|
|
@@ -0,0 +1,291 @@
|
|
|
+/**
|
|
|
+ * Security Hardening Tests
|
|
|
+ *
|
|
|
+ * Tests for path validation, safe JSON parsing, input clamping,
|
|
|
+ * file locking, and atomic config writes.
|
|
|
+ */
|
|
|
+
|
|
|
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
|
|
|
+import * as fs from 'fs';
|
|
|
+import * as path from 'path';
|
|
|
+import * as os from 'os';
|
|
|
+import { validatePathWithinRoot, safeJsonParse, clamp, FileLock } from '../src/utils';
|
|
|
+import { saveConfig, loadConfig, getConfigPath } from '../src/config';
|
|
|
+import { DEFAULT_CONFIG } from '../src/types';
|
|
|
+
|
|
|
+// Create a temporary directory for each test
|
|
|
+function createTempDir(): string {
|
|
|
+ return fs.mkdtempSync(path.join(os.tmpdir(), 'codegraph-security-test-'));
|
|
|
+}
|
|
|
+
|
|
|
+// Clean up temporary directory
|
|
|
+function cleanupTempDir(dir: string): void {
|
|
|
+ if (fs.existsSync(dir)) {
|
|
|
+ fs.rmSync(dir, { recursive: true, force: true });
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+describe('Security Hardening', () => {
|
|
|
+ let tempDir: string;
|
|
|
+
|
|
|
+ beforeEach(() => {
|
|
|
+ tempDir = createTempDir();
|
|
|
+ });
|
|
|
+
|
|
|
+ afterEach(() => {
|
|
|
+ cleanupTempDir(tempDir);
|
|
|
+ });
|
|
|
+
|
|
|
+ // ==========================================================================
|
|
|
+ // Path Validation
|
|
|
+ // ==========================================================================
|
|
|
+
|
|
|
+ describe('validatePathWithinRoot', () => {
|
|
|
+ it('should accept paths within the root', () => {
|
|
|
+ const result = validatePathWithinRoot(tempDir, 'src/index.ts');
|
|
|
+ expect(result).toBe(path.resolve(tempDir, 'src/index.ts'));
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should accept nested paths within the root', () => {
|
|
|
+ const result = validatePathWithinRoot(tempDir, 'src/db/queries.ts');
|
|
|
+ expect(result).toBe(path.resolve(tempDir, 'src/db/queries.ts'));
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should reject paths that traverse above the root', () => {
|
|
|
+ const result = validatePathWithinRoot(tempDir, '../../etc/passwd');
|
|
|
+ expect(result).toBeNull();
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should reject paths with embedded traversal', () => {
|
|
|
+ const result = validatePathWithinRoot(tempDir, 'src/../../etc/passwd');
|
|
|
+ expect(result).toBeNull();
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should accept the root directory itself', () => {
|
|
|
+ const result = validatePathWithinRoot(tempDir, '.');
|
|
|
+ expect(result).toBe(path.resolve(tempDir));
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should reject absolute paths outside the root', () => {
|
|
|
+ const outsidePath = path.resolve(tempDir, '..', 'outside-file.txt');
|
|
|
+ const result = validatePathWithinRoot(tempDir, outsidePath);
|
|
|
+ expect(result).toBeNull();
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should accept absolute paths within the root', () => {
|
|
|
+ const insidePath = path.join(tempDir, 'src', 'file.ts');
|
|
|
+ const result = validatePathWithinRoot(tempDir, insidePath);
|
|
|
+ expect(result).toBe(insidePath);
|
|
|
+ });
|
|
|
+ });
|
|
|
+
|
|
|
+ // ==========================================================================
|
|
|
+ // Safe JSON Parsing
|
|
|
+ // ==========================================================================
|
|
|
+
|
|
|
+ describe('safeJsonParse', () => {
|
|
|
+ it('should parse valid JSON', () => {
|
|
|
+ const result = safeJsonParse('{"key": "value"}', {});
|
|
|
+ expect(result).toEqual({ key: 'value' });
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should parse valid JSON arrays', () => {
|
|
|
+ const result = safeJsonParse('["a", "b", "c"]', []);
|
|
|
+ expect(result).toEqual(['a', 'b', 'c']);
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should return fallback for invalid JSON', () => {
|
|
|
+ const result = safeJsonParse('not valid json{{{', { default: true });
|
|
|
+ expect(result).toEqual({ default: true });
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should return fallback for empty string', () => {
|
|
|
+ const result = safeJsonParse('', []);
|
|
|
+ expect(result).toEqual([]);
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should return fallback for truncated JSON', () => {
|
|
|
+ const result = safeJsonParse('{"key": "val', undefined);
|
|
|
+ expect(result).toBeUndefined();
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should parse valid primitives', () => {
|
|
|
+ expect(safeJsonParse('42', 0)).toBe(42);
|
|
|
+ expect(safeJsonParse('"hello"', '')).toBe('hello');
|
|
|
+ expect(safeJsonParse('true', false)).toBe(true);
|
|
|
+ expect(safeJsonParse('null', 'fallback')).toBeNull();
|
|
|
+ });
|
|
|
+ });
|
|
|
+
|
|
|
+ // ==========================================================================
|
|
|
+ // Input Clamping
|
|
|
+ // ==========================================================================
|
|
|
+
|
|
|
+ describe('clamp', () => {
|
|
|
+ it('should return value when within range', () => {
|
|
|
+ expect(clamp(5, 1, 10)).toBe(5);
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should clamp to minimum', () => {
|
|
|
+ expect(clamp(-5, 1, 10)).toBe(1);
|
|
|
+ expect(clamp(0, 1, 10)).toBe(1);
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should clamp to maximum', () => {
|
|
|
+ expect(clamp(100, 1, 10)).toBe(10);
|
|
|
+ expect(clamp(11, 1, 10)).toBe(10);
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should handle exact boundary values', () => {
|
|
|
+ expect(clamp(1, 1, 10)).toBe(1);
|
|
|
+ expect(clamp(10, 1, 10)).toBe(10);
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should handle negative ranges', () => {
|
|
|
+ expect(clamp(0, -10, -1)).toBe(-1);
|
|
|
+ expect(clamp(-20, -10, -1)).toBe(-10);
|
|
|
+ expect(clamp(-5, -10, -1)).toBe(-5);
|
|
|
+ });
|
|
|
+ });
|
|
|
+
|
|
|
+ // ==========================================================================
|
|
|
+ // File Lock
|
|
|
+ // ==========================================================================
|
|
|
+
|
|
|
+ describe('FileLock', () => {
|
|
|
+ it('should acquire and release a lock', async () => {
|
|
|
+ const lockTarget = path.join(tempDir, 'test.db');
|
|
|
+ const lock = new FileLock(lockTarget);
|
|
|
+
|
|
|
+ const acquired = await lock.acquire();
|
|
|
+ expect(acquired).toBe(true);
|
|
|
+ expect(fs.existsSync(lockTarget + '.lock')).toBe(true);
|
|
|
+
|
|
|
+ lock.release();
|
|
|
+ expect(fs.existsSync(lockTarget + '.lock')).toBe(false);
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should fail to acquire when another lock is held', async () => {
|
|
|
+ const lockTarget = path.join(tempDir, 'test.db');
|
|
|
+ const lock1 = new FileLock(lockTarget);
|
|
|
+ const lock2 = new FileLock(lockTarget);
|
|
|
+
|
|
|
+ const acquired1 = await lock1.acquire();
|
|
|
+ expect(acquired1).toBe(true);
|
|
|
+
|
|
|
+ // Second lock should time out quickly
|
|
|
+ const acquired2 = await lock2.acquire(300);
|
|
|
+ expect(acquired2).toBe(false);
|
|
|
+
|
|
|
+ lock1.release();
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should allow re-acquiring after release', async () => {
|
|
|
+ const lockTarget = path.join(tempDir, 'test.db');
|
|
|
+ const lock = new FileLock(lockTarget);
|
|
|
+
|
|
|
+ const acquired1 = await lock.acquire();
|
|
|
+ expect(acquired1).toBe(true);
|
|
|
+ lock.release();
|
|
|
+
|
|
|
+ const acquired2 = await lock.acquire();
|
|
|
+ expect(acquired2).toBe(true);
|
|
|
+ lock.release();
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should clean up stale locks', async () => {
|
|
|
+ const lockTarget = path.join(tempDir, 'test.db');
|
|
|
+ const lockPath = lockTarget + '.lock';
|
|
|
+
|
|
|
+ // Create a stale lock file manually
|
|
|
+ fs.writeFileSync(lockPath, '99999', { flag: 'wx' });
|
|
|
+ // Set its mtime to 60 seconds ago
|
|
|
+ const pastTime = new Date(Date.now() - 60000);
|
|
|
+ fs.utimesSync(lockPath, pastTime, pastTime);
|
|
|
+
|
|
|
+ const lock = new FileLock(lockTarget);
|
|
|
+ // staleLockMs=1000 means locks older than 1s are considered stale
|
|
|
+ const acquired = await lock.acquire(5000, 1000);
|
|
|
+ expect(acquired).toBe(true);
|
|
|
+
|
|
|
+ lock.release();
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should be safe to call release when not acquired', () => {
|
|
|
+ const lockTarget = path.join(tempDir, 'test.db');
|
|
|
+ const lock = new FileLock(lockTarget);
|
|
|
+
|
|
|
+ // Should not throw
|
|
|
+ expect(() => lock.release()).not.toThrow();
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should be safe to call release multiple times', async () => {
|
|
|
+ const lockTarget = path.join(tempDir, 'test.db');
|
|
|
+ const lock = new FileLock(lockTarget);
|
|
|
+
|
|
|
+ await lock.acquire();
|
|
|
+ lock.release();
|
|
|
+ // Second release should not throw
|
|
|
+ expect(() => lock.release()).not.toThrow();
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should write PID to lock file', async () => {
|
|
|
+ const lockTarget = path.join(tempDir, 'test.db');
|
|
|
+ const lock = new FileLock(lockTarget);
|
|
|
+
|
|
|
+ await lock.acquire();
|
|
|
+ const content = fs.readFileSync(lockTarget + '.lock', 'utf-8');
|
|
|
+ expect(content).toBe(String(process.pid));
|
|
|
+
|
|
|
+ lock.release();
|
|
|
+ });
|
|
|
+ });
|
|
|
+
|
|
|
+ // ==========================================================================
|
|
|
+ // Atomic Config Writes
|
|
|
+ // ==========================================================================
|
|
|
+
|
|
|
+ describe('Atomic Config Writes', () => {
|
|
|
+ it('should not leave .tmp files after save', () => {
|
|
|
+ const configDir = path.join(tempDir, '.codegraph');
|
|
|
+ fs.mkdirSync(configDir, { recursive: true });
|
|
|
+
|
|
|
+ const config = { ...DEFAULT_CONFIG, rootDir: tempDir };
|
|
|
+ saveConfig(tempDir, config);
|
|
|
+
|
|
|
+ const configPath = getConfigPath(tempDir);
|
|
|
+ expect(fs.existsSync(configPath)).toBe(true);
|
|
|
+ expect(fs.existsSync(configPath + '.tmp')).toBe(false);
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should produce valid JSON after atomic save', () => {
|
|
|
+ const configDir = path.join(tempDir, '.codegraph');
|
|
|
+ fs.mkdirSync(configDir, { recursive: true });
|
|
|
+
|
|
|
+ const config = { ...DEFAULT_CONFIG, rootDir: tempDir };
|
|
|
+ saveConfig(tempDir, config);
|
|
|
+
|
|
|
+ const loaded = loadConfig(tempDir);
|
|
|
+ expect(loaded.version).toBe(DEFAULT_CONFIG.version);
|
|
|
+ expect(loaded.enableEmbeddings).toBe(DEFAULT_CONFIG.enableEmbeddings);
|
|
|
+ expect(loaded.rootDir).toBe(tempDir);
|
|
|
+ });
|
|
|
+
|
|
|
+ it('should overwrite existing config atomically', () => {
|
|
|
+ const configDir = path.join(tempDir, '.codegraph');
|
|
|
+ fs.mkdirSync(configDir, { recursive: true });
|
|
|
+
|
|
|
+ // Save initial config
|
|
|
+ const config1 = { ...DEFAULT_CONFIG, rootDir: tempDir, maxFileSize: 100000 };
|
|
|
+ saveConfig(tempDir, config1);
|
|
|
+
|
|
|
+ // Overwrite with new config
|
|
|
+ const config2 = { ...DEFAULT_CONFIG, rootDir: tempDir, maxFileSize: 200000 };
|
|
|
+ saveConfig(tempDir, config2);
|
|
|
+
|
|
|
+ const loaded = loadConfig(tempDir);
|
|
|
+ expect(loaded.maxFileSize).toBe(200000);
|
|
|
+ expect(fs.existsSync(getConfigPath(tempDir) + '.tmp')).toBe(false);
|
|
|
+ });
|
|
|
+ });
|
|
|
+});
|
Colby McHenry