Add tests for security fixes and input validation

Author: jdalton

test/integration.test.mts

@@ -30,7 +30,7 @@ describe('Integration tests', () => {
   it('should load PackageURLBuilder and work correctly', async () => {
     const { pkgPath } = await isolatePackage(packagePath)
 
-    const { PackageURLBuilder } = await import(`${pkgPath}/dist/package-url.js`)
+    const { PackageURLBuilder } = await import(`${pkgPath}/dist/index.js`)
     expect(PackageURLBuilder).toBeDefined()
     expect(typeof PackageURLBuilder.create).toBe('function')
 

test/package-url-builder.test.mts

@@ -25,7 +25,8 @@ SOFTWARE.
  */
 import { describe, expect, it } from 'vitest'
 
-import { PackageURL, PackageURLBuilder } from '../src/package-url.js'
+import { PackageURLBuilder } from '../src/package-url-builder.js'
+import { PackageURL } from '../src/package-url.js'
 
 describe('PackageURLBuilder', () => {
   describe('basic construction', () => {

test/package-url.test.mts

@@ -466,4 +466,52 @@ describe('PackageURL', () => {
       expect(purl1.version).toBe(purl2.version)
     })
   })
+
+  describe('Input validation', () => {
+    it('should reject JSON strings exceeding maximum size', () => {
+      const largeJson = JSON.stringify({ name: 'x'.repeat(1024 * 1024) })
+      expect(() => PackageURL.fromJSON(largeJson)).toThrow(
+        'JSON string exceeds maximum size limit of 1048576 bytes',
+      )
+    })
+
+    it('should reject non-object JSON', () => {
+      expect(() => PackageURL.fromJSON('[]')).toThrow(
+        'JSON must parse to an object',
+      )
+      expect(() => PackageURL.fromJSON('"string"')).toThrow(
+        'JSON must parse to an object',
+      )
+      expect(() => PackageURL.fromJSON('null')).toThrow(
+        'JSON must parse to an object',
+      )
+    })
+
+    it('should prevent prototype pollution in fromJSON', () => {
+      const maliciousJson =
+        '{"__proto__":{"isAdmin":true},"type":"npm","name":"test"}'
+      const purl = PackageURL.fromJSON(maliciousJson)
+      expect(purl.type).toBe('npm')
+      expect(purl.name).toBe('test')
+      // Verify prototype pollution didn't occur.
+      expect(({} as any).isAdmin).toBeUndefined()
+    })
+
+    it('should reject package URLs exceeding maximum length', () => {
+      const longUrl = 'pkg:npm/' + 'x'.repeat(4090)
+      expect(() => PackageURL.fromString(longUrl)).toThrow(
+        'Package URL exceeds maximum length of 4096 characters',
+      )
+    })
+
+    it('should handle bounded regex patterns without ReDoS', () => {
+      // These used to be potential ReDoS vectors with unbounded quantifiers.
+      const longScheme = 'a'.repeat(300) + '://'
+      const longType = 'a'.repeat(300) + '/'
+
+      // Should not hang with bounded patterns.
+      expect(() => PackageURL.fromString(longScheme)).toThrow()
+      expect(() => PackageURL.fromString(longType)).toThrow()
+    })
+  })
 })

test/purl-edge-cases.test.mts

@@ -210,19 +210,29 @@ describe('Edge cases and additional coverage', () => {
     })
 
     it('should handle very long component values', () => {
-      // Tests no length limits on components (stress test)
-      const longString = 'a'.repeat(1000)
+      // Test with maximum allowed lengths for components.
+      const maxNamespace = 'a'.repeat(512) // Max namespace length.
+      const maxName = 'b'.repeat(214) // Max name length.
+      const maxVersion = 'c'.repeat(256) // Max version length.
       const purl = new PackageURL(
         'type',
-        longString,
-        longString,
-        longString,
+        maxNamespace,
+        maxName,
+        maxVersion,
         undefined,
         undefined,
       )
-      expect(purl.namespace).toBe(longString)
-      expect(purl.name).toBe(longString)
-      expect(purl.version).toBe(longString)
+      expect(purl.namespace).toBe(maxNamespace)
+      expect(purl.name).toBe(maxName)
+      expect(purl.version).toBe(maxVersion)
+
+      // Test that exceeding limits throws errors.
+      expect(
+        () => new PackageURL('type', 'a'.repeat(513), 'name', undefined),
+      ).toThrow('"namespace" exceeds maximum length of 512 characters')
+      expect(() => new PackageURL('type', undefined, 'a'.repeat(215))).toThrow(
+        '"name" exceeds maximum length of 214 characters',
+      )
     })
 
     it('should preserve exact qualifier order in toString', () => {
@@ -2414,9 +2424,7 @@ describe('Edge cases and additional coverage', () => {
             undefined,
             undefined,
           ),
-      ).toThrow(
-        'npm "namespace" and "name" components can not collectively be more than 214 characters',
-      )
+      ).toThrow('"name" exceeds maximum length of 214 characters')
 
       // Test npm core module name with throws (line 355)
       // Use a builtin that's not a legacy name (legacy names skip the builtin check)
@@ -2855,4 +2863,45 @@ describe('Edge cases and additional coverage', () => {
       expect(result3).toBe(false)
     })
   })
+
+  describe('Length validation', () => {
+    it('should reject names exceeding maximum length', () => {
+      const longName = 'x'.repeat(215)
+      expect(validateName(longName, { throws: false })).toBe(false)
+      expect(() => validateName(longName, { throws: true })).toThrow(
+        '"name" exceeds maximum length of 214 characters',
+      )
+    })
+
+    it('should accept names at maximum length', () => {
+      const maxName = 'x'.repeat(214)
+      expect(validateName(maxName, { throws: false })).toBe(true)
+    })
+
+    it('should reject namespaces exceeding maximum length', () => {
+      const longNamespace = 'x'.repeat(513)
+      expect(validateNamespace(longNamespace, { throws: false })).toBe(false)
+      expect(() => validateNamespace(longNamespace, { throws: true })).toThrow(
+        '"namespace" exceeds maximum length of 512 characters',
+      )
+    })
+
+    it('should accept namespaces at maximum length', () => {
+      const maxNamespace = 'x'.repeat(512)
+      expect(validateNamespace(maxNamespace, { throws: false })).toBe(true)
+    })
+
+    it('should reject versions exceeding maximum length', () => {
+      const longVersion = 'x'.repeat(257)
+      expect(validateVersion(longVersion, { throws: false })).toBe(false)
+      expect(() => validateVersion(longVersion, { throws: true })).toThrow(
+        '"version" exceeds maximum length of 256 characters',
+      )
+    })
+
+    it('should accept versions at maximum length', () => {
+      const maxVersion = 'x'.repeat(256)
+      expect(validateVersion(maxVersion, { throws: false })).toBe(true)
+    })
+  })
 })