chore: import upstream snapshot with attribution
This commit is contained in:
Executable
+67
@@ -0,0 +1,67 @@
|
||||
#!/usr/bin/env bash
|
||||
# Regression guard: scripts/security-strings.sh must allow-list the MSYS2/MinGW
|
||||
# toolchain URL that the CLANG64 toolchain embeds into the static Windows binary
|
||||
# (https://github.com/msys2/MINGW-packages).
|
||||
#
|
||||
# Reproduces the smoke-windows dry-run failure:
|
||||
# BLOCKED: Unauthorized URL in binary: https://github.com/msys2/MINGW-packages
|
||||
# === BINARY STRING AUDIT FAILED ===
|
||||
#
|
||||
# Root cause: the URL audit's hardcoded ALLOWED_URLS list did not include the
|
||||
# MSYS2 package-tracker URL. That URL is a toolchain artifact, analogous to the
|
||||
# gcc.gnu.org / sourceware.org / bugs.launchpad.net entries already allow-listed,
|
||||
# and only appears in the Windows (.exe) build — hence Linux smoke stayed green.
|
||||
#
|
||||
# The negative-control case proves the fix does not weaken the audit: a genuinely
|
||||
# unauthorized URL must still be BLOCKED.
|
||||
set -euo pipefail
|
||||
|
||||
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||
SCRIPT="$ROOT/scripts/security-strings.sh"
|
||||
|
||||
TMP="$(mktemp -d)"
|
||||
trap 'rm -rf "$TMP"' EXIT
|
||||
|
||||
# Build a fixture that `file` classifies as binary "data" (NOT text/script), so
|
||||
# security-strings.sh runs the URL audit (it intentionally skips the URL audit
|
||||
# for script/text files). Leading non-printable bytes + NUL separators => data.
|
||||
make_fixture() {
|
||||
local out="$1"; shift
|
||||
printf '\x00\x01\x02\x03\x04\x05\x06\x07\xff\xfe\xfd\xfc' > "$out"
|
||||
local s
|
||||
for s in "$@"; do
|
||||
printf '%s\x00' "$s" >> "$out"
|
||||
done
|
||||
printf '\x00\x00\x00\x00\xff\xff\xff\xff' >> "$out"
|
||||
}
|
||||
|
||||
PASS=0
|
||||
FAIL=0
|
||||
|
||||
# ── Case 1 (the bug): toolchain URL present => audit MUST pass (exit 0) ──
|
||||
GOOD="$TMP/good.bin"
|
||||
make_fixture "$GOOD" \
|
||||
"https://github.com/DeusData/codebase-memory-mcp" \
|
||||
"https://github.com/msys2/MINGW-packages"
|
||||
if bash "$SCRIPT" "$GOOD" >/dev/null 2>&1; then
|
||||
echo "PASS: MSYS2 toolchain URL https://github.com/msys2/MINGW-packages is allow-listed"
|
||||
PASS=$((PASS + 1))
|
||||
else
|
||||
echo "FAIL: security-strings.sh blocked the MSYS2 toolchain URL (regression)"
|
||||
bash "$SCRIPT" "$GOOD" 2>&1 | grep -i "BLOCKED" || true
|
||||
FAIL=$((FAIL + 1))
|
||||
fi
|
||||
|
||||
# ── Case 2 (negative control): unauthorized URL MUST still be blocked ──
|
||||
BAD="$TMP/bad.bin"
|
||||
make_fixture "$BAD" "https://evil.example.com/exfil-payload-endpoint"
|
||||
if bash "$SCRIPT" "$BAD" >/dev/null 2>&1; then
|
||||
echo "FAIL: unauthorized URL https://evil.example.com was NOT blocked (audit weakened)"
|
||||
FAIL=$((FAIL + 1))
|
||||
else
|
||||
echo "PASS: unauthorized URL https://evil.example.com still blocked"
|
||||
PASS=$((PASS + 1))
|
||||
fi
|
||||
|
||||
echo "=== security-strings allow-list test: $PASS passed, $FAIL failed ==="
|
||||
[ "$FAIL" -eq 0 ]
|
||||
Reference in New Issue
Block a user