438 lines
16 KiB
TypeScript
438 lines
16 KiB
TypeScript
import test from "node:test";
|
|
import assert from "node:assert/strict";
|
|
import {
|
|
encodeSelectedImageBody,
|
|
encodeAgentRunRequest,
|
|
type EncodedImage,
|
|
} from "../../open-sse/utils/cursorAgentProtobuf";
|
|
import dns from "node:dns";
|
|
import {
|
|
resolveCursorImages,
|
|
extractImageUrls,
|
|
assertResolvedAddressesPublic,
|
|
CursorImageError,
|
|
MAX_CURSOR_IMAGE_BYTES,
|
|
MAX_CURSOR_IMAGES,
|
|
} from "../../open-sse/utils/cursorImages";
|
|
import { CursorExecutor } from "../../open-sse/executors/cursor";
|
|
|
|
// A public IP for mocking DNS so the redirect tests (which use non-resolvable
|
|
// example hostnames) pass the DNS-rebinding gate.
|
|
const PUBLIC_IP = [{ address: "93.184.216.34", family: 4 }];
|
|
|
|
// ─── Minimal protobuf field walker (test-only) ──────────────────────────────
|
|
// Mirrors the production decoder enough to assert field layout without exposing
|
|
// the internal decodeFields helper.
|
|
type WalkField =
|
|
| { fn: number; wt: 0; varint: bigint }
|
|
| { fn: number; wt: 2; bytes: Buffer };
|
|
|
|
function walk(buf: Buffer): WalkField[] {
|
|
const out: WalkField[] = [];
|
|
let pos = 0;
|
|
const varint = (): bigint => {
|
|
let r = 0n;
|
|
let s = 0n;
|
|
for (;;) {
|
|
const b = buf[pos++];
|
|
r |= BigInt(b & 0x7f) << s;
|
|
if (!(b & 0x80)) break;
|
|
s += 7n;
|
|
}
|
|
return r;
|
|
};
|
|
while (pos < buf.length) {
|
|
const tag = varint();
|
|
const fn = Number(tag >> 3n);
|
|
const wt = Number(tag & 7n);
|
|
if (wt === 0) {
|
|
out.push({ fn, wt: 0, varint: varint() });
|
|
} else if (wt === 2) {
|
|
const len = Number(varint());
|
|
out.push({ fn, wt: 2, bytes: buf.subarray(pos, pos + len) });
|
|
pos += len;
|
|
} else if (wt === 5) {
|
|
pos += 4;
|
|
} else if (wt === 1) {
|
|
pos += 8;
|
|
} else {
|
|
throw new Error(`bad wireType ${wt}`);
|
|
}
|
|
}
|
|
return out;
|
|
}
|
|
const find = (fields: WalkField[], fn: number) => fields.find((f) => f.fn === fn);
|
|
const lenBytes = (fields: WalkField[], fn: number): Buffer => {
|
|
const f = find(fields, fn);
|
|
assert.ok(f && f.wt === 2, `expected len field ${fn}`);
|
|
return Buffer.from((f as { bytes: Buffer }).bytes);
|
|
};
|
|
|
|
// Navigate AgentClientMessage(1) -> AgentRunRequest -> action(2) ->
|
|
// ConversationAction -> user_message_action(1) -> UserMessageAction ->
|
|
// user_message(1) -> UserMessage.
|
|
function navUserMessage(req: Buffer): WalkField[] {
|
|
const acm = walk(req);
|
|
const arr = walk(lenBytes(acm, 1));
|
|
const action = walk(lenBytes(arr, 2));
|
|
const uma = walk(lenBytes(action, 1));
|
|
return walk(lenBytes(uma, 1));
|
|
}
|
|
|
|
// ─── encodeSelectedImageBody field layout ───────────────────────────────────
|
|
|
|
test("encodeSelectedImageBody emits uuid(2), dimension(4), mime_type(7), data(8)", () => {
|
|
const data = Buffer.from([1, 2, 3, 4, 5]);
|
|
const body = encodeSelectedImageBody({
|
|
data,
|
|
mimeType: "image/png",
|
|
width: 10,
|
|
height: 20,
|
|
uuid: "abc-123",
|
|
});
|
|
const fields = walk(body);
|
|
|
|
assert.equal(lenBytes(fields, 2).toString("utf8"), "abc-123"); // uuid
|
|
const dim = walk(lenBytes(fields, 4)); // dimension submessage
|
|
assert.equal(Number((find(dim, 1) as { varint: bigint }).varint), 10); // width
|
|
assert.equal(Number((find(dim, 2) as { varint: bigint }).varint), 20); // height
|
|
assert.equal(lenBytes(fields, 7).toString("utf8"), "image/png"); // mime_type
|
|
assert.deepEqual(lenBytes(fields, 8), data); // inline data (oneof case)
|
|
});
|
|
|
|
test("encodeSelectedImageBody omits dimension/mime_type when not provided", () => {
|
|
const body = encodeSelectedImageBody({ data: Buffer.from([9]), uuid: "u" });
|
|
const fields = walk(body);
|
|
assert.equal(find(fields, 4), undefined, "no dimension");
|
|
assert.equal(find(fields, 7), undefined, "no mime_type");
|
|
assert.ok(find(fields, 2), "uuid present");
|
|
assert.deepEqual(lenBytes(fields, 8), Buffer.from([9]), "data present");
|
|
});
|
|
|
|
test("encodeSelectedImageBody omits dimension when width/height are invalid", () => {
|
|
const body = encodeSelectedImageBody({
|
|
data: Buffer.from([1]),
|
|
uuid: "u",
|
|
width: 0,
|
|
height: -5,
|
|
});
|
|
assert.equal(find(walk(body), 4), undefined, "zero/negative dims dropped");
|
|
});
|
|
|
|
// ─── No-image path is byte-identical to today ───────────────────────────────
|
|
|
|
test("no-image request is byte-identical to images:undefined and images:[]", () => {
|
|
const base = {
|
|
modelId: "auto",
|
|
userText: "hello world",
|
|
conversationId: "fixed-conv",
|
|
messageId: "fixed-msg",
|
|
};
|
|
const plain = encodeAgentRunRequest({ ...base });
|
|
const undef = encodeAgentRunRequest({ ...base, images: undefined });
|
|
const empty = encodeAgentRunRequest({ ...base, images: [] });
|
|
assert.ok(plain.equals(undef), "images:undefined matches no images");
|
|
assert.ok(plain.equals(empty), "images:[] matches no images");
|
|
|
|
// And selected_context (field 3) is present but empty in the no-image case.
|
|
const um = navUserMessage(plain);
|
|
const sc = find(um, 3);
|
|
assert.ok(sc && sc.wt === 2, "selected_context present");
|
|
assert.equal((sc as { bytes: Buffer }).bytes.length, 0, "selected_context empty");
|
|
});
|
|
|
|
// ─── Images attach under UserMessage.selected_context.selected_images ────────
|
|
|
|
test("images attach as selected_context.selected_images[] with inline data", () => {
|
|
const imgs: EncodedImage[] = [
|
|
{ data: Buffer.from([0xaa, 0xbb]), mimeType: "image/png", uuid: "u1" },
|
|
{ data: Buffer.from([0xcc]), mimeType: "image/jpeg", uuid: "u2" },
|
|
];
|
|
const req = encodeAgentRunRequest({
|
|
modelId: "gpt-5.2",
|
|
userText: "what colors?",
|
|
conversationId: "c",
|
|
messageId: "m",
|
|
images: imgs,
|
|
});
|
|
const um = navUserMessage(req);
|
|
const sc = walk(lenBytes(um, 3)); // SelectedContext
|
|
const selectedImages = sc.filter((f) => f.fn === 1 && f.wt === 2);
|
|
assert.equal(selectedImages.length, 2, "two selected_images entries");
|
|
|
|
const first = walk(Buffer.from((selectedImages[0] as { bytes: Buffer }).bytes));
|
|
assert.equal(lenBytes(first, 2).toString("utf8"), "u1");
|
|
assert.equal(lenBytes(first, 7).toString("utf8"), "image/png");
|
|
assert.deepEqual(lenBytes(first, 8), Buffer.from([0xaa, 0xbb]));
|
|
|
|
const second = walk(Buffer.from((selectedImages[1] as { bytes: Buffer }).bytes));
|
|
assert.deepEqual(lenBytes(second, 8), Buffer.from([0xcc]));
|
|
|
|
// UserMessage.text (field 1) still carries the prompt text alongside images.
|
|
assert.equal(lenBytes(um, 1).toString("utf8"), "what colors?");
|
|
});
|
|
|
|
// ─── extractImageUrls ───────────────────────────────────────────────────────
|
|
|
|
test("extractImageUrls pulls urls from object and string image_url parts", () => {
|
|
assert.deepEqual(
|
|
extractImageUrls([
|
|
{ type: "text", text: "hi" },
|
|
{ type: "image_url", image_url: { url: "data:image/png;base64,AA" } },
|
|
{ type: "image_url", image_url: "https://x.test/y.png" },
|
|
{ type: "image_url", image_url: { detail: "high" } }, // no url -> ignored
|
|
]),
|
|
["data:image/png;base64,AA", "https://x.test/y.png"]
|
|
);
|
|
assert.deepEqual(extractImageUrls("plain string content"), []);
|
|
assert.deepEqual(extractImageUrls(null), []);
|
|
});
|
|
|
|
// ─── resolveCursorImages: happy path ────────────────────────────────────────
|
|
|
|
test("resolveCursorImages decodes a valid base64 data URI", async () => {
|
|
const png = Buffer.from([137, 80, 78, 71, 13, 10, 26, 10]);
|
|
const out = await resolveCursorImages([`data:image/png;base64,${png.toString("base64")}`]);
|
|
assert.equal(out.length, 1);
|
|
assert.deepEqual(out[0].data, png);
|
|
assert.equal(out[0].mimeType, "image/png");
|
|
assert.ok(out[0].uuid && out[0].uuid.length > 0);
|
|
});
|
|
|
|
// ─── resolveCursorImages: rejections (all CursorImageError, all sanitized) ───
|
|
|
|
test("resolveCursorImages rejects a non-image data URI", async () => {
|
|
await assert.rejects(
|
|
() => resolveCursorImages(["data:text/plain;base64,aGVsbG8="]),
|
|
(e) => e instanceof CursorImageError
|
|
);
|
|
});
|
|
|
|
test("resolveCursorImages rejects invalid base64", async () => {
|
|
await assert.rejects(
|
|
() => resolveCursorImages(["data:image/png;base64,@@@@"]),
|
|
(e) => e instanceof CursorImageError
|
|
);
|
|
});
|
|
|
|
test("resolveCursorImages rejects a non-base64 data URI", async () => {
|
|
await assert.rejects(
|
|
() => resolveCursorImages(["data:image/png,not-base64-payload"]),
|
|
(e) => e instanceof CursorImageError
|
|
);
|
|
});
|
|
|
|
test("resolveCursorImages rejects an oversized image (>1 MiB)", async () => {
|
|
const big = Buffer.alloc(MAX_CURSOR_IMAGE_BYTES + 16).toString("base64");
|
|
await assert.rejects(
|
|
() => resolveCursorImages([`data:image/png;base64,${big}`]),
|
|
(e) => e instanceof CursorImageError
|
|
);
|
|
});
|
|
|
|
test("resolveCursorImages blocks SSRF targets (localhost, link-local, file://)", async () => {
|
|
for (const url of [
|
|
"http://127.0.0.1/x.png",
|
|
"http://localhost:8080/x.png",
|
|
"http://169.254.169.254/latest/meta-data/",
|
|
"http://[::1]/x.png",
|
|
"http://10.0.0.5/x.png",
|
|
"file:///etc/passwd",
|
|
]) {
|
|
await assert.rejects(
|
|
() => resolveCursorImages([url]),
|
|
(e) => e instanceof CursorImageError,
|
|
`expected ${url} to be blocked`
|
|
);
|
|
}
|
|
});
|
|
|
|
test("resolveCursorImages rejects too many images", async () => {
|
|
const one = "data:image/png;base64,AAAA";
|
|
await assert.rejects(
|
|
() => resolveCursorImages(Array.from({ length: MAX_CURSOR_IMAGES + 1 }, () => one)),
|
|
(e) => e instanceof CursorImageError
|
|
);
|
|
});
|
|
|
|
test("resolveCursorImages accepts an uppercase DATA: scheme (RFC 2397 case-insensitive)", async () => {
|
|
const png = Buffer.from([137, 80, 78, 71]);
|
|
const out = await resolveCursorImages([`DATA:image/png;base64,${png.toString("base64")}`]);
|
|
assert.equal(out.length, 1);
|
|
assert.deepEqual(out[0].data, png);
|
|
assert.equal(out[0].mimeType, "image/png");
|
|
});
|
|
|
|
test("assertResolvedAddressesPublic blocks private/metadata IPs, allows public", () => {
|
|
for (const ip of ["127.0.0.1", "10.0.0.1", "169.254.169.254", "192.168.1.1", "::1", "fd00::1"]) {
|
|
assert.throws(() => assertResolvedAddressesPublic([ip]), CursorImageError, `should block ${ip}`);
|
|
}
|
|
assert.doesNotThrow(() => assertResolvedAddressesPublic(["93.184.216.34", "1.1.1.1"]));
|
|
// A single private answer among public ones still blocks (DNS-rebinding).
|
|
assert.throws(() => assertResolvedAddressesPublic(["8.8.8.8", "127.0.0.1"]), CursorImageError);
|
|
});
|
|
|
|
test("resolveCursorImages blocks DNS rebinding (public host resolving to a private IP)", async (t) => {
|
|
t.mock.method(dns.promises, "lookup", async () => [{ address: "127.0.0.1", family: 4 }]);
|
|
const realFetch = globalThis.fetch;
|
|
// fetch should never be reached — the DNS gate blocks first.
|
|
globalThis.fetch = async () => {
|
|
throw new Error("fetch must not run for a rebinding host");
|
|
};
|
|
try {
|
|
await assert.rejects(
|
|
() => resolveCursorImages(["https://rebind.attacker.example/a.png"]),
|
|
(e) => e instanceof CursorImageError && /blocked address/i.test((e as Error).message)
|
|
);
|
|
} finally {
|
|
globalThis.fetch = realFetch;
|
|
}
|
|
});
|
|
|
|
test("resolveCursorImages re-validates redirects: a 30x to a private host is blocked (SSRF)", async (t) => {
|
|
// fetch() follows redirects by default; the resolver uses redirect:"manual"
|
|
// and re-validates each hop. A public URL that 302s to 127.0.0.1 must be
|
|
// blocked, not followed.
|
|
t.mock.method(dns.promises, "lookup", async () => PUBLIC_IP);
|
|
const realFetch = globalThis.fetch;
|
|
globalThis.fetch = async () =>
|
|
new Response(null, { status: 302, headers: { location: "http://127.0.0.1/secret.png" } });
|
|
try {
|
|
await assert.rejects(
|
|
() => resolveCursorImages(["https://public.example/a.png"]),
|
|
(e) => e instanceof CursorImageError && /blocked address/i.test((e as Error).message)
|
|
);
|
|
} finally {
|
|
globalThis.fetch = realFetch;
|
|
}
|
|
});
|
|
|
|
test("resolveCursorImages follows a redirect to another public host and reads the image", async (t) => {
|
|
t.mock.method(dns.promises, "lookup", async () => PUBLIC_IP);
|
|
const png = Buffer.from([137, 80, 78, 71, 13, 10, 26, 10]);
|
|
const realFetch = globalThis.fetch;
|
|
let call = 0;
|
|
globalThis.fetch = async () => {
|
|
call++;
|
|
if (call === 1) {
|
|
return new Response(null, {
|
|
status: 302,
|
|
headers: { location: "https://cdn.public.example/a.png" },
|
|
});
|
|
}
|
|
return new Response(new Uint8Array(png), {
|
|
status: 200,
|
|
headers: { "content-type": "image/png" },
|
|
});
|
|
};
|
|
try {
|
|
const out = await resolveCursorImages(["https://public.example/a.png"]);
|
|
assert.equal(out.length, 1);
|
|
assert.deepEqual(out[0].data, png);
|
|
assert.equal(out[0].mimeType, "image/png");
|
|
} finally {
|
|
globalThis.fetch = realFetch;
|
|
}
|
|
});
|
|
|
|
test("resolveCursorImages rejects an over-long redirect chain", async (t) => {
|
|
t.mock.method(dns.promises, "lookup", async () => PUBLIC_IP);
|
|
const realFetch = globalThis.fetch;
|
|
globalThis.fetch = async () =>
|
|
new Response(null, {
|
|
status: 302,
|
|
headers: { location: "https://public.example/loop.png" },
|
|
});
|
|
try {
|
|
await assert.rejects(
|
|
() => resolveCursorImages(["https://public.example/start.png"]),
|
|
(e) => e instanceof CursorImageError && /too many redirects/i.test((e as Error).message)
|
|
);
|
|
} finally {
|
|
globalThis.fetch = realFetch;
|
|
}
|
|
});
|
|
|
|
// ─── Executor-level error body (response path, hard rule #12) ───────────────
|
|
|
|
test("executor returns a sanitized 400 for an oversized image", async () => {
|
|
// buildRequest throws CursorImageError before any network/session/DB work,
|
|
// so this stays fully offline (no token needed).
|
|
const exec = new CursorExecutor();
|
|
const big = Buffer.alloc(MAX_CURSOR_IMAGE_BYTES + 16).toString("base64");
|
|
const result = await exec.execute({
|
|
model: "gpt-5.2",
|
|
body: {
|
|
messages: [
|
|
{
|
|
role: "user",
|
|
content: [
|
|
{ type: "text", text: "what color?" },
|
|
{ type: "image_url", image_url: { url: `data:image/png;base64,${big}` } },
|
|
],
|
|
},
|
|
],
|
|
},
|
|
stream: false,
|
|
credentials: { accessToken: "test-token" },
|
|
signal: undefined,
|
|
log: () => {},
|
|
upstreamExtraHeaders: undefined,
|
|
});
|
|
assert.equal(result.response.status, 400);
|
|
const body = await result.response.json();
|
|
assert.ok(body.error, "error envelope present");
|
|
assert.match(body.error.message, /too large/i);
|
|
// No stack-trace / source-path leakage in the response body (hard rule #12).
|
|
assert.ok(!body.error.message.includes("at /"), "no stack frame in error body");
|
|
assert.ok(!/\/(root|home|usr)\//.test(body.error.message), "no absolute path in error body");
|
|
});
|
|
|
|
test("executor returns a sanitized 400 for an SSRF-blocked image URL", async () => {
|
|
const exec = new CursorExecutor();
|
|
const result = await exec.execute({
|
|
model: "gpt-5.2",
|
|
body: {
|
|
messages: [
|
|
{
|
|
role: "user",
|
|
content: [
|
|
{ type: "text", text: "what color?" },
|
|
{ type: "image_url", image_url: { url: "http://169.254.169.254/latest/" } },
|
|
],
|
|
},
|
|
],
|
|
},
|
|
stream: false,
|
|
credentials: { accessToken: "test-token" },
|
|
signal: undefined,
|
|
log: () => {},
|
|
upstreamExtraHeaders: undefined,
|
|
});
|
|
assert.equal(result.response.status, 400);
|
|
const body = await result.response.json();
|
|
assert.ok(!body.error.message.includes("at /"), "no stack frame in error body");
|
|
});
|
|
|
|
test("CursorImageError messages never leak stack traces or paths", async () => {
|
|
// Every rejection message must be a clean human string (no "at /" frames,
|
|
// no absolute paths) so the executor's sanitized 400 body stays clean
|
|
// (hard rule #12).
|
|
const triggers = [
|
|
"data:text/plain;base64,aGVsbG8=",
|
|
"data:image/png;base64,@@@@",
|
|
"http://127.0.0.1/x.png",
|
|
"file:///etc/passwd",
|
|
];
|
|
for (const url of triggers) {
|
|
await resolveCursorImages([url]).then(
|
|
() => assert.fail(`expected rejection for ${url}`),
|
|
(e) => {
|
|
assert.ok(e instanceof CursorImageError);
|
|
assert.ok(!/\bat \//.test(e.message), `no stack frame in: ${e.message}`);
|
|
assert.ok(!/\/(root|home|usr)\//.test(e.message), `no abs path in: ${e.message}`);
|
|
}
|
|
);
|
|
}
|
|
});
|