CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-07 05:56:41 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
feat/browser-batch-multitab
gstack/browse/test/cookie-picker-routes.test.ts
T
Garry Tan 7450b5160b fix: security audit remediation — 12 fixes, 20 tests (v0.13.1.0) (#595) 
* fix: remove auth token from /health, secure extension bootstrap (CRITICAL-02 + HIGH-03)

- Remove token from /health response (was leaked to any localhost process)
- Write .auth.json to extension dir for Manifest V3 bootstrap
- sidebar-agent reads token from state file via BROWSE_STATE_FILE env var
- Remove getToken handler from extension (token via health broadcast)
- Extension loads token before first health poll to prevent race condition

* fix: require auth on cookie-picker data routes (CRITICAL-01)

- Add Bearer token auth gate on all /cookie-picker/* data/action routes
- GET /cookie-picker HTML page stays unauthenticated (UI shell)
- Token embedded in served HTML for picker's fetch calls
- CORS preflight now allows Authorization header

* fix: add state file TTL and plaintext cookie warning (HIGH-02)

- Add savedAt timestamp to state save output
- Warn on load if state file older than 7 days
- Auto-delete stale state files (>7 days) on server startup
- Warning about plaintext cookie storage in save message

* fix: innerHTML XSS in extension content script and sidepanel (MEDIUM-01)

- content.js: replace innerHTML with createElement/textContent for ref panel
- sidepanel.js: escape entry.command with escapeHtml() in activity feed
- Both found by security audit + Codex adversarial red team

* fix: symlink bypass in validateReadPath (MEDIUM-02)

- Always resolve to absolute path first (fixes relative path bypass)
- Use realpathSync to follow symlinks before boundary check
- Throw on non-ENOENT realpathSync failures (explicit over silent)
- Resolve SAFE_DIRECTORIES through realpathSync (macOS /tmp → /private/tmp)
- Resolve directory part for non-existent files (ENOENT with symlinked parent)

* fix: freeze hook symlink bypass and prefix collision (MEDIUM-03)

- Add POSIX-portable path resolution (cd + pwd -P, works on macOS)
- Fix prefix collision: /project-evil no longer matches /project freeze dir
- Use trailing slash in boundary check to require directory boundary

* fix: shell script injection in gstack-config and telemetry (MEDIUM-04)

- gstack-config: validate keys (alphanumeric+underscore only)
- gstack-config: use grep -F (fixed string) instead of -E (regex)
- gstack-config: escape sed special chars in values, drop newlines
- gstack-telemetry-log: sanitize REPO_SLUG and BRANCH via json_safe()

* test: 20 security tests for audit remediation

- server-auth: verify token removed from /health, auth on /refs, /activity/*
- cookie-picker: auth required on data routes, HTML page unauthenticated
- path-validation: symlink bypass blocked, realpathSync failure throws
- gstack-config: regex key rejected, sed special chars preserved
- state-ttl: savedAt timestamp, 7-day TTL warning
- telemetry: branch/repo with quotes don't corrupt JSON
- adversarial: sidepanel escapes entry.command, freeze prefix collision

* chore: bump version and changelog (v0.13.1.0)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: tone down changelog — defense in depth, not catastrophic bugs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-28 08:35:24 -06:00

261 lines
9.5 KiB
TypeScript
Raw Permalink Blame History

/**
* Tests for cookie-picker route handler
*
* Tests the HTTP glue layer directly with mock BrowserManager objects.
* Verifies that all routes return valid JSON (not HTML) with correct CORS headers.
*/
import { describe, test, expect } from 'bun:test';
import { handleCookiePickerRoute } from '../src/cookie-picker-routes';
// ─── Mock BrowserManager ──────────────────────────────────────
function mockBrowserManager() {
const addedCookies: any[] = [];
const clearedDomains: string[] = [];
return {
bm: {
getPage: () => ({
context: () => ({
addCookies: (cookies: any[]) => { addedCookies.push(...cookies); },
clearCookies: (opts: { domain: string }) => { clearedDomains.push(opts.domain); },
}),
}),
} as any,
addedCookies,
clearedDomains,
};
}
function makeUrl(path: string, port = 9470): URL {
return new URL(`http://127.0.0.1:${port}${path}`);
}
function makeReq(method: string, body?: any): Request {
const opts: RequestInit = { method };
if (body) {
opts.body = JSON.stringify(body);
opts.headers = { 'Content-Type': 'application/json' };
}
return new Request('http://127.0.0.1:9470', opts);
}
// ─── Tests ──────────────────────────────────────────────────────
describe('cookie-picker-routes', () => {
describe('CORS', () => {
test('OPTIONS returns 204 with correct CORS headers', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/browsers');
const req = new Request('http://127.0.0.1:9470', { method: 'OPTIONS' });
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(204);
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://127.0.0.1:9470');
expect(res.headers.get('Access-Control-Allow-Methods')).toContain('POST');
});
test('JSON responses include correct CORS origin with port', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/browsers', 9450);
const req = new Request('http://127.0.0.1:9450', { method: 'GET' });
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://127.0.0.1:9450');
});
});
describe('JSON responses (not HTML)', () => {
test('GET /cookie-picker/browsers returns JSON', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/browsers');
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(200);
expect(res.headers.get('Content-Type')).toBe('application/json');
const body = await res.json();
expect(body).toHaveProperty('browsers');
expect(Array.isArray(body.browsers)).toBe(true);
});
test('GET /cookie-picker/domains without browser param returns JSON error', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/domains');
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(400);
expect(res.headers.get('Content-Type')).toBe('application/json');
const body = await res.json();
expect(body).toHaveProperty('error');
expect(body).toHaveProperty('code', 'missing_param');
});
test('POST /cookie-picker/import with invalid JSON returns JSON error', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/import');
const req = new Request('http://127.0.0.1:9470', {
method: 'POST',
body: 'not json',
headers: { 'Content-Type': 'application/json' },
});
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(400);
expect(res.headers.get('Content-Type')).toBe('application/json');
const body = await res.json();
expect(body.code).toBe('bad_request');
});
test('POST /cookie-picker/import missing browser field returns JSON error', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/import');
const req = makeReq('POST', { domains: ['.example.com'] });
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(400);
const body = await res.json();
expect(body.code).toBe('missing_param');
});
test('POST /cookie-picker/import missing domains returns JSON error', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/import');
const req = makeReq('POST', { browser: 'Chrome' });
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(400);
const body = await res.json();
expect(body.code).toBe('missing_param');
});
test('POST /cookie-picker/remove with invalid JSON returns JSON error', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/remove');
const req = new Request('http://127.0.0.1:9470', {
method: 'POST',
body: '{bad',
headers: { 'Content-Type': 'application/json' },
});
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(400);
expect(res.headers.get('Content-Type')).toBe('application/json');
});
test('POST /cookie-picker/remove missing domains returns JSON error', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/remove');
const req = makeReq('POST', {});
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(400);
const body = await res.json();
expect(body.code).toBe('missing_param');
});
test('GET /cookie-picker/imported returns JSON with domain list', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/imported');
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(200);
expect(res.headers.get('Content-Type')).toBe('application/json');
const body = await res.json();
expect(body).toHaveProperty('domains');
expect(body).toHaveProperty('totalDomains');
expect(body).toHaveProperty('totalCookies');
});
});
describe('routing', () => {
test('GET /cookie-picker returns HTML', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker');
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(200);
expect(res.headers.get('Content-Type')).toContain('text/html');
});
test('unknown path returns 404', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/nonexistent');
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
const res = await handleCookiePickerRoute(url, req, bm);
expect(res.status).toBe(404);
});
});
describe('auth gate security', () => {
test('GET /cookie-picker HTML page works without auth token', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker');
// Request with no Authorization header, but authToken is set on the server
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
expect(res.status).toBe(200);
expect(res.headers.get('Content-Type')).toContain('text/html');
});
test('GET /cookie-picker/browsers returns 401 without auth', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/browsers');
// No Authorization header
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
expect(res.status).toBe(401);
const body = await res.json();
expect(body.error).toBe('Unauthorized');
});
test('POST /cookie-picker/import returns 401 without auth', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/import');
const req = makeReq('POST', { browser: 'Chrome', domains: ['.example.com'] });
const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
expect(res.status).toBe(401);
const body = await res.json();
expect(body.error).toBe('Unauthorized');
});
test('GET /cookie-picker/browsers works with valid auth', async () => {
const { bm } = mockBrowserManager();
const url = makeUrl('/cookie-picker/browsers');
const req = new Request('http://127.0.0.1:9470', {
method: 'GET',
headers: { 'Authorization': 'Bearer test-secret-token' },
});
const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
expect(res.status).toBe(200);
expect(res.headers.get('Content-Type')).toBe('application/json');
const body = await res.json();
expect(body).toHaveProperty('browsers');
});
});
});
Reference in New Issue View Git Blame Copy Permalink