Files
diegosouzapw--omniroute/tests/unit/error-message-sanitization.test.ts
2026-07-13 13:39:12 +08:00

396 lines
17 KiB
TypeScript

/**
* Verifies that API routes sanitize error messages (CodeQL js/stack-trace-exposure)
* and that security-critical helpers behave correctly.
*/
import test from "node:test";
import assert from "node:assert/strict";
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-err-sanitize-"));
process.env.DATA_DIR = TEST_DATA_DIR;
process.env.API_KEY_SECRET = "test-api-key-secret-32chars-long!!";
const core = await import("../../src/lib/db/core.ts");
const combosDb = await import("../../src/lib/db/combos.ts");
const mappingsRoute = await import("../../src/app/api/model-combo-mappings/route.ts");
const mappingsIdRoute = await import("../../src/app/api/model-combo-mappings/[id]/route.ts");
const syncTokens = await import("../../src/lib/sync/tokens.ts");
const repoRoot = path.resolve(import.meta.dirname, "../..");
const read = (relPath: string) => fs.readFileSync(path.join(repoRoot, relPath), "utf8");
function makeRequest(url: string, options: { method?: string; body?: unknown } = {}) {
const { method = "GET", body } = options;
return new Request(url, {
method,
headers: body !== undefined ? { "content-type": "application/json" } : undefined,
body: body !== undefined ? JSON.stringify(body) : undefined,
});
}
async function resetStorage() {
core.resetDbInstance();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
}
test.beforeEach(async () => {
await resetStorage();
});
test.after(() => {
core.resetDbInstance();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
});
async function createCombo(name: string, model: string) {
return combosDb.createCombo({
name,
models: [{ provider: "openai", model }],
strategy: "priority",
config: {},
});
}
// ── model-combo-mappings routes ──────────────────────────────────────────────
test("GET /model-combo-mappings returns empty list on fresh DB", async () => {
const res = await mappingsRoute.GET();
assert.equal(res.status, 200);
const body = (await res.json()) as any;
assert.ok(Array.isArray(body.mappings), "body.mappings must be an array");
assert.equal(body.mappings.length, 0);
assert.ok(!("error" in body), "success response must not contain error field");
});
test("GET /model-combo-mappings error response never leaks raw error.message", async () => {
const res = await mappingsRoute.GET();
// In the success case, there is no error field at all
const body = (await res.json()) as any;
if (res.status >= 500) {
assert.equal(body.error, "Failed to list model-combo mappings");
assert.ok(!("stack" in body), "stack trace must not be present in response");
}
});
test("POST /model-combo-mappings returns 400 for empty pattern", async () => {
const res = await mappingsRoute.POST(
makeRequest("http://localhost/api/model-combo-mappings", {
method: "POST",
body: { pattern: "", comboId: "combo-1" },
})
);
assert.equal(res.status, 400);
const body = (await res.json()) as any;
assert.ok("error" in body);
assert.ok(!("stack" in body), "400 response must not contain stack trace");
});
test("POST /model-combo-mappings returns 400 for missing comboId", async () => {
const res = await mappingsRoute.POST(
makeRequest("http://localhost/api/model-combo-mappings", {
method: "POST",
body: { pattern: "gpt-*" },
})
);
assert.equal(res.status, 400);
});
test("POST /model-combo-mappings creates a mapping and response has no error field", async () => {
const combo = await createCombo("test-combo", "gpt-4o");
const res = await mappingsRoute.POST(
makeRequest("http://localhost/api/model-combo-mappings", {
method: "POST",
body: { pattern: "gpt-*", comboId: combo.id },
})
);
assert.equal(res.status, 201);
const body = (await res.json()) as any;
assert.ok("mapping" in body, "response must have mapping field");
assert.ok(!("error" in body), "success response must not contain error field");
assert.ok(!("stack" in body));
assert.equal(body.mapping.pattern, "gpt-*");
});
test("GET /model-combo-mappings/[id] returns 404 for non-existent id", async () => {
const res = await mappingsIdRoute.GET(
makeRequest("http://localhost/api/model-combo-mappings/nonexistent"),
{ params: Promise.resolve({ id: "nonexistent" }) }
);
assert.equal(res.status, 404);
const body = (await res.json()) as any;
assert.equal(body.error, "Mapping not found");
assert.ok(!("stack" in body), "404 response must not contain stack trace");
});
test("GET /model-combo-mappings/[id] error response never leaks internal details", async () => {
const res = await mappingsIdRoute.GET(
makeRequest("http://localhost/api/model-combo-mappings/some-id"),
{ params: Promise.resolve({ id: "some-id" }) }
);
const body = (await res.json()) as any;
if (res.status >= 500) {
assert.equal(body.error, "Failed to get mapping");
assert.ok(!body.error.includes("SQLITE"), "SQLite internals must not be exposed");
assert.ok(!("stack" in body));
}
});
test("DELETE /model-combo-mappings/[id] returns 404 for non-existent mapping", async () => {
const res = await mappingsIdRoute.DELETE(
makeRequest("http://localhost/api/model-combo-mappings/nonexistent", { method: "DELETE" }),
{ params: Promise.resolve({ id: "nonexistent" }) }
);
assert.equal(res.status, 404);
const body = (await res.json()) as any;
assert.equal(body.error, "Mapping not found");
assert.ok(!("stack" in body));
});
test("PUT /model-combo-mappings/[id] returns 404 for non-existent mapping", async () => {
const res = await mappingsIdRoute.PUT(
makeRequest("http://localhost/api/model-combo-mappings/nonexistent", {
method: "PUT",
body: { pattern: "new-*" },
}),
{ params: Promise.resolve({ id: "nonexistent" }) }
);
assert.equal(res.status, 404);
const body = (await res.json()) as any;
assert.equal(body.error, "Mapping not found");
assert.ok(!("stack" in body));
});
// ── sync token hashing (src/lib/sync/tokens.ts) ──────────────────────────────
test("hashSyncToken returns a 64-character hex string (SHA-256 output)", () => {
const token = syncTokens.generatePlaintextSyncToken();
const hash = syncTokens.hashSyncToken(token);
assert.match(hash, /^[0-9a-f]{64}$/, "hash must be 64 lowercase hex chars");
});
test("hashSyncToken is deterministic — same input always produces same output", () => {
const token = syncTokens.generatePlaintextSyncToken();
assert.equal(
syncTokens.hashSyncToken(token),
syncTokens.hashSyncToken(token),
"hashing the same token twice must yield the same result"
);
});
test("hashSyncToken produces different hashes for different tokens", () => {
const a = syncTokens.generatePlaintextSyncToken();
const b = syncTokens.generatePlaintextSyncToken();
assert.notEqual(
syncTokens.hashSyncToken(a),
syncTokens.hashSyncToken(b),
"different tokens must produce different hashes"
);
});
test("generatePlaintextSyncToken starts with osync_ prefix", () => {
const token = syncTokens.generatePlaintextSyncToken();
assert.ok(
token.startsWith("osync_"),
`token must start with 'osync_', got: ${token.slice(0, 10)}`
);
});
test("hashSyncToken output is never the plain token (not stored in clear text)", () => {
const token = syncTokens.generatePlaintextSyncToken();
const hash = syncTokens.hashSyncToken(token);
assert.notEqual(hash, token, "hash must differ from plaintext token");
assert.ok(!hash.startsWith("osync_"), "hash must not start with the token prefix");
});
test("sanitizeErrorMessage strips multi-line stack traces", async () => {
const { sanitizeErrorMessage } = await import("../../open-sse/utils/error.ts");
const input =
"Cannot read property 'foo' of undefined\n at handler (/srv/app/src/lib/x.ts:42:11)\n at next (internal)";
const out = sanitizeErrorMessage(input);
assert.equal(out, "Cannot read property 'foo' of undefined");
assert.ok(!out.includes("at handler"));
});
test("sanitizeErrorMessage replaces absolute paths with <path>", async () => {
const { sanitizeErrorMessage } = await import("../../open-sse/utils/error.ts");
const out1 = sanitizeErrorMessage("Failed to open /home/user/secret-project/src/config.ts:10");
assert.ok(!out1.includes("/home/user/secret-project"));
assert.ok(out1.includes("<path>"));
const out2 = sanitizeErrorMessage("Module not found: C:\\Users\\admin\\app\\index.js:1:1");
assert.ok(!out2.includes("C:\\Users\\admin"));
assert.ok(out2.includes("<path>"));
});
test("sanitizeErrorMessage handles non-string inputs safely", async () => {
const { sanitizeErrorMessage } = await import("../../open-sse/utils/error.ts");
assert.equal(sanitizeErrorMessage(undefined), "");
assert.equal(sanitizeErrorMessage(null), "");
assert.equal(sanitizeErrorMessage(42), "42");
assert.equal(sanitizeErrorMessage(new Error("boom")), "Error: boom");
});
test("buildErrorBody never exposes stack traces in its message", async () => {
const { buildErrorBody } = await import("../../open-sse/utils/error.ts");
const body = buildErrorBody(
500,
"Internal error\n at /opt/app/src/server.ts:99:7\n at next (internal)"
);
assert.equal(body.error.message, "Internal error");
assert.ok(!body.error.message.includes("at /opt"));
});
test("types barrel keeps the model cooldown payload export only", async () => {
const src = await read("src/types/index.ts");
assert.match(src, /ModelCooldownErrorPayload/);
assert.doesNotMatch(src, /ProviderConnection/);
assert.doesNotMatch(src, /ProviderNode/);
});
// ── sanitizeUpstreamDetails ──────────────────────────────────────────────────
test("sanitizeUpstreamDetails — basic pass-through for safe fields", async () => {
const { sanitizeUpstreamDetails } = await import("../../open-sse/utils/error.ts");
const input = { error: { message: "context_length_exceeded", type: "invalid_request_error" } };
const out = sanitizeUpstreamDetails(input) as any;
assert.equal(out.error.message, "context_length_exceeded");
assert.equal(out.error.type, "invalid_request_error");
});
test("sanitizeUpstreamDetails — sanitizes string values (absolute path)", async () => {
const { sanitizeUpstreamDetails } = await import("../../open-sse/utils/error.ts");
const input = { error: { message: "bad input at /srv/app/src/lib/db.ts:42" } };
const out = sanitizeUpstreamDetails(input) as any;
assert.ok(
!out.error.message.includes("/srv/app/src/lib/db.ts"),
"absolute path must be stripped"
);
assert.ok(out.error.message.includes("<path>"), "path placeholder must be present");
});
test("sanitizeUpstreamDetails — removes blocked keys (stack, apiKey)", async () => {
const { sanitizeUpstreamDetails } = await import("../../open-sse/utils/error.ts");
const input = {
error: { message: "oops" },
stack: "Error\n at foo.ts:1",
apiKey: "sk-secret",
};
const out = sanitizeUpstreamDetails(input) as any;
assert.ok(!("stack" in out), "stack key must be removed");
assert.ok(!("apiKey" in out), "apiKey key must be removed");
assert.equal(out.error.message, "oops");
});
test("sanitizeUpstreamDetails — depth cap replaces nested value at depth > 4", async () => {
const { sanitizeUpstreamDetails } = await import("../../open-sse/utils/error.ts");
// Build depth-6 nesting: a.b.c.d.e.f = "leaf"
const input = { a: { b: { c: { d: { e: { f: "leaf" } } } } } };
const out = sanitizeUpstreamDetails(input) as any;
// depth 0:a, 1:b, 2:c, 3:d, 4:e → e is at depth 4, f would be depth 5 → truncated
assert.equal(out.a.b.c.d.e, "[truncated]");
});
// ── buildErrorBody with upstreamDetails ──────────────────────────────────────
test("buildErrorBody — without upstream details omits upstream_details field", async () => {
const { buildErrorBody } = await import("../../open-sse/utils/error.ts");
const body = buildErrorBody(400, "bad request");
assert.ok(!("upstream_details" in body), "upstream_details must be absent when not provided");
});
test("buildErrorBody — with safe upstream details embeds upstream_details", async () => {
const { buildErrorBody } = await import("../../open-sse/utils/error.ts");
const body = buildErrorBody(400, "bad request", {
error: { message: "context_length_exceeded" },
});
assert.ok("upstream_details" in body, "upstream_details must be present");
assert.equal((body.upstream_details as any).error.message, "context_length_exceeded");
});
test("buildErrorBody — upstream details with stack key are stripped", async () => {
const { buildErrorBody } = await import("../../open-sse/utils/error.ts");
const body = buildErrorBody(500, "err", { stack: "Error\n at foo.ts:1", code: "internal" });
assert.ok("upstream_details" in body, "upstream_details must be present");
assert.ok(
!("stack" in (body.upstream_details as any)),
"stack must be stripped from upstream_details"
);
assert.equal((body.upstream_details as any).code, "internal");
});
// ── createErrorResult with upstreamDetails ───────────────────────────────────
test("createErrorResult — response body includes upstream_details when provided", async () => {
const { createErrorResult } = await import("../../open-sse/utils/error.ts");
const result = createErrorResult(
400,
"context too long",
null,
"context_length_exceeded",
"invalid_request_error",
{ error: { message: "context_length_exceeded" } }
);
const body = (await result.response.clone().json()) as any;
assert.ok("upstream_details" in body, "upstream_details must be in response body");
assert.equal(body.upstream_details.error.message, "context_length_exceeded");
});
test("createErrorResult — response body excludes upstream_details when not provided", async () => {
const { createErrorResult } = await import("../../open-sse/utils/error.ts");
const result = createErrorResult(400, "bad request", null, "bad_request");
const body = (await result.response.clone().json()) as any;
assert.ok(!("upstream_details" in body), "upstream_details must be absent when not provided");
});
test("createErrorResult — exposes error code/type on the result object", async () => {
const { createErrorResult } = await import("../../open-sse/utils/error.ts");
const result = createErrorResult(504, "upstream timeout", null, "UPSTREAM_TIMEOUT", "timeout");
assert.equal(result.errorCode, "UPSTREAM_TIMEOUT");
assert.equal(result.errorType, "timeout");
});
test("buildModelCooldownBody returns the public cooldown error payload shape", async () => {
const { buildModelCooldownBody } = await import("../../open-sse/utils/error.ts");
const body = buildModelCooldownBody({ model: "gpt-4o", retryAfterSec: 1.2 });
assert.deepEqual(body, {
error: {
message: "All credentials for model gpt-4o are cooling down",
type: "rate_limit_error",
code: "model_cooldown",
model: "gpt-4o",
reset_seconds: 2,
},
});
});
test("regression: upstream_details never contains stack trace text", async () => {
const { createErrorResult } = await import("../../open-sse/utils/error.ts");
const upstream = { error: { message: "err" }, stack: "Error\n at /abs/path.ts:1:2" };
const result = createErrorResult(500, "upstream err", null, undefined, undefined, upstream);
const body = (await result.response.clone().json()) as any;
const serialized = JSON.stringify(body);
assert.ok(
!serialized.includes("at /abs/path.ts"),
"stack trace path must not appear in response body"
);
assert.ok(!("stack" in (body.upstream_details || {})), "stack key must not be present");
});
// ── existing tests continue ──────────────────────────────────────────────────
test("GET /token-health response never leaks stack frames or absolute paths", async () => {
const tokenHealthRoute = await import("../../src/app/api/token-health/route.ts");
const res = await tokenHealthRoute.GET();
const body = (await res.json()) as any;
assert.ok(!("stack" in body), "response must not contain stack trace");
if (typeof body.error === "string") {
assert.ok(!body.error.includes(" at "), "stack frame must not leak in error");
assert.ok(!/^\//.test(body.error), "absolute POSIX path must not leak");
assert.ok(!/^[A-Za-z]:[\\/]/.test(body.error), "absolute Windows path must not leak");
}
});