d784013406
- server-auth: verify token removed from /health, auth on /refs, /activity/* - cookie-picker: auth required on data routes, HTML page unauthenticated - path-validation: symlink bypass blocked, realpathSync failure throws - gstack-config: regex key rejected, sed special chars preserved - state-ttl: savedAt timestamp, 7-day TTL warning - telemetry: branch/repo with quotes don't corrupt JSON - adversarial: sidepanel escapes entry.command, freeze prefix collision
/**
* Adversarial security tests — XSS and boundary-check hardening
*
* Test 19: Sidepanel escapes entry.command in activity feed (prevents XSS)
* Test 20: Freeze hook uses trailing slash in boundary check (prevents prefix collision)
*/
import { describe, test, expect } from 'bun:test';
import * as fs from 'fs';
import * as path from 'path';
describe('Adversarial security', () => {
  /**
   * Read a repository file, located relative to this test file, as UTF-8 text.
   *
   * Both tests below are static source-inspection checks: they look for the
   * expected hardening in the shipped source text rather than executing it.
   */
  const readRepoSource = (relativePath) => {
    const absolutePath = path.join(import.meta.dir, relativePath);
    return fs.readFileSync(absolutePath, 'utf-8');
  };

  test('sidepanel escapes entry.command in activity feed', () => {
    const sidepanelSource = readRepoSource('../../extension/sidepanel.js');
    // A crafted command name rendered into the activity feed must go through
    // escapeHtml() before it reaches the DOM. This is a substring check: it
    // proves an escaped call site exists, not that every interpolation of
    // entry.command is escaped.
    expect(sidepanelSource).toContain('escapeHtml(entry.command');
  });

  test('freeze hook uses trailing slash in boundary check', () => {
    const hookSource = readRepoSource('../../freeze/bin/check-freeze.sh');
    // The boundary comparison must be against "${FREEZE_DIR}/" with a trailing
    // slash; a bare prefix compare would let /app also match /application.
    expect(hookSource).toContain('"${FREEZE_DIR}/"');
  });
});