Refactor: strategy pattern, security fixes, DRY index extraction (audit fixes)#326

Merged
avoidwork merged 4 commits into master from audit-fixes on Apr 25, 2026
Conversation

@avoidwork
Owner

Summary

Addresses an SRP/DRY/YAGNI/SOLID/OWASP audit of haro.js with 9 changes across 4 files:

New Files

  • src/query-strategy.js — Strategy pattern module with ValueMatcher and PredicateStrategy classes, replacing #matchesPredicate
  • tests/unit/query-strategy.test.js — 22 new tests for the strategy classes and integration

Core Fixes

| Issue | Principle | Fix |
| --- | --- | --- |
| #matchesPredicate complexity | SRP, SOLID (Open/Closed) | Extracted to src/query-strategy.js with extensible PredicateStrategy and ValueMatcher |
| Duplicated index value extraction | DRY | Added #getIndexValues(field, source) helper used by both #setIndex() and #deleteIndex() |
| Prototype pollution via spread | OWASP | set() now filters __proto__, constructor, prototype keys before storing |
| ReDoS via unbounded RegExp | OWASP | search() rejects RegExp with source.length > 256 |
| where() returning void/undefined | SOLID (correctness) | Fixed to always return empty array when indexed queries find no candidates |

Cleanup (YAGNI/SRP)

  • Removed redundant frozen parameter from sort() — immutable mode handles freezing via #freezeResult()
  • Fixed sort() crash in immutable mode (frozen array + .sort() mutation) — now extracts data safely
  • Removed unused override parameter from #merge()

Files Updated

  • src/constants.js — Added INT_1, INT_256
  • src/haro.js — All core fixes
  • tests/unit/utilities.test.js — Updated sort() test
  • AGENTS.md — Updated project guide with new helpers/signatures
  • docs/API.md — New Query Strategy section, updated method docs
  • docs/TECHNICAL_DOCUMENTATION.md — New Security Model section
  • types/haro.d.ts — Removed matchesPredicate, updated sort/merge signatures
  • dist/ — Regenerated build files

Test Results

  • 253 tests pass (up from 231, +22 new)
  • 0 lint warnings, 0 lint errors

…it fixes)

- Extract #matchesPredicate into standalone Strategy module (query-strategy.js)
  with PredicateStrategy and ValueMatcher classes (SRP/SOLID)
- Add #getIndexValues() helper to deduplicate index value extraction
  in #setIndex and #deleteIndex (DRY)
- Filter prototype pollution keys (__proto__, constructor, prototype)
  before spread in set() (OWASP)
- Reject RegExp patterns with source.length > 256 in search() (ReDoS)
- Fix where() returning undefined when indexes match nothing
- Remove dead 'frozen' param from sort()
- Remove unused 'override' parameter from #merge()
- AGENTS.md: add query-strategy module, new helper, signature updates
- docs/API.md: Query Strategy section, new helpers, sort/where/set/search updates
- docs/TECHNICAL_DOCUMENTATION.md: Security Model, Query Strategy, SORT complexity
- types/haro.d.ts: remove frozen override, update merge, remove matchesPredicate
- dist: regenerated build files
@avoidwork avoidwork merged commit b2249e9 into master Apr 25, 2026
4 checks passed
@avoidwork avoidwork deleted the audit-fixes branch April 25, 2026 20:38