68 lines
2.6 KiB
Bash
Executable File
68 lines
2.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Regression guard: scripts/security-strings.sh must allow-list the MSYS2/MinGW
|
|
# toolchain URL that the CLANG64 toolchain embeds into the static Windows binary
|
|
# (https://github.com/msys2/MINGW-packages).
|
|
#
|
|
# Reproduces the smoke-windows dry-run failure:
|
|
# BLOCKED: Unauthorized URL in binary: https://github.com/msys2/MINGW-packages
|
|
# === BINARY STRING AUDIT FAILED ===
|
|
#
|
|
# Root cause: the URL audit's hardcoded ALLOWED_URLS list did not include the
|
|
# MSYS2 package-tracker URL. That URL is a toolchain artifact, analogous to the
|
|
# gcc.gnu.org / sourceware.org / bugs.launchpad.net entries already allow-listed,
|
|
# and only appears in the Windows (.exe) build — hence Linux smoke stayed green.
|
|
#
|
|
# The negative-control case proves the fix does not weaken the audit: a genuinely
|
|
# unauthorized URL must still be BLOCKED.
|
|
set -euo pipefail
|
|
|
|
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
SCRIPT="$ROOT/scripts/security-strings.sh"
|
|
|
|
TMP="$(mktemp -d)"
|
|
trap 'rm -rf "$TMP"' EXIT
|
|
|
|
# Build a fixture that `file` classifies as binary "data" (NOT text/script), so
|
|
# security-strings.sh runs the URL audit (it intentionally skips the URL audit
|
|
# for script/text files). Leading non-printable bytes + NUL separators => data.
|
|
make_fixture() {
|
|
local out="$1"; shift
|
|
printf '\x00\x01\x02\x03\x04\x05\x06\x07\xff\xfe\xfd\xfc' > "$out"
|
|
local s
|
|
for s in "$@"; do
|
|
printf '%s\x00' "$s" >> "$out"
|
|
done
|
|
printf '\x00\x00\x00\x00\xff\xff\xff\xff' >> "$out"
|
|
}
|
|
|
|
PASS=0
|
|
FAIL=0
|
|
|
|
# ── Case 1 (the bug): toolchain URL present => audit MUST pass (exit 0) ──
|
|
GOOD="$TMP/good.bin"
|
|
make_fixture "$GOOD" \
|
|
"https://github.com/DeusData/codebase-memory-mcp" \
|
|
"https://github.com/msys2/MINGW-packages"
|
|
if bash "$SCRIPT" "$GOOD" >/dev/null 2>&1; then
|
|
echo "PASS: MSYS2 toolchain URL https://github.com/msys2/MINGW-packages is allow-listed"
|
|
PASS=$((PASS + 1))
|
|
else
|
|
echo "FAIL: security-strings.sh blocked the MSYS2 toolchain URL (regression)"
|
|
bash "$SCRIPT" "$GOOD" 2>&1 | grep -i "BLOCKED" || true
|
|
FAIL=$((FAIL + 1))
|
|
fi
|
|
|
|
# ── Case 2 (negative control): unauthorized URL MUST still be blocked ──
|
|
BAD="$TMP/bad.bin"
|
|
make_fixture "$BAD" "https://evil.example.com/exfil-payload-endpoint"
|
|
if bash "$SCRIPT" "$BAD" >/dev/null 2>&1; then
|
|
echo "FAIL: unauthorized URL https://evil.example.com was NOT blocked (audit weakened)"
|
|
FAIL=$((FAIL + 1))
|
|
else
|
|
echo "PASS: unauthorized URL https://evil.example.com still blocked"
|
|
PASS=$((PASS + 1))
|
|
fi
|
|
|
|
echo "=== security-strings allow-list test: $PASS passed, $FAIL failed ==="
|
|
[ "$FAIL" -eq 0 ]
|