release: prepare v4.8.5 security hardening release

2026-05-17 14:48:52 -04:00
parent 4b8c8829f1
commit 0a42aa13c3
35 changed files with 2975 additions and 11976 deletions
@@ -0,0 +1,87 @@
+import assert from 'node:assert/strict';
+
+let compareCalls = 0;
+globalThis.window = {
+    EnhancedSecureCryptoUtils: {
+        constantTimeCompare(a, b) {
+            compareCalls += 1;
+            return a === b;
+        }
+    }
+};
+
+const { EnhancedSecureWebRTCManager } = await import('../src/network/EnhancedSecureWebRTCManager.js');
+
+function createFakeManager() {
+    const sent = [];
+    return {
+        sent,
+        verificationCode: 'A1-B2-C3',
+        sasValidationAttempts: 0,
+        localVerificationConfirmed: false,
+        remoteVerificationConfirmed: false,
+        bothVerificationsConfirmed: false,
+        disconnected: false,
+        _validateSASCode: EnhancedSecureWebRTCManager.prototype._validateSASCode,
+        _secureLog() {},
+        deliverMessageToUI() {},
+        disconnect() {
+            this.disconnected = true;
+        },
+        dataChannel: {
+            send(payload) {
+                sent.push(JSON.parse(payload));
+            }
+        },
+        _checkBothVerificationsConfirmed() {},
+        processMessageQueue() {}
+    };
+}
+
+// testSASNormalization
+{
+    const manager = createFakeManager();
+    assert.equal(EnhancedSecureWebRTCManager.prototype._validateSASCode.call(manager, 'a1 b2 c3'), true);
+    assert.equal(EnhancedSecureWebRTCManager.prototype._validateSASCode.call(manager, 'A1B2C3'), true);
+}
+
+// testConstantTimeCompare
+{
+    const manager = createFakeManager();
+    compareCalls = 0;
+    assert.equal(EnhancedSecureWebRTCManager.prototype._validateSASCode.call(manager, 'A1-B2-C3'), true);
+    assert.equal(compareCalls, 1);
+}
+
+// testInvalidInputs
+{
+    const manager = createFakeManager();
+    assert.equal(EnhancedSecureWebRTCManager.prototype._validateSASCode.call(manager, null), false);
+    assert.equal(EnhancedSecureWebRTCManager.prototype._validateSASCode.call(manager, 'A1B2'), false);
+    assert.equal(EnhancedSecureWebRTCManager.prototype._validateSASCode.call(manager, 'FFFFFF'), false);
+}
+
+// three failed attempts disconnect; a correct attempt signals only after validation
+{
+    const manager = createFakeManager();
+    for (let i = 0; i < 2; i += 1) {
+        assert.throws(
+            () => EnhancedSecureWebRTCManager.prototype.confirmVerification.call(manager, 'FFFFFF'),
+            /SAS_MISMATCH/
+        );
+    }
+    assert.equal(manager.disconnected, false);
+    assert.throws(
+        () => EnhancedSecureWebRTCManager.prototype.confirmVerification.call(manager, 'FFFFFF'),
+        /SAS_MAX_ATTEMPTS/
+    );
+    assert.equal(manager.disconnected, true);
+
+    const validManager = createFakeManager();
+    EnhancedSecureWebRTCManager.prototype.confirmVerification.call(validManager, 'a1 b2 c3');
+    assert.equal(validManager.localVerificationConfirmed, true);
+    assert.equal(validManager.sent[0].type, 'verification_confirmed');
+    assert.equal(validManager.sent[0].data.verificationMethod, 'MANUAL_SAS_ENTRY');
+}
+
+console.log('SAS verification tests passed');