codegraph/__tests__/security.test.ts

/**
 * Security Hardening Tests
 *
 * Tests for path validation, safe JSON parsing, input clamping,
 * file locking, and atomic config writes.
 */

import { describe, it, expect, beforeEach, afterEach } from 'vitest';
import * as fs from 'fs';
import * as path from 'path';
import * as os from 'os';
import { validatePathWithinRoot, safeJsonParse, clamp, FileLock } from '../src/utils';
import { saveConfig, loadConfig, getConfigPath } from '../src/config';
import { DEFAULT_CONFIG } from '../src/types';

// Create a temporary directory for each test
function createTempDir(): string {
  return fs.mkdtempSync(path.join(os.tmpdir(), 'codegraph-security-test-'));
}

// Clean up temporary directory
function cleanupTempDir(dir: string): void {
  if (fs.existsSync(dir)) {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

describe('Security Hardening', () => {
  let tempDir: string;

  beforeEach(() => {
    tempDir = createTempDir();
  });

  afterEach(() => {
    cleanupTempDir(tempDir);
  });

  // ==========================================================================
  // Path Validation
  // ==========================================================================

  describe('validatePathWithinRoot', () => {
    it('should accept paths within the root', () => {
      const result = validatePathWithinRoot(tempDir, 'src/index.ts');
      expect(result).toBe(path.resolve(tempDir, 'src/index.ts'));
    });

    it('should accept nested paths within the root', () => {
      const result = validatePathWithinRoot(tempDir, 'src/db/queries.ts');
      expect(result).toBe(path.resolve(tempDir, 'src/db/queries.ts'));
    });

    it('should reject paths that traverse above the root', () => {
      const result = validatePathWithinRoot(tempDir, '../../etc/passwd');
      expect(result).toBeNull();
    });

    it('should reject paths with embedded traversal', () => {
      const result = validatePathWithinRoot(tempDir, 'src/../../etc/passwd');
      expect(result).toBeNull();
    });

    it('should accept the root directory itself', () => {
      const result = validatePathWithinRoot(tempDir, '.');
      expect(result).toBe(path.resolve(tempDir));
    });

    it('should reject absolute paths outside the root', () => {
      const outsidePath = path.resolve(tempDir, '..', 'outside-file.txt');
      const result = validatePathWithinRoot(tempDir, outsidePath);
      expect(result).toBeNull();
    });

    it('should accept absolute paths within the root', () => {
      const insidePath = path.join(tempDir, 'src', 'file.ts');
      const result = validatePathWithinRoot(tempDir, insidePath);
      expect(result).toBe(insidePath);
    });
  });

  // ==========================================================================
  // Safe JSON Parsing
  // ==========================================================================

  describe('safeJsonParse', () => {
    it('should parse valid JSON', () => {
      const result = safeJsonParse('{"key": "value"}', {});
      expect(result).toEqual({ key: 'value' });
    });

    it('should parse valid JSON arrays', () => {
      const result = safeJsonParse('["a", "b", "c"]', []);
      expect(result).toEqual(['a', 'b', 'c']);
    });

    it('should return fallback for invalid JSON', () => {
      const result = safeJsonParse('not valid json{{{', { default: true });
      expect(result).toEqual({ default: true });
    });

    it('should return fallback for empty string', () => {
      const result = safeJsonParse('', []);
      expect(result).toEqual([]);
    });

    it('should return fallback for truncated JSON', () => {
      const result = safeJsonParse('{"key": "val', undefined);
      expect(result).toBeUndefined();
    });

    it('should parse valid primitives', () => {
      expect(safeJsonParse('42', 0)).toBe(42);
      expect(safeJsonParse('"hello"', '')).toBe('hello');
      expect(safeJsonParse('true', false)).toBe(true);
      expect(safeJsonParse('null', 'fallback')).toBeNull();
    });
  });

  // ==========================================================================
  // Input Clamping
  // ==========================================================================

  describe('clamp', () => {
    it('should return value when within range', () => {
      expect(clamp(5, 1, 10)).toBe(5);
    });

    it('should clamp to minimum', () => {
      expect(clamp(-5, 1, 10)).toBe(1);
      expect(clamp(0, 1, 10)).toBe(1);
    });

    it('should clamp to maximum', () => {
      expect(clamp(100, 1, 10)).toBe(10);
      expect(clamp(11, 1, 10)).toBe(10);
    });

    it('should handle exact boundary values', () => {
      expect(clamp(1, 1, 10)).toBe(1);
      expect(clamp(10, 1, 10)).toBe(10);
    });

    it('should handle negative ranges', () => {
      expect(clamp(0, -10, -1)).toBe(-1);
      expect(clamp(-20, -10, -1)).toBe(-10);
      expect(clamp(-5, -10, -1)).toBe(-5);
    });
  });

  // ==========================================================================
  // File Lock
  // ==========================================================================

  describe('FileLock', () => {
    it('should acquire and release a lock', async () => {
      const lockTarget = path.join(tempDir, 'test.db');
      const lock = new FileLock(lockTarget);

      const acquired = await lock.acquire();
      expect(acquired).toBe(true);
      expect(fs.existsSync(lockTarget + '.lock')).toBe(true);

      lock.release();
      expect(fs.existsSync(lockTarget + '.lock')).toBe(false);
    });

    it('should fail to acquire when another lock is held', async () => {
      const lockTarget = path.join(tempDir, 'test.db');
      const lock1 = new FileLock(lockTarget);
      const lock2 = new FileLock(lockTarget);

      const acquired1 = await lock1.acquire();
      expect(acquired1).toBe(true);

      // Second lock should time out quickly
      const acquired2 = await lock2.acquire(300);
      expect(acquired2).toBe(false);

      lock1.release();
    });

    it('should allow re-acquiring after release', async () => {
      const lockTarget = path.join(tempDir, 'test.db');
      const lock = new FileLock(lockTarget);

      const acquired1 = await lock.acquire();
      expect(acquired1).toBe(true);
      lock.release();

      const acquired2 = await lock.acquire();
      expect(acquired2).toBe(true);
      lock.release();
    });

    it('should clean up stale locks', async () => {
      const lockTarget = path.join(tempDir, 'test.db');
      const lockPath = lockTarget + '.lock';

      // Create a stale lock file manually
      fs.writeFileSync(lockPath, '99999', { flag: 'wx' });
      // Set its mtime to 60 seconds ago
      const pastTime = new Date(Date.now() - 60000);
      fs.utimesSync(lockPath, pastTime, pastTime);

      const lock = new FileLock(lockTarget);
      // staleLockMs=1000 means locks older than 1s are considered stale
      const acquired = await lock.acquire(5000, 1000);
      expect(acquired).toBe(true);

      lock.release();
    });

    it('should be safe to call release when not acquired', () => {
      const lockTarget = path.join(tempDir, 'test.db');
      const lock = new FileLock(lockTarget);

      // Should not throw
      expect(() => lock.release()).not.toThrow();
    });

    it('should be safe to call release multiple times', async () => {
      const lockTarget = path.join(tempDir, 'test.db');
      const lock = new FileLock(lockTarget);

      await lock.acquire();
      lock.release();
      // Second release should not throw
      expect(() => lock.release()).not.toThrow();
    });

    it('should write PID to lock file', async () => {
      const lockTarget = path.join(tempDir, 'test.db');
      const lock = new FileLock(lockTarget);

      await lock.acquire();
      const content = fs.readFileSync(lockTarget + '.lock', 'utf-8');
      expect(content).toBe(String(process.pid));

      lock.release();
    });
  });

  // ==========================================================================
  // Atomic Config Writes
  // ==========================================================================

  describe('Atomic Config Writes', () => {
    it('should not leave .tmp files after save', () => {
      const configDir = path.join(tempDir, '.codegraph');
      fs.mkdirSync(configDir, { recursive: true });

      const config = { ...DEFAULT_CONFIG, rootDir: tempDir };
      saveConfig(tempDir, config);

      const configPath = getConfigPath(tempDir);
      expect(fs.existsSync(configPath)).toBe(true);
      expect(fs.existsSync(configPath + '.tmp')).toBe(false);
    });

    it('should produce valid JSON after atomic save', () => {
      const configDir = path.join(tempDir, '.codegraph');
      fs.mkdirSync(configDir, { recursive: true });

      const config = { ...DEFAULT_CONFIG, rootDir: tempDir };
      saveConfig(tempDir, config);

      const loaded = loadConfig(tempDir);
      expect(loaded.version).toBe(DEFAULT_CONFIG.version);
      expect(loaded.enableEmbeddings).toBe(DEFAULT_CONFIG.enableEmbeddings);
      expect(loaded.rootDir).toBe(tempDir);
    });

    it('should overwrite existing config atomically', () => {
      const configDir = path.join(tempDir, '.codegraph');
      fs.mkdirSync(configDir, { recursive: true });

      // Save initial config
      const config1 = { ...DEFAULT_CONFIG, rootDir: tempDir, maxFileSize: 100000 };
      saveConfig(tempDir, config1);

      // Overwrite with new config
      const config2 = { ...DEFAULT_CONFIG, rootDir: tempDir, maxFileSize: 200000 };
      saveConfig(tempDir, config2);

      const loaded = loadConfig(tempDir);
      expect(loaded.maxFileSize).toBe(200000);
      expect(fs.existsSync(getConfigPath(tempDir) + '.tmp')).toBe(false);
    });
  });
});