Security: add husky + secretlint pre-commit hook and parser fuzz/security tests

Author: Admin

.husky/pre-commit

@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+echo "🔍 [Security] Running pre-commit secret scanning..."
+npm run secretlint || {
+  echo "⛔ Secretlint detected possible secrets. Commit aborted." >&2
+  exit 1
+}
+

.secretlintrc.json

@@ -0,0 +1,7 @@
+{
+  "rules": [
+    {
+      "id": "@secretlint/secretlint-rule-preset-recommend"
+    }
+  ]
+}

package.json

@@ -3,15 +3,20 @@
   "version": "0.1.0",
   "private": true,
   "scripts": {
-    "test": "mocha -r ts-node/register tests/**/*.test.ts --reporter spec"
+    "test": "mocha -r ts-node/register tests/**/*.test.ts --reporter spec",
+    "prepare": "husky install",
+    "secretlint": "secretlint \"**/*\""
   },
   "devDependencies": {
     "@types/js-yaml": "^4.0.9",
     "@types/mocha": "^10.0.1",
     "@types/node": "^20.0.0",
     "mocha": "^10.2.0",
     "ts-node": "^10.9.1",
-    "typescript": "^5.0.0"
+    "typescript": "^5.0.0",
+    "husky": "^9.0.11",
+    "secretlint": "^8.2.4",
+    "@secretlint/secretlint-rule-preset-recommend": "^8.2.4"
   },
   "dependencies": {
     "js-yaml": "^4.2.0"

tests/parsePlanReview.security.test.ts

@@ -0,0 +1,41 @@
+import { strict as assert } from 'assert';
+import { parsePlanReviewOptions } from '../src/parsePlanReview';
+
+describe('Parser security & fuzz tests', () => {
+  it('handles very large input gracefully (<=50KB) and returns fallback when too large)', () => {
+    const hugeInput = 'A'.repeat(60 * 1024); // 60KB
+    const out = parsePlanReviewOptions(hugeInput, undefined, { enableFallback: true });
+    // Should not throw and should return minimal fallback (2 items)
+    assert.ok(Array.isArray(out));
+    assert.ok(out.length <= 50);
+  });
+
+  it('rejects/neutralizes dangerous YAML tags (no functions)', () => {
+    const maliciousYaml = "target: !!js/function \"function() { require('child_process').execSync('id'); }\"\n";
+    const out = parsePlanReviewOptions(maliciousYaml, undefined, { enableFallback: true });
+    // The parser should not return executable JS values
+    assert.ok(!out.some(item => typeof (item as any).target === 'function'));
+  });
+
+  it('handles deeply nested JSON without crashing (returns fallback or sanitizes)', () => {
+    let deep: any = {};
+    let cur = deep;
+    for (let i = 0; i < 1000; i++) { cur.n = {}; cur = cur.n; }
+    const payload = JSON.stringify(deep);
+    const out = parsePlanReviewOptions(payload, undefined, { enableFallback: true });
+    assert.ok(Array.isArray(out));
+  });
+
+  it('strips control characters from labels', () => {
+    const payload = JSON.stringify({ id: '1', label: "\u001b[31mBad\u001b[0m" });
+    const out = parsePlanReviewOptions(payload, undefined, { enableFallback: true });
+    assert.ok(!out[0].label.includes('\u001b[31m'));
+  });
+
+  it('caps menu items at MAX_MENU_ITEMS (50)', () => {
+    const items = Array.from({ length: 100 }, (_, i) => ({ id: `i${i}`, label: `Item ${i}` }));
+    const payload = JSON.stringify(items);
+    const out = parsePlanReviewOptions(payload, undefined, { enableFallback: true });
+    assert.ok(out.length <= 50);
+  });
+});