Files
wehub-resource-sync 23f7624596
ADR-166 MCP Bridge Security Lock / Static-source security lock (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / Compose default binds loopback + Mongo has auth (push) Failing after 2s
CodeQL Advanced / Analyze (rust) (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / plugin-agent-federation bindHost default (push) Failing after 1s
ADR-166 MCP Bridge Security Lock / Runtime behavior — 401 + terminal gate + fail-closed (push) Failing after 4s
business-pods-smoke / smoke (push) Failing after 1s
all-plugins-smoke / smoke-all (push) Failing after 2s
CI/CD Pipeline / Security & Code Quality (push) Failing after 1s
CI/CD Pipeline / Test Suite (ubuntu-latest) (push) Failing after 1s
CI/CD Pipeline / Build & Package (macos-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (ubuntu-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (windows-latest) (push) Has been skipped
CI/CD Pipeline / Documentation & Examples (push) Failing after 1s
Clone Tracker (14-day rolling) / Snapshot clones for ruflo ecosystem (push) Failing after 1s
CodeQL Advanced / Analyze (actions) (push) Failing after 1s
CodeQL Advanced / Analyze (javascript-typescript) (push) Failing after 1s
federation-peer-rust / stable-noop (push) Failing after 1s
metaharness-ci / score (push) Failing after 1s
metaharness-ci / router-compat (push) Failing after 0s
metaharness-ci / similarity-tests (push) Failing after 0s
no-agentbbs-smoke / smoke-without-agentbbs (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (windows-latest) (push) Has been skipped
codex-integration-audit / Codex integration audit (push) Failing after 1s
helpers-manifest-guard / guard (push) Failing after 1s
🔗 Cross-Agent Integration Tests / 🤝 Agent Coordination Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🧠 Memory Sharing Integration (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🛡️ Fault Tolerance Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / ⚡ Performance Integration Tests (push) Has been skipped
metaharness-ci / mcp-scan (push) Failing after 1s
metaharness-ci / eject-dryrun (push) Failing after 1s
metaharness-ci / metaharness-real-data (push) Failing after 0s
no-cli-optdep-bloat-2561 / guard (push) Failing after 1s
no-metaharness-smoke / smoke-without-metaharness (push) Failing after 1s
no-phantom-agentic-flow-subpath / guard (push) Failing after 1s
🔄 Automated Rollback Manager / 🚨 Failure Detection (push) Failing after 1s
V3 CI/CD Pipeline / Plugin hooks smoke / ubuntu-latest / Node 22 (push) Failing after 1s
V3 CI/CD Pipeline / ruflo-graph-intelligence build + test smoke (#2044, ADR-123) (push) Failing after 1s
CVE Audit Gate / Audit root (critical-blocking) (push) Failing after 2s
cost-tracker-smoke / smoke (push) Failing after 3s
oia-audit-weekly / audit (push) Failing after 2s
ruflo-agent-smoke / ruflo-agent structural smoke (push) Failing after 1s
📊 Status Badges Update / 📊 Update Status Badges (push) Failing after 1s
V3 CI/CD Pipeline / Static regression guards (#2267 YAML + (push) Failing after 1s
V3 CI/CD Pipeline / Test V3 Packages (push) Failing after 0s
V3 CI/CD Pipeline / agent_execute provider routing smoke (#2042) (push) Failing after 0s
CVE Audit Gate / Audit v3 (critical-blocking) (push) Failing after 1s
federation-peer-rust / stable-native (push) Failing after 2s
🔗 Cross-Agent Integration Tests / 🚀 Integration Test Setup (push) Failing after 2s
neural-trader-smoke / runtime-smoke (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (macos-latest) (push) Has been skipped
V3 CI/CD Pipeline / Build V3 (ubuntu-latest) (push) Has been skipped
V3 CI/CD Pipeline / Type Check V3 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 24 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 22 (push) Failing after 2s
V3 CI/CD Pipeline / browser rvf create flag smoke (#2015) (push) Failing after 0s
V3 CI/CD Pipeline / Dependency review (#2046) (push) Has been skipped
V3 CI/CD Pipeline / Supply-chain audit (#2046) (push) Failing after 0s
V3 CI/CD Pipeline / witness marker drift smoke (#2021) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader portfolio CG smoke (#2068, ADR-126 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader backtest signing smoke (#2068, ADR-126 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / kg-extract type-import classification smoke (#2049) (push) Failing after 0s
V3 CI/CD Pipeline / witness verify precondition smoke (#1880) (push) Failing after 2s
V3 CI/CD Pipeline / neural-trader pipeline risk-gate smoke (#2068, ADR-126 Phase 5) (push) Failing after 0s
V3 CI/CD Pipeline / neural-trader feature attribution smoke (#2068, ADR-126 Phase 6) (push) Failing after 0s
V3 CI/CD Pipeline / plugin-registry signature verification smoke (#1922, CWE-347) (push) Failing after 4s
V3 CI/CD Pipeline / memory stats legacy-DB smoke (#2120) (push) Failing after 4s
V3 CI/CD Pipeline / github deprecated actions smoke (#2089, ADR-127 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / graph query + pathfinder smoke (ADR-130 P2+P5) (push) Has been skipped
V3 CI/CD Pipeline / graph trajectory hooks smoke (ADR-130 P3) (push) Has been skipped
V3 CI/CD Pipeline / graph plugin adapter smoke (ADR-130 P4) (push) Has been skipped
V3 CI/CD Pipeline / graph benchmark (ADR-130 P6) (push) Has been skipped
V3 CI/CD Pipeline / statusline generator delegation smoke (#2195) (push) Failing after 1s
V3 CI/CD Pipeline / wizard init regression guard (#2206 (push) Failing after 1s
V3 CI/CD Pipeline / memory no-stray-db smoke (ADR-125 P7) (push) Failing after 1s
V3 CI/CD Pipeline / github-safe injection smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github actions pin smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github attribution opt-in smoke (#2089, ADR-127 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / pre-bash hook safety smoke (#2017) (push) Failing after 1s
V3 CI/CD Pipeline / Memory import smoke / ubuntu-latest (push) Failing after 0s
V3 CI/CD Pipeline / MCP protocol smoke / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / ruvllm WASM auto-init smoke (#2086) (push) Failing after 4s
V3 CI/CD Pipeline / MCP paired-tool round-trip smoke (#1889) (push) Failing after 1s
V3 CI/CD Pipeline / Plugin package install-safety (#1902/#1903/#1904) (push) Failing after 1s
V3 CI/CD Pipeline / Tool description discoverability (ADR-112) (push) Failing after 3s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (22) (push) Failing after 1s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (24) (push) Failing after 1s
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Vector-index dimension audit (#1947) (push) Failing after 0s
V3 CI/CD Pipeline / Hook-command install safety (#1921) (push) Failing after 1s
V3 CI/CD Pipeline / ToolOutputGuardrail smoke (ADR-131, (push) Failing after 1s
V3 CI/CD Pipeline / init-bundle invariants smoke (#2095, ADR-128 Phase 5) (push) Failing after 1s
V3 CI/CD Pipeline / wasm provider bridge smoke (ADR-129 P1) (push) Failing after 2s
V3 CI/CD Pipeline / wasm gallery CRUD smoke (ADR-129 P3) (push) Failing after 1s
V3 CI/CD Pipeline / wasm plugin bridge smoke (ADR-129 P4) (push) Failing after 0s
V3 CI/CD Pipeline / wasm compose smoke (ADR-129 P2) (push) Failing after 4s
V3 CI/CD Pipeline / graph schema smoke (ADR-130 P1) (push) Failing after 0s
Validate Marketplace / validate (push) Failing after 1s
🔍 Verification Pipeline / 🚀 Setup Verification (push) Failing after 1s
🔍 Verification Pipeline / 🛡️ Security Verification (push) Has been skipped
🔍 Verification Pipeline / 📝 Code Quality (push) Has been skipped
🔍 Verification Pipeline / 🧪 Test Verification (${{ matrix.os }}, Node ${{ matrix.node }}) (push) Has been skipped
🔍 Verification Pipeline / 🏗️ Build Verification (push) Has been skipped
🔍 Verification Pipeline / 📚 Documentation Verification (push) Has been skipped
CVE Audit Gate / High-severity report (warn only) (push) Has been cancelled
🔄 Automated Rollback Manager / 🔄 Execute Rollback (push) Has been cancelled
🔄 Automated Rollback Manager / ✅ Post-Rollback Verification (push) Has been cancelled
🔄 Automated Rollback Manager / 📊 Rollback Monitoring (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / windows-latest (push) Has been cancelled
🔄 Automated Rollback Manager / ⏳ Manual Rollback Approval (push) Has been cancelled
V3 CI/CD Pipeline / MCP protocol smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Memory import smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / ubuntu-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Publish to npm (alpha) (push) Has been cancelled
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / macos-latest / Node 22 (push) Has been cancelled
V3 CI/CD Pipeline / Plugin hooks smoke / macos-latest / Node 22 (push) Has been cancelled
CI/CD Pipeline / Deploy & Release (push) Has been cancelled
CI/CD Pipeline / CI Status (push) Has been cancelled
🔗 Cross-Agent Integration Tests / 📊 Integration Test Report (push) Has been cancelled
🔄 Automated Rollback Manager / 🔍 Pre-Rollback Validation (push) Has been cancelled
🔍 Verification Pipeline / ⚡ Performance Verification (push) Has been cancelled
🔍 Verification Pipeline / 📊 Verification Report (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:02:19 +08:00

675 lines
18 KiB
TypeScript

/**
* V3 Claude-Flow Security Compliance Acceptance Tests
*
* Acceptance tests for security requirements
* Tests CVE prevention and security compliance
*/
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { createMock, type MockedInterface } from '../helpers/create-mock';
import { securityConfigs } from '../fixtures/configurations';
/**
* Security compliance checker interface
*/
interface ISecurityComplianceChecker {
checkPathTraversal(path: string): ComplianceResult;
checkCommandInjection(command: string, args: string[]): ComplianceResult;
checkNullByteInjection(input: string): ComplianceResult;
checkPasswordPolicy(password: string): ComplianceResult;
runFullAudit(): Promise<AuditResult>;
}
/**
* CVE scanner interface
*/
interface ICVEScanner {
scan(code: string): Promise<CVEScanResult>;
getKnownCVEs(): CVEInfo[];
validateFix(cveId: string): Promise<boolean>;
}
/**
* Security policy enforcer interface
*/
interface ISecurityPolicyEnforcer {
enforcePathPolicy(path: string): EnforcementResult;
enforceCommandPolicy(command: string): EnforcementResult;
enforceInputPolicy(input: string): EnforcementResult;
getViolations(): PolicyViolation[];
}
interface ComplianceResult {
compliant: boolean;
violations: string[];
severity: 'critical' | 'high' | 'medium' | 'low' | 'none';
recommendations: string[];
}
interface AuditResult {
passed: boolean;
checks: AuditCheck[];
overallScore: number;
timestamp: Date;
}
interface AuditCheck {
name: string;
passed: boolean;
details: string;
}
interface CVEScanResult {
vulnerabilities: CVEInfo[];
riskScore: number;
remediation: string[];
}
interface CVEInfo {
id: string;
severity: 'critical' | 'high' | 'medium' | 'low';
description: string;
affectedVersions: string[];
fixedIn?: string;
}
interface EnforcementResult {
allowed: boolean;
reason?: string;
sanitized?: string;
}
interface PolicyViolation {
type: string;
input: string;
timestamp: Date;
severity: string;
}
/**
* Security compliance checker implementation
*/
class SecurityComplianceChecker implements ISecurityComplianceChecker {
constructor(private readonly config: typeof securityConfigs.strict) {}
checkPathTraversal(path: string): ComplianceResult {
const violations: string[] = [];
const recommendations: string[] = [];
// Check for directory traversal patterns
const traversalPatterns = ['../', '..\\', '%2e%2e%2f', '%2e%2e/'];
for (const pattern of traversalPatterns) {
if (path.toLowerCase().includes(pattern.toLowerCase())) {
violations.push(`Path contains traversal pattern: ${pattern}`);
}
}
// Check for blocked patterns from config
for (const pattern of this.config.paths.blockedPatterns) {
if (path.includes(pattern)) {
violations.push(`Path contains blocked pattern: ${pattern}`);
}
}
// Check for null bytes
if (path.includes('\0')) {
violations.push('Path contains null byte');
}
if (violations.length > 0) {
recommendations.push('Sanitize path input');
recommendations.push('Use allowlist for valid paths');
recommendations.push('Validate against allowed directories');
}
return {
compliant: violations.length === 0,
violations,
severity: violations.length > 0 ? 'critical' : 'none',
recommendations,
};
}
checkCommandInjection(command: string, args: string[]): ComplianceResult {
const violations: string[] = [];
const recommendations: string[] = [];
// Check base command
const baseCommand = command.split(' ')[0];
if (this.config.execution.blockedCommands.includes(baseCommand)) {
violations.push(`Command "${baseCommand}" is blocked`);
}
if (!this.config.execution.allowedCommands.includes(baseCommand)) {
violations.push(`Command "${baseCommand}" is not in allowlist`);
}
// Check for injection patterns in args
const injectionPatterns = [';', '|', '&', '`', '$', '(', ')', '<', '>', '\n'];
for (const arg of args) {
for (const pattern of injectionPatterns) {
if (arg.includes(pattern)) {
violations.push(`Argument contains injection pattern: ${pattern}`);
}
}
}
if (violations.length > 0) {
recommendations.push('Sanitize command arguments');
recommendations.push('Use allowlist for commands');
recommendations.push('Disable shell execution');
}
return {
compliant: violations.length === 0,
violations,
severity: violations.length > 0 ? 'critical' : 'none',
recommendations,
};
}
checkNullByteInjection(input: string): ComplianceResult {
const violations: string[] = [];
if (input.includes('\0')) {
violations.push('Input contains null byte');
}
// Check for encoded null bytes
if (input.includes('%00')) {
violations.push('Input contains URL-encoded null byte');
}
return {
compliant: violations.length === 0,
violations,
severity: violations.length > 0 ? 'high' : 'none',
recommendations: violations.length > 0 ? ['Strip null bytes from input'] : [],
};
}
checkPasswordPolicy(password: string): ComplianceResult {
const violations: string[] = [];
if (password.length < 8) {
violations.push('Password must be at least 8 characters');
}
if (!/[A-Z]/.test(password)) {
violations.push('Password must contain uppercase letter');
}
if (!/[a-z]/.test(password)) {
violations.push('Password must contain lowercase letter');
}
if (!/[0-9]/.test(password)) {
violations.push('Password must contain number');
}
if (!/[!@#$%^&*]/.test(password)) {
violations.push('Password should contain special character');
}
return {
compliant: violations.length === 0,
violations,
severity: violations.length > 2 ? 'high' : violations.length > 0 ? 'medium' : 'none',
recommendations: ['Use a password manager', 'Enable MFA'],
};
}
async runFullAudit(): Promise<AuditResult> {
const checks: AuditCheck[] = [
{
name: 'Path Traversal Protection',
passed: this.config.paths.blockedPatterns.includes('../'),
details: 'Verified blocked patterns include directory traversal',
},
{
name: 'Command Injection Protection',
passed: this.config.execution.shell === false,
details: 'Shell execution is disabled',
},
{
name: 'Dangerous Commands Blocked',
passed: this.config.execution.blockedCommands.includes('rm'),
details: 'Verified dangerous commands are blocked',
},
{
name: 'Secure Hashing Algorithm',
passed: this.config.hashing.algorithm === 'argon2',
details: 'Using recommended hashing algorithm',
},
{
name: 'Input Size Limit',
passed: this.config.validation.maxInputSize <= 10000,
details: 'Input size is properly limited',
},
];
const passed = checks.every((c) => c.passed);
const overallScore = (checks.filter((c) => c.passed).length / checks.length) * 100;
return {
passed,
checks,
overallScore,
timestamp: new Date(),
};
}
}
describe('Security Compliance Acceptance', () => {
let complianceChecker: SecurityComplianceChecker;
let mockCVEScanner: MockedInterface<ICVEScanner>;
let mockPolicyEnforcer: MockedInterface<ISecurityPolicyEnforcer>;
beforeEach(() => {
complianceChecker = new SecurityComplianceChecker(securityConfigs.strict);
mockCVEScanner = createMock<ICVEScanner>();
mockPolicyEnforcer = createMock<ISecurityPolicyEnforcer>();
// Configure CVE scanner mock
mockCVEScanner.getKnownCVEs.mockReturnValue([
{
id: 'CVE-1',
severity: 'critical',
description: 'Directory traversal vulnerability',
affectedVersions: ['<3.0.0'],
fixedIn: '3.0.0',
},
{
id: 'CVE-2',
severity: 'critical',
description: 'Absolute path injection vulnerability',
affectedVersions: ['<3.0.0'],
fixedIn: '3.0.0',
},
{
id: 'CVE-3',
severity: 'critical',
description: 'Command injection vulnerability',
affectedVersions: ['<3.0.0'],
fixedIn: '3.0.0',
},
]);
mockCVEScanner.validateFix.mockResolvedValue(true);
mockCVEScanner.scan.mockResolvedValue({
vulnerabilities: [],
riskScore: 0,
remediation: [],
});
// Configure policy enforcer mock
mockPolicyEnforcer.enforcePathPolicy.mockImplementation((path) => ({
allowed: !path.includes('../'),
reason: path.includes('../') ? 'Path traversal detected' : undefined,
}));
mockPolicyEnforcer.enforceCommandPolicy.mockImplementation((cmd) => ({
allowed: securityConfigs.strict.execution.allowedCommands.includes(cmd.split(' ')[0]),
}));
mockPolicyEnforcer.getViolations.mockReturnValue([]);
});
describe('CVE-1: Directory Traversal Prevention', () => {
it('should detect basic directory traversal', () => {
// Given
const maliciousPath = '../../../etc/passwd';
// When
const result = complianceChecker.checkPathTraversal(maliciousPath);
// Then
expect(result.compliant).toBe(false);
expect(result.severity).toBe('critical');
expect(result.violations).toContainEqual(expect.stringContaining('../'));
});
it('should detect Windows-style traversal', () => {
// Given
const maliciousPath = '..\\..\\..\\Windows\\System32';
// When
const result = complianceChecker.checkPathTraversal(maliciousPath);
// Then
expect(result.compliant).toBe(false);
});
it('should detect URL-encoded traversal', () => {
// Given
const maliciousPath = '%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd';
// When
const result = complianceChecker.checkPathTraversal(maliciousPath);
// Then
expect(result.compliant).toBe(false);
});
it('should allow safe paths', () => {
// Given
const safePath = './v3/src/security/index.ts';
// When
const result = complianceChecker.checkPathTraversal(safePath);
// Then
expect(result.compliant).toBe(true);
expect(result.severity).toBe('none');
});
it('should validate CVE-1 fix', async () => {
// When
const isFixed = await mockCVEScanner.validateFix('CVE-1');
// Then
expect(isFixed).toBe(true);
});
});
describe('CVE-2: Absolute Path Injection Prevention', () => {
it('should detect /etc/ access attempts', () => {
// Given
const maliciousPath = '/etc/passwd';
// When
const result = complianceChecker.checkPathTraversal(maliciousPath);
// Then
expect(result.compliant).toBe(false);
expect(result.violations).toContainEqual(expect.stringContaining('/etc/'));
});
it('should detect /tmp/ access attempts', () => {
// Given
const maliciousPath = '/tmp/malicious.sh';
// When
const result = complianceChecker.checkPathTraversal(maliciousPath);
// Then
expect(result.compliant).toBe(false);
});
it('should detect home directory access attempts', () => {
// Given
const maliciousPath = '~/.ssh/id_rsa';
// When
const result = complianceChecker.checkPathTraversal(maliciousPath);
// Then
expect(result.compliant).toBe(false);
});
it('should validate CVE-2 fix', async () => {
// When
const isFixed = await mockCVEScanner.validateFix('CVE-2');
// Then
expect(isFixed).toBe(true);
});
});
describe('CVE-3: Command Injection Prevention', () => {
it('should detect semicolon injection', () => {
// Given
const command = 'npm';
const args = ['install; rm -rf /'];
// When
const result = complianceChecker.checkCommandInjection(command, args);
// Then
expect(result.compliant).toBe(false);
expect(result.violations).toContainEqual(expect.stringContaining(';'));
});
it('should detect pipe injection', () => {
// Given
const command = 'npm';
const args = ['install | cat /etc/passwd'];
// When
const result = complianceChecker.checkCommandInjection(command, args);
// Then
expect(result.compliant).toBe(false);
});
it('should detect command substitution', () => {
// Given
const command = 'npm';
const args = ['install $(whoami)'];
// When
const result = complianceChecker.checkCommandInjection(command, args);
// Then
expect(result.compliant).toBe(false);
});
it('should detect backtick execution', () => {
// Given
const command = 'npm';
const args = ['install `rm -rf /`'];
// When
const result = complianceChecker.checkCommandInjection(command, args);
// Then
expect(result.compliant).toBe(false);
});
it('should block dangerous commands', () => {
// Given
const command = 'rm';
const args = ['-rf', '/'];
// When
const result = complianceChecker.checkCommandInjection(command, args);
// Then
expect(result.compliant).toBe(false);
expect(result.violations).toContainEqual(expect.stringContaining('rm'));
});
it('should allow safe commands', () => {
// Given
const command = 'npm';
const args = ['install', '--save', 'lodash'];
// When
const result = complianceChecker.checkCommandInjection(command, args);
// Then
expect(result.compliant).toBe(true);
});
it('should validate CVE-3 fix', async () => {
// When
const isFixed = await mockCVEScanner.validateFix('CVE-3');
// Then
expect(isFixed).toBe(true);
});
});
describe('Null Byte Injection Prevention', () => {
it('should detect null byte in path', () => {
// Given
const input = 'file.txt\0.exe';
// When
const result = complianceChecker.checkNullByteInjection(input);
// Then
expect(result.compliant).toBe(false);
expect(result.severity).toBe('high');
});
it('should detect URL-encoded null byte', () => {
// Given
const input = 'file.txt%00.exe';
// When
const result = complianceChecker.checkNullByteInjection(input);
// Then
expect(result.compliant).toBe(false);
});
it('should allow clean input', () => {
// Given
const input = 'file.txt';
// When
const result = complianceChecker.checkNullByteInjection(input);
// Then
expect(result.compliant).toBe(true);
});
});
describe('Password Policy Compliance', () => {
it('should require minimum length', () => {
// Given
const weakPassword = 'Short1!';
// When
const result = complianceChecker.checkPasswordPolicy(weakPassword);
// Then
expect(result.compliant).toBe(false);
expect(result.violations).toContainEqual(expect.stringContaining('8 characters'));
});
it('should require uppercase letter', () => {
// Given
const noUpper = 'password123!';
// When
const result = complianceChecker.checkPasswordPolicy(noUpper);
// Then
expect(result.violations).toContainEqual(expect.stringContaining('uppercase'));
});
it('should require lowercase letter', () => {
// Given
const noLower = 'PASSWORD123!';
// When
const result = complianceChecker.checkPasswordPolicy(noLower);
// Then
expect(result.violations).toContainEqual(expect.stringContaining('lowercase'));
});
it('should require number', () => {
// Given
const noNumber = 'Password!!';
// When
const result = complianceChecker.checkPasswordPolicy(noNumber);
// Then
expect(result.violations).toContainEqual(expect.stringContaining('number'));
});
it('should accept strong password', () => {
// Given
const strongPassword = 'SecureP@ss123!';
// When
const result = complianceChecker.checkPasswordPolicy(strongPassword);
// Then
expect(result.compliant).toBe(true);
});
});
describe('Full Security Audit', () => {
it('should pass full audit with strict config', async () => {
// When
const audit = await complianceChecker.runFullAudit();
// Then
expect(audit.passed).toBe(true);
expect(audit.overallScore).toBe(100);
});
it('should verify all security checks pass', async () => {
// When
const audit = await complianceChecker.runFullAudit();
// Then
for (const check of audit.checks) {
expect(check.passed).toBe(true);
}
});
it('should verify path traversal protection is enabled', async () => {
// When
const audit = await complianceChecker.runFullAudit();
// Then
const pathCheck = audit.checks.find((c) => c.name === 'Path Traversal Protection');
expect(pathCheck?.passed).toBe(true);
});
it('should verify shell execution is disabled', async () => {
// When
const audit = await complianceChecker.runFullAudit();
// Then
const shellCheck = audit.checks.find((c) => c.name === 'Command Injection Protection');
expect(shellCheck?.passed).toBe(true);
});
it('should verify secure hashing is configured', async () => {
// When
const audit = await complianceChecker.runFullAudit();
// Then
const hashCheck = audit.checks.find((c) => c.name === 'Secure Hashing Algorithm');
expect(hashCheck?.passed).toBe(true);
});
});
describe('Security Configuration Compliance', () => {
it('should have 95% security test coverage target', () => {
// Given
const securityCoverageTarget = 0.95;
// Then
expect(securityCoverageTarget).toBe(0.95);
});
it('should use argon2 for password hashing', () => {
// Then
expect(securityConfigs.strict.hashing.algorithm).toBe('argon2');
});
it('should disable shell execution by default', () => {
// Then
expect(securityConfigs.strict.execution.shell).toBe(false);
});
it('should block all dangerous commands', () => {
// Then
expect(securityConfigs.strict.execution.blockedCommands).toContain('rm');
expect(securityConfigs.strict.execution.blockedCommands).toContain('del');
expect(securityConfigs.strict.execution.blockedCommands).toContain('format');
expect(securityConfigs.strict.execution.blockedCommands).toContain('dd');
});
it('should have limited allowed commands', () => {
// Then
expect(securityConfigs.strict.execution.allowedCommands).toEqual(['npm', 'node', 'git']);
});
});
});