serve.zone/dcrouter
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-23 21:20:39 +00:00
parent 9629329bc2
commit 0907949f8a
86 changed files with 654 additions and 569 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
test/suite/security/test.header-injection-prevention.ts
View File

@ -1,7 +1,7 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../plugins.js';
import * as net from 'net';
import { startTestServer, stopTestServer, TEST_PORT, sendEmailWithRawSocket } from '../server.loader.js';
import { startTestServer, stopTestServer, TEST_PORT, sendEmailWithRawSocket } from '../../helpers/server.loader.js';
import type { SmtpServer } from '../../../ts/mail/delivery/smtpserver/index.js';
let testServer: SmtpServer;
@ -70,7 +70,7 @@ tap.test('Header Injection Prevention - CRLF injection in headers', async (tools
console.log('Header injection prevention active - malicious headers detected');
}
expect(accepted || rejected).toBeTrue();
expect(accepted || rejected).toEqual(true);
socket.write('QUIT\r\n');
socket.end();
@ -118,7 +118,7 @@ tap.test('Header Injection Prevention - Command injection in MAIL FROM', async (
dataBuffer.includes('500');
console.log('Command injection attempt handled');
expect(properResponse).toBeTrue();
expect(properResponse).toEqual(true);
socket.write('QUIT\r\n');
socket.end();
@ -191,7 +191,7 @@ tap.test('Header Injection Prevention - HTML/Script injection in body', async (t
} else if (dataBuffer.includes('250 ') || dataBuffer.includes('550 ')) {
const accepted = dataBuffer.includes('250');
console.log(`HTML/Script content: ${accepted ? 'accepted (may be sanitized)' : 'rejected'}`);
expect(true).toBeTrue();
expect(true).toEqual(true);
socket.write('QUIT\r\n');
socket.end();
@ -239,7 +239,7 @@ tap.test('Header Injection Prevention - Null byte injection', async (tools) => {
dataBuffer.includes('550');
console.log('Null byte injection attempt handled');
expect(handled).toBeTrue();
expect(handled).toEqual(true);
socket.write('QUIT\r\n');
socket.end();
@ -308,7 +308,7 @@ tap.test('Header Injection Prevention - Unicode and encoding attacks', async (to
} else if (dataBuffer.includes('250 ') || dataBuffer.includes('550 ')) {
const result = dataBuffer.includes('250') ? 'accepted' : 'rejected';
console.log(`Unicode/encoding attack: ${result}`);
expect(true).toBeTrue();
expect(true).toEqual(true);
socket.write('QUIT\r\n');
socket.end();