security audit fix start

web/src/middleware.test.ts

@@ -0,0 +1,73 @@
+import { describe, it, expect } from "vitest";
+
+/**
+ * Mirrors the isValidCorsOrigin function from middleware.ts
+ */
+function isValidCorsOrigin(origin: string): boolean {
+  if (!origin || !origin.trim()) return false;
+  if (origin === "*") return false;
+
+  try {
+    const parsed = new URL(origin);
+    if (!parsed.protocol.match(/^https?:$/)) return false;
+    if (!parsed.hostname) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+describe("isValidCorsOrigin", () => {
+  describe("accepted origins", () => {
+    it("accepts valid HTTPS origins", () => {
+      expect(isValidCorsOrigin("https://app.kordant.com")).toBe(true);
+      expect(isValidCorsOrigin("https://admin.kordant.com")).toBe(true);
+      expect(isValidCorsOrigin("https://localhost:3000")).toBe(true);
+    });
+
+    it("accepts valid HTTP origins", () => {
+      expect(isValidCorsOrigin("http://localhost:3000")).toBe(true);
+      expect(isValidCorsOrigin("http://localhost:3001")).toBe(true);
+      expect(isValidCorsOrigin("http://127.0.0.1:8080")).toBe(true);
+    });
+
+    it("accepts origins with ports", () => {
+      expect(isValidCorsOrigin("https://app.kordant.com:8443")).toBe(true);
+      expect(isValidCorsOrigin("http://localhost:5173")).toBe(true);
+    });
+
+    it("accepts origins with paths", () => {
+      expect(isValidCorsOrigin("https://app.kordant.com/api")).toBe(true);
+    });
+  });
+
+  describe("rejected origins", () => {
+    it("rejects wildcard", () => {
+      expect(isValidCorsOrigin("*")).toBe(false);
+    });
+
+    it("rejects missing scheme", () => {
+      expect(isValidCorsOrigin("evil.com")).toBe(false);
+      expect(isValidCorsOrigin("localhost")).toBe(false);
+      expect(isValidCorsOrigin("app.kordant.com")).toBe(false);
+    });
+
+    it("rejects non-HTTP schemes", () => {
+      expect(isValidCorsOrigin("ftp://evil.com")).toBe(false);
+      expect(isValidCorsOrigin("file:///etc/passwd")).toBe(false);
+      expect(isValidCorsOrigin("javascript:alert(1)")).toBe(false);
+      expect(isValidCorsOrigin("data:text/html,test")).toBe(false);
+    });
+
+    it("rejects empty and whitespace strings", () => {
+      expect(isValidCorsOrigin("")).toBe(false);
+      expect(isValidCorsOrigin("   ")).toBe(false);
+      expect(isValidCorsOrigin("\t")).toBe(false);
+    });
+
+    it("rejects malformed URLs", () => {
+      expect(isValidCorsOrigin("not a url")).toBe(false);
+      expect(isValidCorsOrigin("://missing-protocol")).toBe(false);
+    });
+  });
+});