// Simple debug script to test SecurityManager behavior
const path = require('path');
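// Debug harness mirroring the SecurityManager's audit-data sanitizer, with a
// verbose trace of every decision so a failing redaction test can be followed
// step by step. Console output only; returns nothing.
//
// NOTE(review): the trace prints the *unredacted* input (see 'Sanitizing:' and
// '=== Original Data ==='). Run it only against synthetic fixtures like the one
// below — never against real audit records.
function debugSanitization() {
  console.log('=== Testing Sanitization Logic ===');

  // Name fragments that mark a property as sensitive. Matching is a
  // case-insensitive substring test (see isSensitiveKey), so 'key' covers
  // apiKey/privateKey but also unrelated names such as 'monkey', and 'auth'
  // also catches 'author'. Over-redaction is the safe failure mode for an
  // audit log, so the breadth is tolerated.
  const sensitiveFields = [
    'password', 'token', 'secret', 'key', 'apiKey', 'accessToken', 'refreshToken',
    'authorization', 'auth', 'jwt', 'bearer', 'credential', 'privateKey', 'publicKey',
    'signature', 'hash', 'salt'
  ];
  const sensitiveFragments = sensitiveFields.map((field) => field.toLowerCase());

  // True when `key` contains any sensitive fragment, ignoring case.
  const isSensitiveKey = (key) => {
    const keyLower = key.toLowerCase();
    return sensitiveFragments.some((fragment) => keyLower.includes(fragment));
  };

  // JSON.stringify throws on circular structures, so the original trace line
  // would abort the run on circular input before the sanitizer's own
  // [CIRCULAR] handling was ever reached. Degrade to a marker instead.
  const asJson = (value) => {
    try {
      return JSON.stringify(value, null, 2);
    } catch (err) {
      return `[unserializable: ${err.message}]`;
    }
  };

  /**
   * Deep-copies `data`, replacing primitive values under sensitive property
   * names with '[REDACTED]'.
   *
   * @param {*} data - Arbitrary audit payload (primitives, arrays, plain objects).
   * @param {WeakSet<object>} ancestors - Objects on the current descent path;
   *   only these count as cycles. Tracking the path rather than every object
   *   ever visited means a shared (non-circular) reference is sanitized at
   *   each site instead of being replaced by '[CIRCULAR]' and lost from the
   *   record.
   * @returns {*} The sanitized copy; primitives are returned as-is.
   */
  function sanitizeAuditData(data, ancestors = new WeakSet()) {
    console.log('Sanitizing:', asJson(data));

    // Primitives pass through; the redaction decision belongs to the parent,
    // which knows the property name.
    if (data === null || typeof data !== 'object') {
      console.log('Returning primitive:', data);
      return data;
    }

    if (ancestors.has(data)) {
      console.log('Circular reference detected');
      return '[CIRCULAR]';
    }
    ancestors.add(data);

    try {
      if (Array.isArray(data)) {
        console.log('Processing array');
        // NOTE(review): array elements carry no property name, so a list of
        // secrets under a sensitive key (apiKeys: ['…']) is not redacted here;
        // likewise a primitive nested under a sensitive object key
        // (secret: { value: '…' }). Confirm whether the production
        // SecurityManager shares this gap before relying on it.
        return data.map((item) => sanitizeAuditData(item, ancestors));
      }

      const result = {};
      for (const [key, value] of Object.entries(data)) {
        console.log(`Processing key: "${key}", value type: ${typeof value}`);
        const isSensitive = isSensitiveKey(key);
        console.log(`Key "${key}" is sensitive: ${isSensitive}`);

        const isContainer = value !== null && typeof value === 'object';
        if (isSensitive && !isContainer) {
          // Only primitive sensitive values are redacted; a container under a
          // sensitive key (e.g. `credentials`) is descended into so that its
          // own fields decide.
          result[key] = '[REDACTED]';
          console.log(`Set ${key} to [REDACTED]`);
        } else if (isContainer) {
          console.log(`Recursively processing ${key}`);
          result[key] = sanitizeAuditData(value, ancestors);
        } else {
          result[key] = value;
          console.log(`Set ${key} to ${value}`);
        }
      }
      console.log('Result for this level:', asJson(result));
      return result;
    } finally {
      // Leaving this node: it is no longer on the path of whatever follows.
      ancestors.delete(data);
    }
  }

  // Fixture copied from the failing test: secrets at two nesting depths.
  const nestedEventData = {
    user: {
      id: 'user123',
      credentials: {
        password: 'secret123',
        token: 'jwt-token-here'
      }
    },
    session: {
      id: 'session123',
      secret: 'session-secret'
    }
  };

  console.log('\n=== Original Data ===');
  console.log(JSON.stringify(nestedEventData, null, 2));

  console.log('\n=== Sanitization Process ===');
  const result = sanitizeAuditData(nestedEventData);

  console.log('\n=== Final Result ===');
  console.log(JSON.stringify(result, null, 2));

  // Expected: ids survive, every secret reads '[REDACTED]'.
  console.log('\n=== Test Assertions ===');
  console.log('user.id:', result.user.id);
  console.log('user.credentials.password:', result.user.credentials?.password);
  console.log('user.credentials.token:', result.user.credentials?.token);
  console.log('session.id:', result.session.id);
  console.log('session.secret:', result.session.secret);
}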
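/**
 * Debug harness for the SecurityManager's XSS deny-list: probes every pattern
 * against one input and reports whether the input would be rejected.
 *
 * @param {string} [maliciousInput] - Payload that the validator is expected to
 *   reject. Defaults to the classic script-tag probe from the failing test.
 */
function debugXSSValidation(maliciousInput = '<script>alert("xss")</script>') {
  console.log('\n=== Testing XSS Validation ===');

  // Deny-list mirrored from the SecurityManager under test; kept verbatim so
  // the debug run reflects production matching.
  // NOTE(review): deny-list regexes are a weak XSS control and these have
  // visible gaps: `.` does not cross newlines (no `s` flag), so a multi-line
  // <script>…</script> block is not matched at all; `/data:/` and
  // `/on\w+\s*=/` also fire on benign text such as "metadata:" or "month=".
  // Context-aware output encoding at the sink is the real defence.
  const xssPatterns = [
    /<script[^>]*>.*?<\/script>/gi,
    /<iframe[^>]*>.*?<\/iframe>/gi,
    /<object[^>]*>.*?<\/object>/gi,
    /<embed[^>]*>/gi,
    /<link[^>]*>/gi,
    /<meta[^>]*>/gi,
    /javascript:/gi,
    /vbscript:/gi,
    /data:/gi,
    /on\w+\s*=/gi
  ];

  // Every pattern carries the `g` flag, and RegExp#test on a /g regex is
  // stateful via lastIndex, so each probe resets it before the next use.
  const matches = (pattern, input) => {
    const hit = pattern.test(input);
    pattern.lastIndex = 0;
    return hit;
  };

  console.log('Testing input:', maliciousInput);
  xssPatterns.forEach((pattern, i) => {
    console.log(`Pattern ${i} (${pattern}): ${matches(pattern, maliciousInput)}`);
  });

  const anyMatch = xssPatterns.some((pattern) => matches(pattern, maliciousInput));
  console.log('Any pattern matches:', anyMatch);

  // The validator returns false (invalid) for a malicious input, which requires
  // at least one pattern to match. The original printed PASS when *nothing*
  // matched, labelling a caught payload as a failure.
  console.log('Should be invalid (return false for valid):', anyMatch ? 'PASS' : 'FAIL');
}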
// Entry point: run each debug scenario in turn.
[debugSanitization, debugXSSValidation].forEach((scenario) => scenario());