Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add fast-check property tests for injection-pattern rules#138

Merged
twschiller merged 1 commit into
mainfrom
add-fast-check-injection-decoders
Jun 4, 2026
Merged

Add fast-check property tests for injection-pattern rules#138
twschiller merged 1 commit into
mainfrom
add-fast-check-injection-decoders

Conversation

@twschiller

Copy link
Copy Markdown
Contributor

Summary

Property tests for both rules that consume INJECTION_PATTERNS:

  • attribute-injection-sanitize — fuzzes (allowlisted attribute) × (shared injection fixture) × (random non-injection noise). Negative properties confirm non-allowlisted attributes (data-foo, name) and enabled <input value> are preserved; clean values on allowlisted attributes survive.
  • meta-injection-strip<meta> is removed regardless of which name convention identifies it (name/property/itemprop/http-equiv); <title> is blanked but the element is kept (so document.title keeps returning a string); benign content is preserved.

Finding worth noting

While building these I hit one shrunk counterexample worth surfacing for a separate discussion (not addressed in this PR): the injection regex set anchors with \b, so a payload concatenated against a leading/trailing word character (e.g. aria-label="0Ignore all previous instructions...") slips past the regex. Whether that's a sanitizer tightening opportunity or working-as-intended is a separate call — this PR constrains its fuzzer to whitespace-boundary contexts, matching the documented intent. Worth a real-world page sample before deciding.

Test plan

  • bun run preflight — biome, eslint, tsc (src + tests), knip, jest with coverage (1028 tests).

🤖 Generated with Claude Code

Covers `attribute-injection-sanitize` and `meta-injection-strip`. Both
rules consult the shared injection-pattern set, so the new properties
exercise that pattern set through every surface each rule scrubs.

attribute-injection-sanitize: fuzzes (allowlisted attribute) × (shared
injection fixture) × (random non-injection prefix/suffix with explicit
whitespace boundaries). Negative properties confirm non-allowlisted
attributes (`data-foo`, `name`) and enabled `<input value>` are
preserved.

meta-injection-strip: removes any `<meta content>` carrying an
injection payload regardless of name attribute convention
(`name`/`property`/`itemprop`/`http-equiv`), and blanks `<title>` text
while keeping the element so `document.title` still returns a string.
Benign meta/title content is preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@vercel

vercel Bot commented Jun 4, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
agent-browser-shield-demo-site Ready Ready Preview, Comment Jun 4, 2026 9:54pm

Request Review

@twschiller twschiller merged commit 9a4b9af into main Jun 4, 2026
7 checks passed
@twschiller twschiller deleted the add-fast-check-injection-decoders branch June 4, 2026 21:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant