SSR migrated to Rust
This commit is contained in:
54
cores/mizan-rust-ssr/tests/no_rsc.rs
Normal file
54
cores/mizan-rust-ssr/tests/no_rsc.rs
Normal file
@@ -0,0 +1,54 @@
|
||||
//! Guard — Mizan SSR is hand-rolled (bare renderer + AFI data injection +
|
||||
//! injected kernel). No frontend adapter imports an SSR runtime / meta-framework
|
||||
//! (Next, Nuxt, SvelteKit) or a server-functions layer (RSC / Flight).
|
||||
//!
|
||||
//! React Server Components and the Flight serialization protocol carry
|
||||
//! CVE-2025-55182 ("React2Shell" — unauthenticated remote code execution,
|
||||
//! CVSS 10.0): the server deserializes a client-supplied Flight payload and an
|
||||
//! attacker reaches prototype-pollution → RCE.
|
||||
//!
|
||||
//! Mizan renders **synchronously from props** — data is fetched server-side
|
||||
//! through the AFI and passed in, never deserialized from a client payload — so
|
||||
//! it sits structurally outside that attack surface. This test keeps it there:
|
||||
//! it goes red the instant any RSC / Flight / streaming surface enters the
|
||||
//! authored SSR source or its dependencies. Absence is not enough; this is the
|
||||
//! forcing function that makes re-entry loud.
|
||||
|
||||
/// Tokens that only appear when RSC / Flight / streaming rendering is in play.
|
||||
const FORBIDDEN: &[&str] = &[
|
||||
// React Server Components / Flight — CVE-2025-55182 (pre-auth RCE, CVSS 10.0)
|
||||
"react-server-dom",
|
||||
"renderToReadableStream",
|
||||
"renderToPipeableStream",
|
||||
"createFromReadableStream",
|
||||
"createFromFetch",
|
||||
"use server",
|
||||
// SSR runtimes / meta-frameworks — forbidden across every frontend adapter
|
||||
"next/",
|
||||
"nuxt",
|
||||
"@sveltejs/kit",
|
||||
"sveltekit",
|
||||
];
|
||||
|
||||
const SCANNED: &[&str] = &[
|
||||
concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixture/entry.js"),
|
||||
concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixture/Hello.js"),
|
||||
concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixture/package.json"),
|
||||
];
|
||||
|
||||
#[test]
|
||||
fn ssr_has_no_rsc_or_flight_surface() {
|
||||
for path in SCANNED {
|
||||
let Ok(src) = std::fs::read_to_string(path) else {
|
||||
continue; // a generated/optional file absent is fine; authored source is the point
|
||||
};
|
||||
for needle in FORBIDDEN {
|
||||
assert!(
|
||||
!src.contains(needle),
|
||||
"RSC/Flight surface {needle:?} found in {path} — forbidden. \
|
||||
RSC carries CVE-2025-55182 (unauth RCE, CVSS 10.0); Mizan SSR is \
|
||||
classic renderToString-family only, rendered synchronously from props.",
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user