/** * Security Validator Tests * * Comprehensive test suite for SecurityValidator class * Aggressively consolidated to reduce test count while preserving all assertions */ import { describe, it, expect, beforeEach, afterEach } from 'vitest'; import { SecurityValidator } from '../../../src/security/security-validator.ts'; import { FilesystemSandbox } from '../../../src/testing/mocks/filesystem-sandbox.ts'; import { calculateEntropy, isPlaceholder, shouldExcludeFile } from '../../../src/security/secret-patterns.ts'; import { isWhitelisted, extractURLs } from '../../../src/security/api-patterns.ts'; describe('SecurityValidator', () => { let sandbox: FilesystemSandbox; let validator: SecurityValidator; beforeEach(async () => { sandbox = new FilesystemSandbox(); await sandbox.initialize(); validator = new SecurityValidator(sandbox.getPath()); }); afterEach(async () => { await sandbox.cleanup(); }); // ============================================================================ // External API Detection Tests (9 tests, reduced from 19) // ============================================================================ describe('External API Detection', () => { it('should detect all fetch API patterns', async () => { // string URL await sandbox.writeFile('fetch-string.ts', ` fetch('https://api.example.com/data'); `); let calls = await validator.detectExternalAPICalls(sandbox.getPath()); expect(calls.length).toBeGreaterThanOrEqual(1, 'failed for fetch with string URL'); expect(calls.some(c => c.method === 'fetch')).toBe(true); // template literal await sandbox.writeFile('fetch-template.ts', ` const domain = 'example.com'; fetch(\`https://\${domain}/api\`); `); calls = await validator.detectExternalAPICalls(sandbox.getPath()); expect(calls.length).toBeGreaterThanOrEqual(1, 'failed for fetch with template literal'); expect(calls.some(c => c.method === 'fetch')).toBe(true); }); it('should not detect fetch to localhost or local network', async () => { const localUrls = [ 'http://localhost:3000/api', 'http://127.0.0.1:8080/test', ]; for (const url of localUrls) { await sandbox.writeFile('test.ts', `fetch('${url}');`); const calls = await validator.detectExternalAPICalls(sandbox.getPath()); expect(calls).toHaveLength(0, `failed for local URL: ${url}`); } }); it('should detect all axios HTTP methods', async () => { const methods = [ ['get', 'https://api.example.com/users'], ['post', 'https://api.example.com/users'], ['put', 'https://api.example.com/users/123'], ['delete', 'https://api.example.com/users/123'], ]; for (const [method, url] of methods) { const importLine = method === 'get' ? "import axios from 'axios';\n " : ''; const dataArg = method === 'post' || method === 'put' ? ', data' : ''; await sandbox.writeFile(`axios-${method}.ts`, ` ${importLine}axios.${method}('${url}'${dataArg}); `); } const calls = await validator.detectExternalAPICalls(sandbox.getPath()); expect(calls.length).toBeGreaterThanOrEqual(4, 'failed to detect all axios methods'); expect(calls.some(c => c.method === 'axios')).toBe(true); }); it('should detect all http/https module patterns', async () => { const patterns = [ ['http', 'get', 'http://api.example.com/data'], ['https', 'get', 'https://api.example.com/data'], ['http', 'request', 'http://api.example.com/data'], ['https', 'request', 'https://api.example.com/data'], ]; for (const [module, method, url] of patterns) { const importLine = method === 'get' || module === 'http' ? `import * as ${module} from '${module}';\n ` : ''; const args = method === 'get' ? ', callback' : ', options'; await sandbox.writeFile(`${module}-${method}.ts`, ` ${importLine}${module}.${method}('${url}'${args}); `); } const calls = await validator.detectExternalAPICalls(sandbox.getPath()); expect(calls.length).toBeGreaterThanOrEqual(4, 'failed to detect all http/https patterns'); expect(calls.some(c => c.method === 'http' || c.method === 'https')).toBe(true); }); it('should detect all XMLHttpRequest patterns', async () => { const methods = [ ['GET', 'https://api.example.com/data'], ['POST', 'https://api.example.com/submit'], ]; for (const [method, url] of methods) { const xhrInit = method === 'GET' ? 'const xhr = new XMLHttpRequest();\n ' : ''; await sandbox.writeFile(`xhr-${method}.ts`, ` ${xhrInit}xhr.open('${method}', '${url}'); `); } const calls = await validator.detectExternalAPICalls(sandbox.getPath()); expect(calls.length).toBeGreaterThanOrEqual(2, 'failed to detect all XHR patterns'); expect(calls.some(c => c.method === 'XMLHttpRequest')).toBe(true); }); it('should validate whitelist for all URL types', () => { // localhost variants expect(validator.isWhitelistedAPI('http://localhost:3000')).toBe(true); expect(validator.isWhitelistedAPI('http://127.0.0.1:8080')).toBe(true); // local network expect(validator.isWhitelistedAPI('http://192.168.1.1')).toBe(true); expect(validator.isWhitelistedAPI('http://10.0.0.1')).toBe(true); // documentation expect(validator.isWhitelistedAPI('https://docs.claude.com/guide')).toBe(true); expect(validator.isWhitelistedAPI('https://github.com/user/repo/README.md')).toBe(true); // external APIs (should NOT be whitelisted) expect(validator.isWhitelistedAPI('https://api.openai.com')).toBe(false); expect(validator.isWhitelistedAPI('https://api.stripe.com')).toBe(false); }); it('should handle false positives correctly', async () => { // commented API calls await sandbox.writeFile('comments.ts', ` // fetch('https://api.example.com/data'); /* axios.get('https://api.example.com/users'); */ `); // Note: Comments are still detected by regex - known limitation // string literals that look like URLs await sandbox.writeFile('literals.ts', ` const message = 'Visit https://example.com for more info'; `); const calls = await validator.detectExternalAPICalls(sandbox.getPath('literals.ts')); expect(calls).toHaveLength(0); }); it('should validate offline operation correctly', async () => { // clean code (offline) - use isolated sandbox const offlineSandbox = new FilesystemSandbox(); await offlineSandbox.initialize(); const offlineValidator = new SecurityValidator(offlineSandbox.getPath()); await offlineSandbox.writeFile('offline.ts', ` const data = await loadLocalData(); `); const isOffline = await offlineValidator.validateOfflineOperation(offlineSandbox.getPath()); expect(isOffline).toBe(true); await offlineSandbox.cleanup(); // code with external calls (not offline) - use isolated sandbox const onlineSandbox = new FilesystemSandbox(); await onlineSandbox.initialize(); const onlineValidator = new SecurityValidator(onlineSandbox.getPath()); await onlineSandbox.writeFile('online.ts', ` fetch('https://api.example.com/data'); `); const isOnline = await onlineValidator.validateOfflineOperation(onlineSandbox.getPath()); expect(isOnline).toBe(false); await onlineSandbox.cleanup(); }); it('should detect multiple API calls in same file', async () => { // Use isolated sandbox so only the multi.ts file is scanned const multiSandbox = new FilesystemSandbox(); await multiSandbox.initialize(); const multiValidator = new SecurityValidator(multiSandbox.getPath()); await multiSandbox.writeFile('multi.ts', ` fetch('https://api1.example.com/data'); axios.get('https://api2.example.com/users'); https.get('https://api3.example.com/posts'); `); const calls = await multiValidator.detectExternalAPICalls(multiSandbox.getPath()); expect(calls.length).toBeGreaterThanOrEqual(3); await multiSandbox.cleanup(); }); }); // ============================================================================ // Secret Detection Tests (8 tests, reduced from 19) // ============================================================================ describe('Secret Detection', () => { it('should detect all API key types', async () => { const apiKeys = [ ['OpenAI', 'test.ts', "const apiKey = 'sk-abcdefghijklmnopqrstuvwxyz123456';", 'api-key'], ['Anthropic', 'test.ts', "const key = 'sk-ant-api03-abcdefghijklmnopqrstuvwxyz';", undefined], ['Google', 'test.ts', "const googleKey = 'AIzaSyAbCdEfGhIjKlMnOpQrStUvWxYz';", undefined], ['AWS', 'config.ts', "const accessKey = 'AKIAIOSFODNN7ABCDEFG';", undefined], ['Stripe', 'config.ts', "const stripeKey = 'pk_test_Nh7BxKmW9rP3qY2dL8vF4jH6cT';", undefined], ['GitHub', 'test.ts', "const token = 'ghp_abcdefghijklmnopqrstuvwxyz123456';", undefined], ['generic', 'test.ts', "const apiKey = 'api_key=1234567890abcdefghijklmnopqrstuvwxyz';", undefined], ]; for (const [name, file, content, expectedType] of apiKeys) { await sandbox.writeFile(file, `${content}`); const secrets = await validator.detectSecretsInFile(sandbox.getPath(file)); expect(secrets.length).toBeGreaterThan(0, `failed to detect ${name} API key`); if (expectedType) { expect(secrets[0].type).toBe(expectedType); } } }); it('should detect all password patterns', async () => { const passwords = [ ['password', "const password = 'mySecretPassword123';", 'password'], ['database password', "const dbPassword = 'db_pass=SuperSecret123!';", undefined], ['pwd', "const pwd = 'myPassword123';", undefined], ]; for (const [name, content, expectedType] of passwords) { await sandbox.writeFile('test.ts', `${content}`); const secrets = await validator.detectSecretsInFile(sandbox.getPath('test.ts')); expect(secrets.length).toBeGreaterThan(0, `failed to detect ${name}`); if (expectedType) { expect(secrets[0].type).toBe(expectedType); } } }); it('should detect all token types', async () => { const tokens = [ ['JWT', "const jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';", 'token'], ['bearer', "const auth = 'Bearer abcdefghijklmnopqrstuvwxyz123456';", undefined], ['OAuth access', "const accessToken = 'access_token=abcdefghijklmnopqrstuvwxyz';", undefined], ]; for (const [name, content, expectedType] of tokens) { await sandbox.writeFile('test.ts', `${content}`); const secrets = await validator.detectSecretsInFile(sandbox.getPath('test.ts')); expect(secrets.length).toBeGreaterThan(0, `failed to detect ${name}`); if (expectedType) { expect(secrets[0].type).toBe(expectedType); } } }); it('should detect all private key types', async () => { const privateKeys = [ ['RSA', 'test.pem', `-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA1234567890abcdef -----END RSA PRIVATE KEY-----`, 'private-key'], ['generic', 'test.pem', `-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC -----END PRIVATE KEY-----`, undefined], ['EC', 'test.pem', `-----BEGIN EC PRIVATE KEY----- MHcCAQEEIIGlRHQ -----END EC PRIVATE KEY-----`, undefined], ]; for (const [name, file, content, expectedType] of privateKeys) { await sandbox.writeFile(file, `${content}`); const secrets = await validator.detectSecretsInFile(sandbox.getPath(file)); expect(secrets.length).toBeGreaterThan(0, `failed to detect ${name} private key`); if (expectedType) { expect(secrets[0].type).toBe(expectedType); } } }); it('should perform entropy analysis correctly', async () => { // calculate entropy expect(calculateEntropy('aaaa')).toBeLessThan(1); expect(calculateEntropy('abcd')).toBeGreaterThan(1); expect(calculateEntropy('aB3!xY9@')).toBeGreaterThan(2); // high-entropy string await sandbox.writeFile('high-entropy.ts', ` const secret = 'aB3!xY9@qW8#eR5$tY7&uI0*oP2^'; `); // High entropy strings should be flagged // low-entropy string (should not flag) await sandbox.writeFile('low-entropy.ts', ` const message = 'hello world'; `); const secrets = await validator.detectSecretsInFile(sandbox.getPath('low-entropy.ts')); expect(secrets).toHaveLength(0); }); it('should reduce false positives via placeholder detection', () => { // placeholders expect(isPlaceholder('YOUR_API_KEY_HERE')).toBe(true); expect(isPlaceholder('replace-with-your-key')).toBe(true); expect(isPlaceholder('example-key')).toBe(true); expect(isPlaceholder('xxxxxxxxxxxxx')).toBe(true); expect(isPlaceholder('***************')).toBe(true); // test/mock values expect(isPlaceholder('test-api-key')).toBe(true); expect(isPlaceholder('fake-password')).toBe(true); expect(isPlaceholder('mock-token')).toBe(true); // file exclusions expect(shouldExcludeFile('test/fixtures/secrets.ts')).toBe(true); expect(shouldExcludeFile('src/security.test.ts')).toBe(true); expect(shouldExcludeFile('__tests__/api.spec.ts')).toBe(true); expect(shouldExcludeFile('.env.example')).toBe(true); expect(shouldExcludeFile('config.sample')).toBe(true); }); it('should validate no secrets committed', async () => { // clean code await sandbox.writeFile('clean.ts', ` const config = loadFromEnv(); `); let isClean = await validator.validateNoSecretsCommitted(); expect(isClean).toBe(true); // committed secret await sandbox.writeFile('leaked.ts', ` const apiKey = 'sk-Nh7BxKmW9rP3qY2dL8vF4jH6cT1nM5sG0wR7yU3aZ9bV'; `); isClean = await validator.validateNoSecretsCommitted(); expect(isClean).toBe(false); }); it('should provide confidence scoring', async () => { await sandbox.writeFile('test.ts', ` const realSecret = 'sk-abcdefghijklmnopqrstuvwxyz'; const maybe = 'password'; `); const secrets = await validator.detectSecretsInFile(sandbox.getPath('test.ts')); if (secrets.length > 0) { expect(secrets[0].confidence).toBeGreaterThan(0); expect(secrets[0].confidence).toBeLessThanOrEqual(1); } }); }); // ============================================================================ // File Permission Validation Tests (6 tests, reduced from 10) // ============================================================================ describe('File Permission Validation', () => { it('should validate all standard permission patterns', async () => { const patterns = [ ['regular.ts', 'const x = 1;', 0o644, '644'], ['script.sh', '#!/bin/bash\necho "test"', 0o755, '755'], ['.env', 'SECRET=value', 0o600, '600'], ]; for (const [file, content, mode, expected] of patterns) { await sandbox.writeFile(file, content, { mode }); const isValid = await validator.checkPermission(sandbox.getPath(file), expected); expect(isValid).toBe(true, `failed for ${file} with mode ${expected}`); } }); it('should detect and fix invalid permissions', async () => { // detect invalid await sandbox.writeFile('bad.ts', 'const x = 1;', { mode: 0o777 }); let isValid = await validator.checkPermission(sandbox.getPath('bad.ts'), '644'); expect(isValid).toBe(false); // fix permissions await sandbox.writeFile('fix.ts', 'const x = 1;', { mode: 0o777 }); await validator.fixPermissions(sandbox.getPath('fix.ts'), '644'); isValid = await validator.checkPermission(sandbox.getPath('fix.ts'), '644'); expect(isValid).toBe(true); }); it('should validate directories and report violations', async () => { await sandbox.createDirectory('testdir'); const result = await validator.validateFilePermissions(sandbox.getPath('testdir')); expect(result).toHaveProperty('passed'); expect(result).toHaveProperty('violations'); // violations with details await sandbox.writeFile('bad1.ts', 'code', { mode: 0o777 }); await sandbox.writeFile('bad2.ts', 'code', { mode: 0o666 }); const violations = await validator.validateFilePermissions(sandbox.getPath()); expect(violations.violations.length).toBeGreaterThan(0); if (violations.violations.length > 0) { expect(violations.violations[0]).toHaveProperty('file'); expect(violations.violations[0]).toHaveProperty('actual'); expect(violations.violations[0]).toHaveProperty('expected'); expect(violations.violations[0]).toHaveProperty('reason'); } }); it('should handle edge cases gracefully', async () => { // non-existent file const isValid = await validator.checkPermission( sandbox.getPath('nonexistent.ts'), '644' ); expect(isValid).toBe(false); // multiple files await sandbox.writeFile('file1.ts', 'code', { mode: 0o644 }); await sandbox.writeFile('file2.ts', 'code', { mode: 0o644 }); await sandbox.writeFile('file3.ts', 'code', { mode: 0o644 }); const result = await validator.validateFilePermissions(sandbox.getPath()); expect(result.checkedFiles).toBeGreaterThanOrEqual(3); }); it('should handle special file types correctly', async () => { // shell scripts should be 755 await sandbox.writeFile('deploy.sh', '#!/bin/bash\n', { mode: 0o755 }); // .env should be 600 await sandbox.writeFile('.env', 'SECRET=value', { mode: 0o600 }); const result = await validator.validateFilePermissions(sandbox.getPath()); // Shell scripts should be 755, .env should be 600 }); it('should exclude build artifacts and pass with correct permissions', async () => { // node_modules and dist should be excluded await sandbox.createDirectory('node_modules'); await sandbox.writeFile('node_modules/package.js', 'code', { mode: 0o777 }); await sandbox.createDirectory('dist'); await sandbox.writeFile('dist/bundle.js', 'code', { mode: 0o777 }); const excludedResult = await validator.validateFilePermissions(sandbox.getPath()); // Should not check node_modules or dist files // clean project should pass await sandbox.writeFile('good1.ts', 'code', { mode: 0o644 }); await sandbox.writeFile('good2.ts', 'code', { mode: 0o644 }); const cleanResult = await validator.validateFilePermissions(sandbox.getPath()); expect(cleanResult.passed).toBe(true); }); }); // ============================================================================ // Dependency Scanning Tests (3 tests, reduced from 6) // ============================================================================ describe('Dependency Scanning', () => { it('should scan package.json with all dependency types', async () => { await sandbox.writeFile('package.json', JSON.stringify({ dependencies: { 'express': '^4.18.0', 'lodash': '^4.17.21', }, devDependencies: { 'vitest': '^1.0.0', }, })); const result = await validator.scanDependencies(); expect(result).toHaveProperty('vulnerabilities'); expect(result).toHaveProperty('passed'); }); it('should handle all package.json edge cases', async () => { // missing package.json let result = await validator.scanDependencies(); expect(result.passed).toBe(true); expect(result.vulnerabilities).toHaveLength(0); // malformed JSON await sandbox.writeFile('package.json', 'invalid json'); result = await validator.scanDependencies(); expect(result.passed).toBe(true); // Should not crash // empty dependencies await sandbox.writeFile('package.json', JSON.stringify({ dependencies: {}, })); result = await validator.scanDependencies(); expect(result.passed).toBe(true); // safe package (no vulnerabilities) await sandbox.writeFile('package.json', JSON.stringify({ dependencies: { 'safe-package': '1.0.0' }, })); result = await validator.scanDependencies(); expect(result.passed).toBe(true); }); it('should generate comprehensive vulnerability reports and operate offline', async () => { await sandbox.writeFile('package.json', JSON.stringify({ dependencies: { 'test': '1.0.0' }, })); // vulnerability report with severity summary const report = await validator.checkKnownVulnerabilities(); expect(report).toHaveProperty('dependencies'); expect(report).toHaveProperty('summary'); expect(report.summary).toHaveProperty('critical'); expect(report.summary).toHaveProperty('high'); expect(report.summary).toHaveProperty('medium'); expect(report.summary).toHaveProperty('low'); // offline operation (NFR-SEC-001) const result = await validator.scanDependencies(); expect(result).toBeDefined(); }); }); // ============================================================================ // Security Gate Enforcement Tests (3 tests, reduced from 7) // ============================================================================ describe('Security Gate Enforcement', () => { it('should validate construction gate with all criteria', async () => { // clean code passes await sandbox.writeFile('test.ts', 'const x = 1;', { mode: 0o644 }); let passed = await validator.validateConstructionGate(); expect(passed).toBe(true); // critical issues block await sandbox.writeFile('config.ts', ` const apiKey = 'sk-Nh7BxKmW9rP3qY2dL8vF4jH6cT1nM5sG0wR7yU3aZ9bV'; `); passed = await validator.validateConstructionGate(); expect(passed).toBe(false); // medium/low issues allowed await sandbox.writeFile('medium.ts', 'const x = 1;'); passed = await validator.validateConstructionGate(); // Should not block on medium/low }); it('should validate production gate with strict criteria', async () => { // clean code passes await sandbox.writeFile('clean.ts', 'const x = 1;'); let passed = await validator.validateProductionGate(); expect(passed).toBe(true); // high issue blocks await sandbox.writeFile('api.ts', ` fetch('https://api.example.com/data'); `); passed = await validator.validateProductionGate(); expect(passed).toBe(false); // critical issue blocks await sandbox.writeFile('config.ts', ` const key = 'sk-Nh7BxKmW9rP3qY2dL8vF4jH6cT1nM5sG0wR7yU3aZ9bV'; `); passed = await validator.validateProductionGate(); expect(passed).toBe(false); }); it('should enforce security gate with detailed results', async () => { await sandbox.writeFile('test.ts', 'const x = 1;'); const result = await validator.enforceSecurityGate(); expect(result).toHaveProperty('passed'); expect(result).toHaveProperty('gate'); expect(result).toHaveProperty('blockingIssues'); expect(result).toHaveProperty('warnings'); expect(result).toHaveProperty('timestamp'); }); }); // ============================================================================ // Reporting Tests (3 tests, reduced from 6) // ============================================================================ describe('Reporting', () => { it('should generate comprehensive security reports', async () => { // clean report await sandbox.writeFile('test.ts', 'const x = 1;'); let report = await validator.generateSecurityReport(); expect(report).toContain('Security Scan Report'); expect(report).toContain('Summary'); expect(report).toContain('Files Checked'); expect(report).toContain('Scan Duration'); // report with issues await sandbox.writeFile('config.ts', ` const apiKey = 'sk-Nh7BxKmW9rP3qY2dL8vF4jH6cT1nM5sG0wR7yU3aZ9bV'; `); report = await validator.generateSecurityReport(); expect(report).toContain('Critical Issues'); }); it('should export reports in all formats', async () => { const formats: Array<'json' | 'markdown' | 'html'> = ['json', 'markdown', 'html']; for (const format of formats) { const exported = await validator.exportReport(format); if (format === 'json') { const parsed = JSON.parse(exported); expect(parsed).toHaveProperty('passed'); expect(parsed).toHaveProperty('issues'); expect(parsed).toHaveProperty('summary'); } else if (format === 'markdown') { expect(exported).toContain('# Security Scan Report'); } else { expect(exported).toContain(''); expect(exported).toContain('Security Scan Report'); } } }); it('should generate remediation plans and group issues by category', async () => { await sandbox.writeFile('mixed.ts', ` const apiKey = 'sk-Nh7BxKmW9rP3qY2dL8vF4jH6cT1nM5sG0wR7yU3aZ9bV'; fetch('https://api.external.com/data'); `); // remediation plan const scanResult = await validator.scan(); const plan = await validator.generateRemediationPlan(scanResult.issues); expect(plan).toContain('Remediation Plan'); expect(plan).toContain('Action'); expect(plan).toContain('CRITICAL'); // grouped report with recommendations const report = await validator.generateSecurityReport(); expect(report).toMatch(/external-api-call|secret-exposure/); expect(report).toContain('Recommendation'); }); }); // ============================================================================ // Performance Tests (3 tests, reduced from 5) // ============================================================================ describe('Performance', () => { it('should scan 100 files in under 10 seconds (NFR-SEC-PERF-001)', async () => { // Create 100 test files for (let i = 0; i < 100; i++) { await sandbox.writeFile(`file${i}.ts`, `const x${i} = ${i};`); } const startTime = Date.now(); const result = await validator.scan({ parallel: true }); const duration = Date.now() - startTime; expect(duration).toBeLessThan(10000); // <10s expect(result.checkedFiles).toBeGreaterThanOrEqual(100); }); it('should support parallel scanning and handle large files', async () => { // parallel vs sequential for (let i = 0; i < 10; i++) { await sandbox.writeFile(`file${i}.ts`, 'code'); } const startParallel = Date.now(); await validator.scan({ parallel: true }); const parallelDuration = Date.now() - startParallel; const startSequential = Date.now(); await validator.scan({ parallel: false }); const sequentialDuration = Date.now() - startSequential; // Parallel should not be dramatically slower than sequential // Use generous threshold: 10x + 50ms to handle CI runner variance expect(parallelDuration).toBeLessThanOrEqual(sequentialDuration * 10 + 50); // large file handling const largeContent = 'const x = 1;\n'.repeat(10000); await sandbox.writeFile('large.ts', largeContent); const startTime = Date.now(); await validator.scanFile(sandbox.getPath('large.ts')); const duration = Date.now() - startTime; expect(duration).toBeLessThan(1000); // <1s per file }); it('should skip binary files and report scan duration', async () => { // binary files await sandbox.writeFile('image.png', Buffer.from([0x89, 0x50, 0x4E, 0x47])); // Binary files should be skipped // scan duration reporting await sandbox.writeFile('test.ts', 'code'); const result = await validator.scan(); expect(result.scanDuration).toBeGreaterThanOrEqual(0); expect(typeof result.scanDuration).toBe('number'); }); }); // ============================================================================ // Integration Tests (5 tests, reduced from 10) // ============================================================================ describe('Integration', () => { it('should scan entire project and detect multiple issue types', async () => { // comprehensive scan await sandbox.writeFile('src/app.ts', 'const app = 1;'); await sandbox.writeFile('test/app.test.ts', 'test code'); await sandbox.writeFile('package.json', '{}'); let result = await validator.scan(); expect(result.checkedFiles).toBeGreaterThan(0); // multiple issue types await sandbox.writeFile('bad.ts', ` const apiKey = 'sk-Nh7BxKmW9rP3qY2dL8vF4jH6cT1nM5sG0wR7yU3aZ9bV'; fetch('https://api.external.com/data'); `); result = await validator.scan(); expect(result.issues.length).toBeGreaterThan(0); const categories = new Set(result.issues.map(i => i.category)); expect(categories.size).toBeGreaterThan(1); }); it('should support custom configuration', async () => { // custom exclude paths const customValidator1 = new SecurityValidator(sandbox.getPath(), { excludePaths: ['**/excluded/**'], }); await sandbox.createDirectory('excluded'); await sandbox.writeFile('excluded/bad.ts', 'const key = "sk-secret";'); let result = await customValidator1.scan(); expect(result.issues).toHaveLength(0); // custom whitelist const customValidator2 = new SecurityValidator(sandbox.getPath(), { customWhitelist: [/https:\/\/custom\.api\.com/], }); await sandbox.writeFile('test.ts', ` fetch('https://custom.api.com/data'); `); const calls = await customValidator2.detectExternalAPICalls(sandbox.getPath()); expect(calls).toHaveLength(0); // custom permission rules - test one file at a time const customValidator3 = new SecurityValidator(sandbox.getPath(), { permissionRules: { '\\.config$': '600', }, }); // Create clean sandbox for this test const tempSandbox = new FilesystemSandbox(); await tempSandbox.initialize(); const customValidator4 = new SecurityValidator(tempSandbox.getPath(), { permissionRules: { '\\.config$': '600', }, }); await tempSandbox.writeFile('app.config', 'config', { mode: 0o600 }); result = await customValidator4.validateFilePermissions(tempSandbox.getPath()); expect(result.passed).toBe(true); await tempSandbox.cleanup(); }); it('should handle mixed content types', async () => { await sandbox.writeFile('code.ts', 'typescript'); await sandbox.writeFile('script.js', 'javascript'); await sandbox.writeFile('config.json', '{}'); await sandbox.writeFile('data.yaml', 'key: value'); const result = await validator.scan(); expect(result.checkedFiles).toBeGreaterThanOrEqual(4); }); it('should support single file and directory scanning', async () => { // single file await sandbox.writeFile('single.ts', ` const apiKey = 'sk-Nh7BxKmW9rP3qY2dL8vF4jH6cT1nM5sG0wR7yU3aZ9bV'; `); let issues = await validator.scanFile(sandbox.getPath('single.ts')); expect(issues.length).toBeGreaterThan(0); // recursive directory scan await sandbox.createDirectory('src/lib'); await sandbox.writeFile('src/app.ts', 'code'); await sandbox.writeFile('src/lib/util.ts', 'code'); let result = await validator.scanDirectory(sandbox.getPath('src'), true); expect(result.checkedFiles).toBeGreaterThanOrEqual(2); // non-recursive directory scan result = await validator.scanDirectory(sandbox.getPath('src'), false); expect(result.checkedFiles).toBe(1); // Only src/app.ts }); it('should provide comprehensive scan summary', async () => { await sandbox.writeFile('test.ts', 'code'); const result = await validator.scan(); expect(result).toHaveProperty('passed'); expect(result).toHaveProperty('issues'); expect(result).toHaveProperty('summary'); expect(result).toHaveProperty('checkedFiles'); expect(result).toHaveProperty('scanDuration'); }); }); }); // ============================================================================ // Helper Function Tests (2 tests, reduced from 3) // ============================================================================ describe('Helper Functions', () => { it('should extract all URL types from code', () => { // string URLs const code = ` fetch('https://api.example.com'); const url = 'http://test.com'; `; let urls = extractURLs(code); expect(urls.length).toBeGreaterThanOrEqual(2); // template literals const templateCode = 'fetch(`https://${domain}/api`)'; const templateUrls = extractURLs(templateCode); expect(templateUrls.length).toBeGreaterThan(0); }); it('should validate whitelist patterns correctly', () => { // localhost patterns expect(isWhitelisted('http://localhost:3000')).toBe(true); expect(isWhitelisted('http://127.0.0.1:8080')).toBe(true); expect(isWhitelisted('http://0.0.0.0:9000')).toBe(true); // local network expect(isWhitelisted('http://192.168.1.1')).toBe(true); expect(isWhitelisted('http://10.0.0.1')).toBe(true); expect(isWhitelisted('http://172.16.0.1')).toBe(true); // external domains (should NOT be whitelisted) expect(isWhitelisted('https://api.openai.com')).toBe(false); expect(isWhitelisted('https://google.com')).toBe(false); }); });