Merge pull request #27 from script-development/security/storage-prefix-validation

security(storage): reject prefixes containing ":"

Author: Goosterhof

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@script-development/fs-storage",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Framework-agnostic localStorage service factory with prefix namespacing",
   "homepage": "https://packages.script.nl/packages/storage",
   "license": "MIT",

packages/storage/package.json

@@ -1,6 +1,12 @@
 import type { StorageService, Get } from "./types";
 
 export const createStorageService = (prefix: string): StorageService => {
+  if (prefix.includes(":")) {
+    throw new Error(
+      `createStorageService: prefix must not contain ":" — got ${JSON.stringify(prefix)}. The colon is reserved as the prefix/key separator; a prefix containing ":" would allow clear() to match and delete keys from other prefixes (e.g., prefix "app" would delete everything stored under "app:admin").`,
+    );
+  }
+
   const prefixKey = (key: string): string => `${prefix}:${key}`;
 
   const put = (key: string, value: unknown): void => {

packages/storage/src/storage.ts

@@ -28,6 +28,16 @@ describe("storage service", () => {
       expect(storage).toHaveProperty("remove");
       expect(storage).toHaveProperty("clear");
     });
+
+    it("should throw when the prefix contains a colon", () => {
+      expect(() => createStorageService("app:admin")).toThrow(/must not contain ":"/u);
+      expect(() => createStorageService(":leading")).toThrow(/must not contain ":"/u);
+      expect(() => createStorageService("trailing:")).toThrow(/must not contain ":"/u);
+    });
+
+    it("should include the offending prefix in the error message", () => {
+      expect(() => createStorageService("bad:prefix")).toThrow(/"bad:prefix"/u);
+    });
   });
 
   describe("put", () => {