mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-06 21:46:40 +02:00
Garry Tan
a7593d70ef
* fix: cookie picker auth token leak (CVE — CVSS 7.8) GET /cookie-picker served HTML that inlined the master bearer token without authentication. Any local process could extract it and use it to call /command, executing arbitrary JS in the browser context. Fix: Jupyter-style one-time code exchange. The picker URL now includes a one-time code that is consumed via 302 redirect, setting an HttpOnly session cookie. The master AUTH_TOKEN never appears in HTML. The session cookie is isolated from the scoped token system (not valid for /command). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * chore: bump version and changelog (v0.15.17.0) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: browse-snapshot E2E turn budget too tight (7 → 9) The agent consistently uses 8 turns for 5 snapshot commands because it reads the saved annotated PNG to verify it was created. All 3 CI attempts hit error_max_turns at exactly 8. Bumping to 9 gives headroom. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
396 lines
14 KiB
TypeScript
396 lines
14 KiB
TypeScript
/**
|
|
* Tests for cookie-picker route handler
|
|
*
|
|
* Tests the HTTP glue layer directly with mock BrowserManager objects.
|
|
* Verifies auth (one-time code exchange, session cookies, Bearer tokens),
|
|
* CORS headers, and JSON response formats.
|
|
*/
|
|
|
|
import { describe, test, expect } from 'bun:test';
|
|
import { handleCookiePickerRoute, generatePickerCode } from '../src/cookie-picker-routes';
|
|
|
|
// ─── Mock BrowserManager ──────────────────────────────────────
|
|
|
|
function mockBrowserManager() {
|
|
const addedCookies: any[] = [];
|
|
const clearedDomains: string[] = [];
|
|
return {
|
|
bm: {
|
|
getPage: () => ({
|
|
context: () => ({
|
|
addCookies: (cookies: any[]) => { addedCookies.push(...cookies); },
|
|
clearCookies: (opts: { domain: string }) => { clearedDomains.push(opts.domain); },
|
|
}),
|
|
}),
|
|
} as any,
|
|
addedCookies,
|
|
clearedDomains,
|
|
};
|
|
}
|
|
|
|
function makeUrl(path: string, port = 9470): URL {
|
|
return new URL(`http://127.0.0.1:${port}${path}`);
|
|
}
|
|
|
|
function makeReq(method: string, body?: any, headers?: Record<string, string>): Request {
|
|
const opts: RequestInit = { method, headers: { ...headers } };
|
|
if (body) {
|
|
opts.body = JSON.stringify(body);
|
|
(opts.headers as any)['Content-Type'] = 'application/json';
|
|
}
|
|
return new Request('http://127.0.0.1:9470', opts);
|
|
}
|
|
|
|
/** Helper: exchange a one-time code and return the session cookie value. */
|
|
async function getSessionCookie(bm: any, authToken: string): Promise<string> {
|
|
const code = generatePickerCode();
|
|
const url = makeUrl(`/cookie-picker?code=${code}`);
|
|
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
|
|
const res = await handleCookiePickerRoute(url, req, bm, authToken);
|
|
expect(res.status).toBe(302);
|
|
const setCookie = res.headers.get('Set-Cookie') || '';
|
|
const match = setCookie.match(/gstack_picker=([^;]+)/);
|
|
expect(match).not.toBeNull();
|
|
return match![1];
|
|
}
|
|
|
|
// ─── Tests ──────────────────────────────────────────────────────
|
|
|
|
describe('cookie-picker-routes', () => {
|
|
describe('CORS', () => {
|
|
test('OPTIONS returns 204 with correct CORS headers', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/browsers');
|
|
const req = new Request('http://127.0.0.1:9470', { method: 'OPTIONS' });
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm);
|
|
|
|
expect(res.status).toBe(204);
|
|
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://127.0.0.1:9470');
|
|
expect(res.headers.get('Access-Control-Allow-Methods')).toContain('POST');
|
|
});
|
|
|
|
test('JSON responses include correct CORS origin with port', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/browsers', 9450);
|
|
const req = new Request('http://127.0.0.1:9450', {
|
|
method: 'GET',
|
|
headers: { 'Authorization': 'Bearer test-token' },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://127.0.0.1:9450');
|
|
});
|
|
});
|
|
|
|
describe('JSON responses (with auth)', () => {
|
|
test('GET /cookie-picker/browsers returns JSON', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/browsers');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'GET',
|
|
headers: { 'Authorization': 'Bearer test-token' },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.headers.get('Content-Type')).toBe('application/json');
|
|
const body = await res.json();
|
|
expect(body).toHaveProperty('browsers');
|
|
expect(Array.isArray(body.browsers)).toBe(true);
|
|
});
|
|
|
|
test('GET /cookie-picker/domains without browser param returns JSON error', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/domains');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'GET',
|
|
headers: { 'Authorization': 'Bearer test-token' },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(400);
|
|
expect(res.headers.get('Content-Type')).toBe('application/json');
|
|
const body = await res.json();
|
|
expect(body).toHaveProperty('error');
|
|
expect(body).toHaveProperty('code', 'missing_param');
|
|
});
|
|
|
|
test('POST /cookie-picker/import with invalid JSON returns JSON error', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/import');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'POST',
|
|
body: 'not json',
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
'Authorization': 'Bearer test-token',
|
|
},
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(400);
|
|
expect(res.headers.get('Content-Type')).toBe('application/json');
|
|
const body = await res.json();
|
|
expect(body.code).toBe('bad_request');
|
|
});
|
|
|
|
test('POST /cookie-picker/import missing browser field returns JSON error', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/import');
|
|
const req = makeReq('POST', { domains: ['.example.com'] }, { 'Authorization': 'Bearer test-token' });
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(400);
|
|
const body = await res.json();
|
|
expect(body.code).toBe('missing_param');
|
|
});
|
|
|
|
test('POST /cookie-picker/import missing domains returns JSON error', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/import');
|
|
const req = makeReq('POST', { browser: 'Chrome' }, { 'Authorization': 'Bearer test-token' });
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(400);
|
|
const body = await res.json();
|
|
expect(body.code).toBe('missing_param');
|
|
});
|
|
|
|
test('POST /cookie-picker/remove with invalid JSON returns JSON error', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/remove');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'POST',
|
|
body: '{bad',
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
'Authorization': 'Bearer test-token',
|
|
},
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(400);
|
|
expect(res.headers.get('Content-Type')).toBe('application/json');
|
|
});
|
|
|
|
test('POST /cookie-picker/remove missing domains returns JSON error', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/remove');
|
|
const req = makeReq('POST', {}, { 'Authorization': 'Bearer test-token' });
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(400);
|
|
const body = await res.json();
|
|
expect(body.code).toBe('missing_param');
|
|
});
|
|
|
|
test('GET /cookie-picker/imported returns JSON with domain list', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/imported');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'GET',
|
|
headers: { 'Authorization': 'Bearer test-token' },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.headers.get('Content-Type')).toBe('application/json');
|
|
const body = await res.json();
|
|
expect(body).toHaveProperty('domains');
|
|
expect(body).toHaveProperty('totalDomains');
|
|
expect(body).toHaveProperty('totalCookies');
|
|
});
|
|
});
|
|
|
|
describe('routing', () => {
|
|
test('unknown path returns 404 (with auth)', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/nonexistent');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'GET',
|
|
headers: { 'Authorization': 'Bearer test-token' },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(404);
|
|
});
|
|
});
|
|
|
|
describe('one-time code exchange', () => {
|
|
test('valid code returns 302 redirect with session cookie', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const code = generatePickerCode();
|
|
const url = makeUrl(`/cookie-picker?code=${code}`);
|
|
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(302);
|
|
expect(res.headers.get('Location')).toBe('/cookie-picker');
|
|
const setCookie = res.headers.get('Set-Cookie') || '';
|
|
expect(setCookie).toContain('gstack_picker=');
|
|
expect(setCookie).toContain('HttpOnly');
|
|
expect(setCookie).toContain('SameSite=Strict');
|
|
expect(setCookie).toContain('Path=/cookie-picker');
|
|
expect(setCookie).toContain('Max-Age=3600');
|
|
expect(res.headers.get('Cache-Control')).toBe('no-store');
|
|
});
|
|
|
|
test('code cannot be reused', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const code = generatePickerCode();
|
|
const url = makeUrl(`/cookie-picker?code=${code}`);
|
|
|
|
// First use: success
|
|
const req1 = new Request('http://127.0.0.1:9470', { method: 'GET' });
|
|
const res1 = await handleCookiePickerRoute(url, req1, bm, 'test-token');
|
|
expect(res1.status).toBe(302);
|
|
|
|
// Second use: rejected
|
|
const req2 = new Request('http://127.0.0.1:9470', { method: 'GET' });
|
|
const res2 = await handleCookiePickerRoute(url, req2, bm, 'test-token');
|
|
expect(res2.status).toBe(403);
|
|
});
|
|
|
|
test('invalid code returns 403', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker?code=not-a-valid-code');
|
|
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(403);
|
|
});
|
|
|
|
test('GET /cookie-picker without code or session returns 403', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker');
|
|
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(403);
|
|
});
|
|
});
|
|
|
|
describe('session cookie auth', () => {
|
|
test('valid session cookie grants HTML access', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const session = await getSessionCookie(bm, 'test-token');
|
|
|
|
const url = makeUrl('/cookie-picker');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'GET',
|
|
headers: { 'Cookie': `gstack_picker=${session}` },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.headers.get('Content-Type')).toContain('text/html');
|
|
});
|
|
|
|
test('HTML response does NOT contain auth token', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const authToken = 'super-secret-auth-token-12345';
|
|
const session = await getSessionCookie(bm, authToken);
|
|
|
|
const url = makeUrl('/cookie-picker');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'GET',
|
|
headers: { 'Cookie': `gstack_picker=${session}` },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, authToken);
|
|
const html = await res.text();
|
|
|
|
expect(html).not.toContain(authToken);
|
|
expect(html).not.toContain('AUTH_TOKEN');
|
|
});
|
|
|
|
test('data routes accept session cookie', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const session = await getSessionCookie(bm, 'test-token');
|
|
|
|
const url = makeUrl('/cookie-picker/browsers');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'GET',
|
|
headers: { 'Cookie': `gstack_picker=${session}` },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.headers.get('Content-Type')).toBe('application/json');
|
|
const body = await res.json();
|
|
expect(body).toHaveProperty('browsers');
|
|
});
|
|
|
|
test('invalid session cookie returns 403 for HTML', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'GET',
|
|
headers: { 'Cookie': 'gstack_picker=fake-session' },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-token');
|
|
|
|
expect(res.status).toBe(403);
|
|
});
|
|
});
|
|
|
|
describe('auth gate security', () => {
|
|
test('GET /cookie-picker/browsers returns 401 without auth', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/browsers');
|
|
const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
|
|
|
|
expect(res.status).toBe(401);
|
|
const body = await res.json();
|
|
expect(body.error).toBe('Unauthorized');
|
|
});
|
|
|
|
test('POST /cookie-picker/import returns 401 without auth', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/import');
|
|
const req = makeReq('POST', { browser: 'Chrome', domains: ['.example.com'] });
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
|
|
|
|
expect(res.status).toBe(401);
|
|
const body = await res.json();
|
|
expect(body.error).toBe('Unauthorized');
|
|
});
|
|
|
|
test('GET /cookie-picker/browsers works with valid Bearer auth', async () => {
|
|
const { bm } = mockBrowserManager();
|
|
const url = makeUrl('/cookie-picker/browsers');
|
|
const req = new Request('http://127.0.0.1:9470', {
|
|
method: 'GET',
|
|
headers: { 'Authorization': 'Bearer test-secret-token' },
|
|
});
|
|
|
|
const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.headers.get('Content-Type')).toBe('application/json');
|
|
const body = await res.json();
|
|
expect(body).toHaveProperty('browsers');
|
|
});
|
|
});
|
|
});
|