import test from "node:test"; import assert from "node:assert/strict"; import { encodeSelectedImageBody, encodeAgentRunRequest, type EncodedImage, } from "../../open-sse/utils/cursorAgentProtobuf"; import dns from "node:dns"; import { resolveCursorImages, extractImageUrls, assertResolvedAddressesPublic, CursorImageError, MAX_CURSOR_IMAGE_BYTES, MAX_CURSOR_IMAGES, } from "../../open-sse/utils/cursorImages"; import { CursorExecutor } from "../../open-sse/executors/cursor"; // A public IP for mocking DNS so the redirect tests (which use non-resolvable // example hostnames) pass the DNS-rebinding gate. const PUBLIC_IP = [{ address: "93.184.216.34", family: 4 }]; // ─── Minimal protobuf field walker (test-only) ────────────────────────────── // Mirrors the production decoder enough to assert field layout without exposing // the internal decodeFields helper. type WalkField = | { fn: number; wt: 0; varint: bigint } | { fn: number; wt: 2; bytes: Buffer }; function walk(buf: Buffer): WalkField[] { const out: WalkField[] = []; let pos = 0; const varint = (): bigint => { let r = 0n; let s = 0n; for (;;) { const b = buf[pos++]; r |= BigInt(b & 0x7f) << s; if (!(b & 0x80)) break; s += 7n; } return r; }; while (pos < buf.length) { const tag = varint(); const fn = Number(tag >> 3n); const wt = Number(tag & 7n); if (wt === 0) { out.push({ fn, wt: 0, varint: varint() }); } else if (wt === 2) { const len = Number(varint()); out.push({ fn, wt: 2, bytes: buf.subarray(pos, pos + len) }); pos += len; } else if (wt === 5) { pos += 4; } else if (wt === 1) { pos += 8; } else { throw new Error(`bad wireType ${wt}`); } } return out; } const find = (fields: WalkField[], fn: number) => fields.find((f) => f.fn === fn); const lenBytes = (fields: WalkField[], fn: number): Buffer => { const f = find(fields, fn); assert.ok(f && f.wt === 2, `expected len field ${fn}`); return Buffer.from((f as { bytes: Buffer }).bytes); }; // Navigate AgentClientMessage(1) -> AgentRunRequest -> action(2) -> // ConversationAction -> user_message_action(1) -> UserMessageAction -> // user_message(1) -> UserMessage. function navUserMessage(req: Buffer): WalkField[] { const acm = walk(req); const arr = walk(lenBytes(acm, 1)); const action = walk(lenBytes(arr, 2)); const uma = walk(lenBytes(action, 1)); return walk(lenBytes(uma, 1)); } // ─── encodeSelectedImageBody field layout ─────────────────────────────────── test("encodeSelectedImageBody emits uuid(2), dimension(4), mime_type(7), data(8)", () => { const data = Buffer.from([1, 2, 3, 4, 5]); const body = encodeSelectedImageBody({ data, mimeType: "image/png", width: 10, height: 20, uuid: "abc-123", }); const fields = walk(body); assert.equal(lenBytes(fields, 2).toString("utf8"), "abc-123"); // uuid const dim = walk(lenBytes(fields, 4)); // dimension submessage assert.equal(Number((find(dim, 1) as { varint: bigint }).varint), 10); // width assert.equal(Number((find(dim, 2) as { varint: bigint }).varint), 20); // height assert.equal(lenBytes(fields, 7).toString("utf8"), "image/png"); // mime_type assert.deepEqual(lenBytes(fields, 8), data); // inline data (oneof case) }); test("encodeSelectedImageBody omits dimension/mime_type when not provided", () => { const body = encodeSelectedImageBody({ data: Buffer.from([9]), uuid: "u" }); const fields = walk(body); assert.equal(find(fields, 4), undefined, "no dimension"); assert.equal(find(fields, 7), undefined, "no mime_type"); assert.ok(find(fields, 2), "uuid present"); assert.deepEqual(lenBytes(fields, 8), Buffer.from([9]), "data present"); }); test("encodeSelectedImageBody omits dimension when width/height are invalid", () => { const body = encodeSelectedImageBody({ data: Buffer.from([1]), uuid: "u", width: 0, height: -5, }); assert.equal(find(walk(body), 4), undefined, "zero/negative dims dropped"); }); // ─── No-image path is byte-identical to today ─────────────────────────────── test("no-image request is byte-identical to images:undefined and images:[]", () => { const base = { modelId: "auto", userText: "hello world", conversationId: "fixed-conv", messageId: "fixed-msg", }; const plain = encodeAgentRunRequest({ ...base }); const undef = encodeAgentRunRequest({ ...base, images: undefined }); const empty = encodeAgentRunRequest({ ...base, images: [] }); assert.ok(plain.equals(undef), "images:undefined matches no images"); assert.ok(plain.equals(empty), "images:[] matches no images"); // And selected_context (field 3) is present but empty in the no-image case. const um = navUserMessage(plain); const sc = find(um, 3); assert.ok(sc && sc.wt === 2, "selected_context present"); assert.equal((sc as { bytes: Buffer }).bytes.length, 0, "selected_context empty"); }); // ─── Images attach under UserMessage.selected_context.selected_images ──────── test("images attach as selected_context.selected_images[] with inline data", () => { const imgs: EncodedImage[] = [ { data: Buffer.from([0xaa, 0xbb]), mimeType: "image/png", uuid: "u1" }, { data: Buffer.from([0xcc]), mimeType: "image/jpeg", uuid: "u2" }, ]; const req = encodeAgentRunRequest({ modelId: "gpt-5.2", userText: "what colors?", conversationId: "c", messageId: "m", images: imgs, }); const um = navUserMessage(req); const sc = walk(lenBytes(um, 3)); // SelectedContext const selectedImages = sc.filter((f) => f.fn === 1 && f.wt === 2); assert.equal(selectedImages.length, 2, "two selected_images entries"); const first = walk(Buffer.from((selectedImages[0] as { bytes: Buffer }).bytes)); assert.equal(lenBytes(first, 2).toString("utf8"), "u1"); assert.equal(lenBytes(first, 7).toString("utf8"), "image/png"); assert.deepEqual(lenBytes(first, 8), Buffer.from([0xaa, 0xbb])); const second = walk(Buffer.from((selectedImages[1] as { bytes: Buffer }).bytes)); assert.deepEqual(lenBytes(second, 8), Buffer.from([0xcc])); // UserMessage.text (field 1) still carries the prompt text alongside images. assert.equal(lenBytes(um, 1).toString("utf8"), "what colors?"); }); // ─── extractImageUrls ─────────────────────────────────────────────────────── test("extractImageUrls pulls urls from object and string image_url parts", () => { assert.deepEqual( extractImageUrls([ { type: "text", text: "hi" }, { type: "image_url", image_url: { url: "data:image/png;base64,AA" } }, { type: "image_url", image_url: "https://x.test/y.png" }, { type: "image_url", image_url: { detail: "high" } }, // no url -> ignored ]), ["data:image/png;base64,AA", "https://x.test/y.png"] ); assert.deepEqual(extractImageUrls("plain string content"), []); assert.deepEqual(extractImageUrls(null), []); }); // ─── resolveCursorImages: happy path ──────────────────────────────────────── test("resolveCursorImages decodes a valid base64 data URI", async () => { const png = Buffer.from([137, 80, 78, 71, 13, 10, 26, 10]); const out = await resolveCursorImages([`data:image/png;base64,${png.toString("base64")}`]); assert.equal(out.length, 1); assert.deepEqual(out[0].data, png); assert.equal(out[0].mimeType, "image/png"); assert.ok(out[0].uuid && out[0].uuid.length > 0); }); // ─── resolveCursorImages: rejections (all CursorImageError, all sanitized) ─── test("resolveCursorImages rejects a non-image data URI", async () => { await assert.rejects( () => resolveCursorImages(["data:text/plain;base64,aGVsbG8="]), (e) => e instanceof CursorImageError ); }); test("resolveCursorImages rejects invalid base64", async () => { await assert.rejects( () => resolveCursorImages(["data:image/png;base64,@@@@"]), (e) => e instanceof CursorImageError ); }); test("resolveCursorImages rejects a non-base64 data URI", async () => { await assert.rejects( () => resolveCursorImages(["data:image/png,not-base64-payload"]), (e) => e instanceof CursorImageError ); }); test("resolveCursorImages rejects an oversized image (>1 MiB)", async () => { const big = Buffer.alloc(MAX_CURSOR_IMAGE_BYTES + 16).toString("base64"); await assert.rejects( () => resolveCursorImages([`data:image/png;base64,${big}`]), (e) => e instanceof CursorImageError ); }); test("resolveCursorImages blocks SSRF targets (localhost, link-local, file://)", async () => { for (const url of [ "http://127.0.0.1/x.png", "http://localhost:8080/x.png", "http://169.254.169.254/latest/meta-data/", "http://[::1]/x.png", "http://10.0.0.5/x.png", "file:///etc/passwd", ]) { await assert.rejects( () => resolveCursorImages([url]), (e) => e instanceof CursorImageError, `expected ${url} to be blocked` ); } }); test("resolveCursorImages rejects too many images", async () => { const one = "data:image/png;base64,AAAA"; await assert.rejects( () => resolveCursorImages(Array.from({ length: MAX_CURSOR_IMAGES + 1 }, () => one)), (e) => e instanceof CursorImageError ); }); test("resolveCursorImages accepts an uppercase DATA: scheme (RFC 2397 case-insensitive)", async () => { const png = Buffer.from([137, 80, 78, 71]); const out = await resolveCursorImages([`DATA:image/png;base64,${png.toString("base64")}`]); assert.equal(out.length, 1); assert.deepEqual(out[0].data, png); assert.equal(out[0].mimeType, "image/png"); }); test("assertResolvedAddressesPublic blocks private/metadata IPs, allows public", () => { for (const ip of ["127.0.0.1", "10.0.0.1", "169.254.169.254", "192.168.1.1", "::1", "fd00::1"]) { assert.throws(() => assertResolvedAddressesPublic([ip]), CursorImageError, `should block ${ip}`); } assert.doesNotThrow(() => assertResolvedAddressesPublic(["93.184.216.34", "1.1.1.1"])); // A single private answer among public ones still blocks (DNS-rebinding). assert.throws(() => assertResolvedAddressesPublic(["8.8.8.8", "127.0.0.1"]), CursorImageError); }); test("resolveCursorImages blocks DNS rebinding (public host resolving to a private IP)", async (t) => { t.mock.method(dns.promises, "lookup", async () => [{ address: "127.0.0.1", family: 4 }]); const realFetch = globalThis.fetch; // fetch should never be reached — the DNS gate blocks first. globalThis.fetch = async () => { throw new Error("fetch must not run for a rebinding host"); }; try { await assert.rejects( () => resolveCursorImages(["https://rebind.attacker.example/a.png"]), (e) => e instanceof CursorImageError && /blocked address/i.test((e as Error).message) ); } finally { globalThis.fetch = realFetch; } }); test("resolveCursorImages re-validates redirects: a 30x to a private host is blocked (SSRF)", async (t) => { // fetch() follows redirects by default; the resolver uses redirect:"manual" // and re-validates each hop. A public URL that 302s to 127.0.0.1 must be // blocked, not followed. t.mock.method(dns.promises, "lookup", async () => PUBLIC_IP); const realFetch = globalThis.fetch; globalThis.fetch = async () => new Response(null, { status: 302, headers: { location: "http://127.0.0.1/secret.png" } }); try { await assert.rejects( () => resolveCursorImages(["https://public.example/a.png"]), (e) => e instanceof CursorImageError && /blocked address/i.test((e as Error).message) ); } finally { globalThis.fetch = realFetch; } }); test("resolveCursorImages follows a redirect to another public host and reads the image", async (t) => { t.mock.method(dns.promises, "lookup", async () => PUBLIC_IP); const png = Buffer.from([137, 80, 78, 71, 13, 10, 26, 10]); const realFetch = globalThis.fetch; let call = 0; globalThis.fetch = async () => { call++; if (call === 1) { return new Response(null, { status: 302, headers: { location: "https://cdn.public.example/a.png" }, }); } return new Response(new Uint8Array(png), { status: 200, headers: { "content-type": "image/png" }, }); }; try { const out = await resolveCursorImages(["https://public.example/a.png"]); assert.equal(out.length, 1); assert.deepEqual(out[0].data, png); assert.equal(out[0].mimeType, "image/png"); } finally { globalThis.fetch = realFetch; } }); test("resolveCursorImages rejects an over-long redirect chain", async (t) => { t.mock.method(dns.promises, "lookup", async () => PUBLIC_IP); const realFetch = globalThis.fetch; globalThis.fetch = async () => new Response(null, { status: 302, headers: { location: "https://public.example/loop.png" }, }); try { await assert.rejects( () => resolveCursorImages(["https://public.example/start.png"]), (e) => e instanceof CursorImageError && /too many redirects/i.test((e as Error).message) ); } finally { globalThis.fetch = realFetch; } }); // ─── Executor-level error body (response path, hard rule #12) ─────────────── test("executor returns a sanitized 400 for an oversized image", async () => { // buildRequest throws CursorImageError before any network/session/DB work, // so this stays fully offline (no token needed). const exec = new CursorExecutor(); const big = Buffer.alloc(MAX_CURSOR_IMAGE_BYTES + 16).toString("base64"); const result = await exec.execute({ model: "gpt-5.2", body: { messages: [ { role: "user", content: [ { type: "text", text: "what color?" }, { type: "image_url", image_url: { url: `data:image/png;base64,${big}` } }, ], }, ], }, stream: false, credentials: { accessToken: "test-token" }, signal: undefined, log: () => {}, upstreamExtraHeaders: undefined, }); assert.equal(result.response.status, 400); const body = await result.response.json(); assert.ok(body.error, "error envelope present"); assert.match(body.error.message, /too large/i); // No stack-trace / source-path leakage in the response body (hard rule #12). assert.ok(!body.error.message.includes("at /"), "no stack frame in error body"); assert.ok(!/\/(root|home|usr)\//.test(body.error.message), "no absolute path in error body"); }); test("executor returns a sanitized 400 for an SSRF-blocked image URL", async () => { const exec = new CursorExecutor(); const result = await exec.execute({ model: "gpt-5.2", body: { messages: [ { role: "user", content: [ { type: "text", text: "what color?" }, { type: "image_url", image_url: { url: "http://169.254.169.254/latest/" } }, ], }, ], }, stream: false, credentials: { accessToken: "test-token" }, signal: undefined, log: () => {}, upstreamExtraHeaders: undefined, }); assert.equal(result.response.status, 400); const body = await result.response.json(); assert.ok(!body.error.message.includes("at /"), "no stack frame in error body"); }); test("CursorImageError messages never leak stack traces or paths", async () => { // Every rejection message must be a clean human string (no "at /" frames, // no absolute paths) so the executor's sanitized 400 body stays clean // (hard rule #12). const triggers = [ "data:text/plain;base64,aGVsbG8=", "data:image/png;base64,@@@@", "http://127.0.0.1/x.png", "file:///etc/passwd", ]; for (const url of triggers) { await resolveCursorImages([url]).then( () => assert.fail(`expected rejection for ${url}`), (e) => { assert.ok(e instanceof CursorImageError); assert.ok(!/\bat \//.test(e.message), `no stack frame in: ${e.message}`); assert.ok(!/\/(root|home|usr)\//.test(e.message), `no abs path in: ${e.message}`); } ); } });