d804a436d7
Polyfill capabilities landed for Festipod's T02 features (all generic,
zero-domain — the consumer injects the domain).
- inbox: implement the previously-stubbed namespace. post(target,{from?,
payload,ts?}) deposits {from,payload,ts} as RDF via docs.sparqlUpdate (the
real injected ng, never makeNg); read/materialize + watch emulate the curator
in-lib (deposits read via docs.sparqlQuery). `from` optional = anonymity.
- write-guard: caps.hasWritePolicy() + ng-proxy.sparql_update rejects when the
target doc is under a write policy and the current user lacks its write cap;
passthrough otherwise (no regression). Read-cap registry unchanged.
- sparql.ts (new): escapeLiteral / escapeIri / assertNuri, exported from index.
store-registry now escapes every literal and validates/encodes every IRI-
position value — closes a SPARQL-injection hole where an untrusted username
could inject triples into the shim (the account→doc-NURI trust root).
Tests: inbox, sparql (incl. injection), ng-proxy write-guard, isolation-active.
68 tests pass; tsc --noEmit rc=0.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
79 lines
3.1 KiB
TypeScript
79 lines
3.1 KiB
TypeScript
import { test, expect } from "bun:test";
|
|
import { escapeLiteral, escapeIri, assertNuri } from "../src/sparql";
|
|
|
|
// --- escapeLiteral --------------------------------------------------------
|
|
|
|
test("escapeLiteral escapes backslash, quote and whitespace controls", () => {
|
|
expect(escapeLiteral('a"b')).toBe('a\\"b');
|
|
expect(escapeLiteral("a\\b")).toBe("a\\\\b");
|
|
expect(escapeLiteral("a\nb")).toBe("a\\nb");
|
|
expect(escapeLiteral("a\rb")).toBe("a\\rb");
|
|
expect(escapeLiteral("a\tb")).toBe("a\\tb");
|
|
});
|
|
|
|
test("escapeLiteral backslash-then-quote order does not double-escape", () => {
|
|
// `\` first so a raw `"` never becomes `\"` before the quote pass mangles it.
|
|
expect(escapeLiteral('\\"')).toBe('\\\\\\"');
|
|
});
|
|
|
|
test("escapeLiteral output can no longer close a SPARQL literal", () => {
|
|
const injected = '" ; <urn:evil> "pwn';
|
|
const escaped = escapeLiteral(injected);
|
|
// No RAW double-quote survives — every `"` is preceded by a backslash.
|
|
expect(/(^|[^\\])"/.test(escaped)).toBe(false);
|
|
});
|
|
|
|
// --- escapeIri ------------------------------------------------------------
|
|
|
|
test("escapeIri passes ordinary printable identifier chars through unchanged", () => {
|
|
expect(escapeIri("alice")).toBe("alice");
|
|
expect(escapeIri("a.b-c_d:e/f")).toBe("a.b-c_d:e/f");
|
|
});
|
|
|
|
test("escapeIri percent-encodes every IRI-breaking character", () => {
|
|
expect(escapeIri("a>b")).toBe("a%3Eb");
|
|
expect(escapeIri("a<b")).toBe("a%3Cb");
|
|
expect(escapeIri('a"b')).toBe("a%22b");
|
|
expect(escapeIri("a b")).toBe("a%20b");
|
|
expect(escapeIri("a\nb")).toBe("a%0Ab");
|
|
expect(escapeIri("a\tb")).toBe("a%09b");
|
|
expect(escapeIri("a\\b")).toBe("a%5Cb");
|
|
});
|
|
|
|
test("escapeIri neutralises a full breakout attempt", () => {
|
|
const attack = 'x> <urn:evil> "pwn';
|
|
const encoded = escapeIri(attack);
|
|
// The encoded username cannot contain a raw `>`, `<`, `"` or space, so it
|
|
// cannot escape the surrounding <PREFIX:...> IRI.
|
|
expect(encoded).not.toMatch(/[<>" ]/);
|
|
});
|
|
|
|
test("escapeIri handles unicode without corrupting it (round-trips via decode)", () => {
|
|
const u = "élan";
|
|
// "é" is a printable letter → left as-is; a space would be encoded.
|
|
expect(escapeIri(u)).toBe("élan");
|
|
expect(escapeIri("é ")).toBe("é%20");
|
|
});
|
|
|
|
// --- assertNuri -----------------------------------------------------------
|
|
|
|
test("assertNuri returns valid NURIs unchanged", () => {
|
|
expect(assertNuri("did:ng:o:doc1")).toBe("did:ng:o:doc1");
|
|
expect(assertNuri("urn:ng-eventually:shim")).toBe("urn:ng-eventually:shim");
|
|
expect(assertNuri("did:ng:PRIV")).toBe("did:ng:PRIV");
|
|
});
|
|
|
|
test("assertNuri throws on empty / non-string", () => {
|
|
expect(() => assertNuri("")).toThrow(/invalid NURI/);
|
|
// @ts-expect-error deliberately wrong type
|
|
expect(() => assertNuri(null)).toThrow(/invalid NURI/);
|
|
});
|
|
|
|
test("assertNuri throws on IRI-breaking characters", () => {
|
|
expect(() => assertNuri("did:ng:o> <urn:evil")).toThrow(/IRI-forbidden/);
|
|
expect(() => assertNuri('did:ng:"x')).toThrow(/IRI-forbidden/);
|
|
expect(() => assertNuri("did:ng: x")).toThrow(/IRI-forbidden/);
|
|
expect(() => assertNuri("did:ng:\nx")).toThrow(/IRI-forbidden/);
|
|
expect(() => assertNuri("did:ng:\tx")).toThrow(/IRI-forbidden/);
|
|
});
|