23f7624596
ADR-166 MCP Bridge Security Lock / Static-source security lock (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / Compose default binds loopback + Mongo has auth (push) Failing after 2s
CodeQL Advanced / Analyze (rust) (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / plugin-agent-federation bindHost default (push) Failing after 1s
ADR-166 MCP Bridge Security Lock / Runtime behavior — 401 + terminal gate + fail-closed (push) Failing after 4s
business-pods-smoke / smoke (push) Failing after 1s
all-plugins-smoke / smoke-all (push) Failing after 2s
CI/CD Pipeline / Security & Code Quality (push) Failing after 1s
CI/CD Pipeline / Test Suite (ubuntu-latest) (push) Failing after 1s
CI/CD Pipeline / Build & Package (macos-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (ubuntu-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (windows-latest) (push) Has been skipped
CI/CD Pipeline / Documentation & Examples (push) Failing after 1s
Clone Tracker (14-day rolling) / Snapshot clones for ruflo ecosystem (push) Failing after 1s
CodeQL Advanced / Analyze (actions) (push) Failing after 1s
CodeQL Advanced / Analyze (javascript-typescript) (push) Failing after 1s
federation-peer-rust / stable-noop (push) Failing after 1s
metaharness-ci / score (push) Failing after 1s
metaharness-ci / router-compat (push) Failing after 0s
metaharness-ci / similarity-tests (push) Failing after 0s
no-agentbbs-smoke / smoke-without-agentbbs (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (windows-latest) (push) Has been skipped
codex-integration-audit / Codex integration audit (push) Failing after 1s
helpers-manifest-guard / guard (push) Failing after 1s
🔗 Cross-Agent Integration Tests / 🤝 Agent Coordination Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🧠 Memory Sharing Integration (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🛡️ Fault Tolerance Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / ⚡ Performance Integration Tests (push) Has been skipped
metaharness-ci / mcp-scan (push) Failing after 1s
metaharness-ci / eject-dryrun (push) Failing after 1s
metaharness-ci / metaharness-real-data (push) Failing after 0s
no-cli-optdep-bloat-2561 / guard (push) Failing after 1s
no-metaharness-smoke / smoke-without-metaharness (push) Failing after 1s
no-phantom-agentic-flow-subpath / guard (push) Failing after 1s
🔄 Automated Rollback Manager / 🚨 Failure Detection (push) Failing after 1s
V3 CI/CD Pipeline / Plugin hooks smoke / ubuntu-latest / Node 22 (push) Failing after 1s
V3 CI/CD Pipeline / ruflo-graph-intelligence build + test smoke (#2044, ADR-123) (push) Failing after 1s
CVE Audit Gate / Audit root (critical-blocking) (push) Failing after 2s
cost-tracker-smoke / smoke (push) Failing after 3s
oia-audit-weekly / audit (push) Failing after 2s
ruflo-agent-smoke / ruflo-agent structural smoke (push) Failing after 1s
📊 Status Badges Update / 📊 Update Status Badges (push) Failing after 1s
V3 CI/CD Pipeline / Static regression guards (#2267 YAML + (push) Failing after 1s
V3 CI/CD Pipeline / Test V3 Packages (push) Failing after 0s
V3 CI/CD Pipeline / agent_execute provider routing smoke (#2042) (push) Failing after 0s
CVE Audit Gate / Audit v3 (critical-blocking) (push) Failing after 1s
federation-peer-rust / stable-native (push) Failing after 2s
🔗 Cross-Agent Integration Tests / 🚀 Integration Test Setup (push) Failing after 2s
neural-trader-smoke / runtime-smoke (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (macos-latest) (push) Has been skipped
V3 CI/CD Pipeline / Build V3 (ubuntu-latest) (push) Has been skipped
V3 CI/CD Pipeline / Type Check V3 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 24 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 22 (push) Failing after 2s
V3 CI/CD Pipeline / browser rvf create flag smoke (#2015) (push) Failing after 0s
V3 CI/CD Pipeline / Dependency review (#2046) (push) Has been skipped
V3 CI/CD Pipeline / Supply-chain audit (#2046) (push) Failing after 0s
V3 CI/CD Pipeline / witness marker drift smoke (#2021) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader portfolio CG smoke (#2068, ADR-126 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader backtest signing smoke (#2068, ADR-126 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / kg-extract type-import classification smoke (#2049) (push) Failing after 0s
V3 CI/CD Pipeline / witness verify precondition smoke (#1880) (push) Failing after 2s
V3 CI/CD Pipeline / neural-trader pipeline risk-gate smoke (#2068, ADR-126 Phase 5) (push) Failing after 0s
V3 CI/CD Pipeline / neural-trader feature attribution smoke (#2068, ADR-126 Phase 6) (push) Failing after 0s
V3 CI/CD Pipeline / plugin-registry signature verification smoke (#1922, CWE-347) (push) Failing after 4s
V3 CI/CD Pipeline / memory stats legacy-DB smoke (#2120) (push) Failing after 4s
V3 CI/CD Pipeline / github deprecated actions smoke (#2089, ADR-127 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / graph query + pathfinder smoke (ADR-130 P2+P5) (push) Has been skipped
V3 CI/CD Pipeline / graph trajectory hooks smoke (ADR-130 P3) (push) Has been skipped
V3 CI/CD Pipeline / graph plugin adapter smoke (ADR-130 P4) (push) Has been skipped
V3 CI/CD Pipeline / graph benchmark (ADR-130 P6) (push) Has been skipped
V3 CI/CD Pipeline / statusline generator delegation smoke (#2195) (push) Failing after 1s
V3 CI/CD Pipeline / wizard init regression guard (#2206 (push) Failing after 1s
V3 CI/CD Pipeline / memory no-stray-db smoke (ADR-125 P7) (push) Failing after 1s
V3 CI/CD Pipeline / github-safe injection smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github actions pin smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github attribution opt-in smoke (#2089, ADR-127 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / pre-bash hook safety smoke (#2017) (push) Failing after 1s
V3 CI/CD Pipeline / Memory import smoke / ubuntu-latest (push) Failing after 0s
V3 CI/CD Pipeline / MCP protocol smoke / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / ruvllm WASM auto-init smoke (#2086) (push) Failing after 4s
V3 CI/CD Pipeline / MCP paired-tool round-trip smoke (#1889) (push) Failing after 1s
V3 CI/CD Pipeline / Plugin package install-safety (#1902/#1903/#1904) (push) Failing after 1s
V3 CI/CD Pipeline / Tool description discoverability (ADR-112) (push) Failing after 3s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (22) (push) Failing after 1s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (24) (push) Failing after 1s
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Vector-index dimension audit (#1947) (push) Failing after 0s
V3 CI/CD Pipeline / Hook-command install safety (#1921) (push) Failing after 1s
V3 CI/CD Pipeline / ToolOutputGuardrail smoke (ADR-131, (push) Failing after 1s
V3 CI/CD Pipeline / init-bundle invariants smoke (#2095, ADR-128 Phase 5) (push) Failing after 1s
V3 CI/CD Pipeline / wasm provider bridge smoke (ADR-129 P1) (push) Failing after 2s
V3 CI/CD Pipeline / wasm gallery CRUD smoke (ADR-129 P3) (push) Failing after 1s
V3 CI/CD Pipeline / wasm plugin bridge smoke (ADR-129 P4) (push) Failing after 0s
V3 CI/CD Pipeline / wasm compose smoke (ADR-129 P2) (push) Failing after 4s
V3 CI/CD Pipeline / graph schema smoke (ADR-130 P1) (push) Failing after 0s
Validate Marketplace / validate (push) Failing after 1s
🔍 Verification Pipeline / 🚀 Setup Verification (push) Failing after 1s
🔍 Verification Pipeline / 🛡️ Security Verification (push) Has been skipped
🔍 Verification Pipeline / 📝 Code Quality (push) Has been skipped
🔍 Verification Pipeline / 🧪 Test Verification (${{ matrix.os }}, Node ${{ matrix.node }}) (push) Has been skipped
🔍 Verification Pipeline / 🏗️ Build Verification (push) Has been skipped
🔍 Verification Pipeline / 📚 Documentation Verification (push) Has been skipped
CVE Audit Gate / High-severity report (warn only) (push) Has been cancelled
🔄 Automated Rollback Manager / 🔄 Execute Rollback (push) Has been cancelled
🔄 Automated Rollback Manager / ✅ Post-Rollback Verification (push) Has been cancelled
🔄 Automated Rollback Manager / 📊 Rollback Monitoring (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / windows-latest (push) Has been cancelled
🔄 Automated Rollback Manager / ⏳ Manual Rollback Approval (push) Has been cancelled
V3 CI/CD Pipeline / MCP protocol smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Memory import smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / ubuntu-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Publish to npm (alpha) (push) Has been cancelled
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / macos-latest / Node 22 (push) Has been cancelled
V3 CI/CD Pipeline / Plugin hooks smoke / macos-latest / Node 22 (push) Has been cancelled
CI/CD Pipeline / Deploy & Release (push) Has been cancelled
CI/CD Pipeline / CI Status (push) Has been cancelled
🔗 Cross-Agent Integration Tests / 📊 Integration Test Report (push) Has been cancelled
🔄 Automated Rollback Manager / 🔍 Pre-Rollback Validation (push) Has been cancelled
🔍 Verification Pipeline / ⚡ Performance Verification (push) Has been cancelled
🔍 Verification Pipeline / 📊 Verification Report (push) Has been cancelled
675 lines
18 KiB
TypeScript
675 lines
18 KiB
TypeScript
/**
|
|
* V3 Claude-Flow Security Compliance Acceptance Tests
|
|
*
|
|
* Acceptance tests for security requirements
|
|
* Tests CVE prevention and security compliance
|
|
*/
|
|
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
|
import { createMock, type MockedInterface } from '../helpers/create-mock';
|
|
import { securityConfigs } from '../fixtures/configurations';
|
|
|
|
/**
|
|
* Security compliance checker interface
|
|
*/
|
|
interface ISecurityComplianceChecker {
|
|
checkPathTraversal(path: string): ComplianceResult;
|
|
checkCommandInjection(command: string, args: string[]): ComplianceResult;
|
|
checkNullByteInjection(input: string): ComplianceResult;
|
|
checkPasswordPolicy(password: string): ComplianceResult;
|
|
runFullAudit(): Promise<AuditResult>;
|
|
}
|
|
|
|
/**
|
|
* CVE scanner interface
|
|
*/
|
|
interface ICVEScanner {
|
|
scan(code: string): Promise<CVEScanResult>;
|
|
getKnownCVEs(): CVEInfo[];
|
|
validateFix(cveId: string): Promise<boolean>;
|
|
}
|
|
|
|
/**
|
|
* Security policy enforcer interface
|
|
*/
|
|
interface ISecurityPolicyEnforcer {
|
|
enforcePathPolicy(path: string): EnforcementResult;
|
|
enforceCommandPolicy(command: string): EnforcementResult;
|
|
enforceInputPolicy(input: string): EnforcementResult;
|
|
getViolations(): PolicyViolation[];
|
|
}
|
|
|
|
interface ComplianceResult {
|
|
compliant: boolean;
|
|
violations: string[];
|
|
severity: 'critical' | 'high' | 'medium' | 'low' | 'none';
|
|
recommendations: string[];
|
|
}
|
|
|
|
interface AuditResult {
|
|
passed: boolean;
|
|
checks: AuditCheck[];
|
|
overallScore: number;
|
|
timestamp: Date;
|
|
}
|
|
|
|
interface AuditCheck {
|
|
name: string;
|
|
passed: boolean;
|
|
details: string;
|
|
}
|
|
|
|
interface CVEScanResult {
|
|
vulnerabilities: CVEInfo[];
|
|
riskScore: number;
|
|
remediation: string[];
|
|
}
|
|
|
|
interface CVEInfo {
|
|
id: string;
|
|
severity: 'critical' | 'high' | 'medium' | 'low';
|
|
description: string;
|
|
affectedVersions: string[];
|
|
fixedIn?: string;
|
|
}
|
|
|
|
interface EnforcementResult {
|
|
allowed: boolean;
|
|
reason?: string;
|
|
sanitized?: string;
|
|
}
|
|
|
|
interface PolicyViolation {
|
|
type: string;
|
|
input: string;
|
|
timestamp: Date;
|
|
severity: string;
|
|
}
|
|
|
|
/**
|
|
* Security compliance checker implementation
|
|
*/
|
|
class SecurityComplianceChecker implements ISecurityComplianceChecker {
|
|
constructor(private readonly config: typeof securityConfigs.strict) {}
|
|
|
|
checkPathTraversal(path: string): ComplianceResult {
|
|
const violations: string[] = [];
|
|
const recommendations: string[] = [];
|
|
|
|
// Check for directory traversal patterns
|
|
const traversalPatterns = ['../', '..\\', '%2e%2e%2f', '%2e%2e/'];
|
|
for (const pattern of traversalPatterns) {
|
|
if (path.toLowerCase().includes(pattern.toLowerCase())) {
|
|
violations.push(`Path contains traversal pattern: ${pattern}`);
|
|
}
|
|
}
|
|
|
|
// Check for blocked patterns from config
|
|
for (const pattern of this.config.paths.blockedPatterns) {
|
|
if (path.includes(pattern)) {
|
|
violations.push(`Path contains blocked pattern: ${pattern}`);
|
|
}
|
|
}
|
|
|
|
// Check for null bytes
|
|
if (path.includes('\0')) {
|
|
violations.push('Path contains null byte');
|
|
}
|
|
|
|
if (violations.length > 0) {
|
|
recommendations.push('Sanitize path input');
|
|
recommendations.push('Use allowlist for valid paths');
|
|
recommendations.push('Validate against allowed directories');
|
|
}
|
|
|
|
return {
|
|
compliant: violations.length === 0,
|
|
violations,
|
|
severity: violations.length > 0 ? 'critical' : 'none',
|
|
recommendations,
|
|
};
|
|
}
|
|
|
|
checkCommandInjection(command: string, args: string[]): ComplianceResult {
|
|
const violations: string[] = [];
|
|
const recommendations: string[] = [];
|
|
|
|
// Check base command
|
|
const baseCommand = command.split(' ')[0];
|
|
if (this.config.execution.blockedCommands.includes(baseCommand)) {
|
|
violations.push(`Command "${baseCommand}" is blocked`);
|
|
}
|
|
|
|
if (!this.config.execution.allowedCommands.includes(baseCommand)) {
|
|
violations.push(`Command "${baseCommand}" is not in allowlist`);
|
|
}
|
|
|
|
// Check for injection patterns in args
|
|
const injectionPatterns = [';', '|', '&', '`', '$', '(', ')', '<', '>', '\n'];
|
|
for (const arg of args) {
|
|
for (const pattern of injectionPatterns) {
|
|
if (arg.includes(pattern)) {
|
|
violations.push(`Argument contains injection pattern: ${pattern}`);
|
|
}
|
|
}
|
|
}
|
|
|
|
if (violations.length > 0) {
|
|
recommendations.push('Sanitize command arguments');
|
|
recommendations.push('Use allowlist for commands');
|
|
recommendations.push('Disable shell execution');
|
|
}
|
|
|
|
return {
|
|
compliant: violations.length === 0,
|
|
violations,
|
|
severity: violations.length > 0 ? 'critical' : 'none',
|
|
recommendations,
|
|
};
|
|
}
|
|
|
|
checkNullByteInjection(input: string): ComplianceResult {
|
|
const violations: string[] = [];
|
|
|
|
if (input.includes('\0')) {
|
|
violations.push('Input contains null byte');
|
|
}
|
|
|
|
// Check for encoded null bytes
|
|
if (input.includes('%00')) {
|
|
violations.push('Input contains URL-encoded null byte');
|
|
}
|
|
|
|
return {
|
|
compliant: violations.length === 0,
|
|
violations,
|
|
severity: violations.length > 0 ? 'high' : 'none',
|
|
recommendations: violations.length > 0 ? ['Strip null bytes from input'] : [],
|
|
};
|
|
}
|
|
|
|
checkPasswordPolicy(password: string): ComplianceResult {
|
|
const violations: string[] = [];
|
|
|
|
if (password.length < 8) {
|
|
violations.push('Password must be at least 8 characters');
|
|
}
|
|
|
|
if (!/[A-Z]/.test(password)) {
|
|
violations.push('Password must contain uppercase letter');
|
|
}
|
|
|
|
if (!/[a-z]/.test(password)) {
|
|
violations.push('Password must contain lowercase letter');
|
|
}
|
|
|
|
if (!/[0-9]/.test(password)) {
|
|
violations.push('Password must contain number');
|
|
}
|
|
|
|
if (!/[!@#$%^&*]/.test(password)) {
|
|
violations.push('Password should contain special character');
|
|
}
|
|
|
|
return {
|
|
compliant: violations.length === 0,
|
|
violations,
|
|
severity: violations.length > 2 ? 'high' : violations.length > 0 ? 'medium' : 'none',
|
|
recommendations: ['Use a password manager', 'Enable MFA'],
|
|
};
|
|
}
|
|
|
|
async runFullAudit(): Promise<AuditResult> {
|
|
const checks: AuditCheck[] = [
|
|
{
|
|
name: 'Path Traversal Protection',
|
|
passed: this.config.paths.blockedPatterns.includes('../'),
|
|
details: 'Verified blocked patterns include directory traversal',
|
|
},
|
|
{
|
|
name: 'Command Injection Protection',
|
|
passed: this.config.execution.shell === false,
|
|
details: 'Shell execution is disabled',
|
|
},
|
|
{
|
|
name: 'Dangerous Commands Blocked',
|
|
passed: this.config.execution.blockedCommands.includes('rm'),
|
|
details: 'Verified dangerous commands are blocked',
|
|
},
|
|
{
|
|
name: 'Secure Hashing Algorithm',
|
|
passed: this.config.hashing.algorithm === 'argon2',
|
|
details: 'Using recommended hashing algorithm',
|
|
},
|
|
{
|
|
name: 'Input Size Limit',
|
|
passed: this.config.validation.maxInputSize <= 10000,
|
|
details: 'Input size is properly limited',
|
|
},
|
|
];
|
|
|
|
const passed = checks.every((c) => c.passed);
|
|
const overallScore = (checks.filter((c) => c.passed).length / checks.length) * 100;
|
|
|
|
return {
|
|
passed,
|
|
checks,
|
|
overallScore,
|
|
timestamp: new Date(),
|
|
};
|
|
}
|
|
}
|
|
|
|
describe('Security Compliance Acceptance', () => {
|
|
let complianceChecker: SecurityComplianceChecker;
|
|
let mockCVEScanner: MockedInterface<ICVEScanner>;
|
|
let mockPolicyEnforcer: MockedInterface<ISecurityPolicyEnforcer>;
|
|
|
|
beforeEach(() => {
|
|
complianceChecker = new SecurityComplianceChecker(securityConfigs.strict);
|
|
mockCVEScanner = createMock<ICVEScanner>();
|
|
mockPolicyEnforcer = createMock<ISecurityPolicyEnforcer>();
|
|
|
|
// Configure CVE scanner mock
|
|
mockCVEScanner.getKnownCVEs.mockReturnValue([
|
|
{
|
|
id: 'CVE-1',
|
|
severity: 'critical',
|
|
description: 'Directory traversal vulnerability',
|
|
affectedVersions: ['<3.0.0'],
|
|
fixedIn: '3.0.0',
|
|
},
|
|
{
|
|
id: 'CVE-2',
|
|
severity: 'critical',
|
|
description: 'Absolute path injection vulnerability',
|
|
affectedVersions: ['<3.0.0'],
|
|
fixedIn: '3.0.0',
|
|
},
|
|
{
|
|
id: 'CVE-3',
|
|
severity: 'critical',
|
|
description: 'Command injection vulnerability',
|
|
affectedVersions: ['<3.0.0'],
|
|
fixedIn: '3.0.0',
|
|
},
|
|
]);
|
|
|
|
mockCVEScanner.validateFix.mockResolvedValue(true);
|
|
mockCVEScanner.scan.mockResolvedValue({
|
|
vulnerabilities: [],
|
|
riskScore: 0,
|
|
remediation: [],
|
|
});
|
|
|
|
// Configure policy enforcer mock
|
|
mockPolicyEnforcer.enforcePathPolicy.mockImplementation((path) => ({
|
|
allowed: !path.includes('../'),
|
|
reason: path.includes('../') ? 'Path traversal detected' : undefined,
|
|
}));
|
|
mockPolicyEnforcer.enforceCommandPolicy.mockImplementation((cmd) => ({
|
|
allowed: securityConfigs.strict.execution.allowedCommands.includes(cmd.split(' ')[0]),
|
|
}));
|
|
mockPolicyEnforcer.getViolations.mockReturnValue([]);
|
|
});
|
|
|
|
describe('CVE-1: Directory Traversal Prevention', () => {
|
|
it('should detect basic directory traversal', () => {
|
|
// Given
|
|
const maliciousPath = '../../../etc/passwd';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPathTraversal(maliciousPath);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
expect(result.severity).toBe('critical');
|
|
expect(result.violations).toContainEqual(expect.stringContaining('../'));
|
|
});
|
|
|
|
it('should detect Windows-style traversal', () => {
|
|
// Given
|
|
const maliciousPath = '..\\..\\..\\Windows\\System32';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPathTraversal(maliciousPath);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
});
|
|
|
|
it('should detect URL-encoded traversal', () => {
|
|
// Given
|
|
const maliciousPath = '%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPathTraversal(maliciousPath);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
});
|
|
|
|
it('should allow safe paths', () => {
|
|
// Given
|
|
const safePath = './v3/src/security/index.ts';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPathTraversal(safePath);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(true);
|
|
expect(result.severity).toBe('none');
|
|
});
|
|
|
|
it('should validate CVE-1 fix', async () => {
|
|
// When
|
|
const isFixed = await mockCVEScanner.validateFix('CVE-1');
|
|
|
|
// Then
|
|
expect(isFixed).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('CVE-2: Absolute Path Injection Prevention', () => {
|
|
it('should detect /etc/ access attempts', () => {
|
|
// Given
|
|
const maliciousPath = '/etc/passwd';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPathTraversal(maliciousPath);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
expect(result.violations).toContainEqual(expect.stringContaining('/etc/'));
|
|
});
|
|
|
|
it('should detect /tmp/ access attempts', () => {
|
|
// Given
|
|
const maliciousPath = '/tmp/malicious.sh';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPathTraversal(maliciousPath);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
});
|
|
|
|
it('should detect home directory access attempts', () => {
|
|
// Given
|
|
const maliciousPath = '~/.ssh/id_rsa';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPathTraversal(maliciousPath);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
});
|
|
|
|
it('should validate CVE-2 fix', async () => {
|
|
// When
|
|
const isFixed = await mockCVEScanner.validateFix('CVE-2');
|
|
|
|
// Then
|
|
expect(isFixed).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('CVE-3: Command Injection Prevention', () => {
|
|
it('should detect semicolon injection', () => {
|
|
// Given
|
|
const command = 'npm';
|
|
const args = ['install; rm -rf /'];
|
|
|
|
// When
|
|
const result = complianceChecker.checkCommandInjection(command, args);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
expect(result.violations).toContainEqual(expect.stringContaining(';'));
|
|
});
|
|
|
|
it('should detect pipe injection', () => {
|
|
// Given
|
|
const command = 'npm';
|
|
const args = ['install | cat /etc/passwd'];
|
|
|
|
// When
|
|
const result = complianceChecker.checkCommandInjection(command, args);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
});
|
|
|
|
it('should detect command substitution', () => {
|
|
// Given
|
|
const command = 'npm';
|
|
const args = ['install $(whoami)'];
|
|
|
|
// When
|
|
const result = complianceChecker.checkCommandInjection(command, args);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
});
|
|
|
|
it('should detect backtick execution', () => {
|
|
// Given
|
|
const command = 'npm';
|
|
const args = ['install `rm -rf /`'];
|
|
|
|
// When
|
|
const result = complianceChecker.checkCommandInjection(command, args);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
});
|
|
|
|
it('should block dangerous commands', () => {
|
|
// Given
|
|
const command = 'rm';
|
|
const args = ['-rf', '/'];
|
|
|
|
// When
|
|
const result = complianceChecker.checkCommandInjection(command, args);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
expect(result.violations).toContainEqual(expect.stringContaining('rm'));
|
|
});
|
|
|
|
it('should allow safe commands', () => {
|
|
// Given
|
|
const command = 'npm';
|
|
const args = ['install', '--save', 'lodash'];
|
|
|
|
// When
|
|
const result = complianceChecker.checkCommandInjection(command, args);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(true);
|
|
});
|
|
|
|
it('should validate CVE-3 fix', async () => {
|
|
// When
|
|
const isFixed = await mockCVEScanner.validateFix('CVE-3');
|
|
|
|
// Then
|
|
expect(isFixed).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('Null Byte Injection Prevention', () => {
|
|
it('should detect null byte in path', () => {
|
|
// Given
|
|
const input = 'file.txt\0.exe';
|
|
|
|
// When
|
|
const result = complianceChecker.checkNullByteInjection(input);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
expect(result.severity).toBe('high');
|
|
});
|
|
|
|
it('should detect URL-encoded null byte', () => {
|
|
// Given
|
|
const input = 'file.txt%00.exe';
|
|
|
|
// When
|
|
const result = complianceChecker.checkNullByteInjection(input);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
});
|
|
|
|
it('should allow clean input', () => {
|
|
// Given
|
|
const input = 'file.txt';
|
|
|
|
// When
|
|
const result = complianceChecker.checkNullByteInjection(input);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('Password Policy Compliance', () => {
|
|
it('should require minimum length', () => {
|
|
// Given
|
|
const weakPassword = 'Short1!';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPasswordPolicy(weakPassword);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(false);
|
|
expect(result.violations).toContainEqual(expect.stringContaining('8 characters'));
|
|
});
|
|
|
|
it('should require uppercase letter', () => {
|
|
// Given
|
|
const noUpper = 'password123!';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPasswordPolicy(noUpper);
|
|
|
|
// Then
|
|
expect(result.violations).toContainEqual(expect.stringContaining('uppercase'));
|
|
});
|
|
|
|
it('should require lowercase letter', () => {
|
|
// Given
|
|
const noLower = 'PASSWORD123!';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPasswordPolicy(noLower);
|
|
|
|
// Then
|
|
expect(result.violations).toContainEqual(expect.stringContaining('lowercase'));
|
|
});
|
|
|
|
it('should require number', () => {
|
|
// Given
|
|
const noNumber = 'Password!!';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPasswordPolicy(noNumber);
|
|
|
|
// Then
|
|
expect(result.violations).toContainEqual(expect.stringContaining('number'));
|
|
});
|
|
|
|
it('should accept strong password', () => {
|
|
// Given
|
|
const strongPassword = 'SecureP@ss123!';
|
|
|
|
// When
|
|
const result = complianceChecker.checkPasswordPolicy(strongPassword);
|
|
|
|
// Then
|
|
expect(result.compliant).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('Full Security Audit', () => {
|
|
it('should pass full audit with strict config', async () => {
|
|
// When
|
|
const audit = await complianceChecker.runFullAudit();
|
|
|
|
// Then
|
|
expect(audit.passed).toBe(true);
|
|
expect(audit.overallScore).toBe(100);
|
|
});
|
|
|
|
it('should verify all security checks pass', async () => {
|
|
// When
|
|
const audit = await complianceChecker.runFullAudit();
|
|
|
|
// Then
|
|
for (const check of audit.checks) {
|
|
expect(check.passed).toBe(true);
|
|
}
|
|
});
|
|
|
|
it('should verify path traversal protection is enabled', async () => {
|
|
// When
|
|
const audit = await complianceChecker.runFullAudit();
|
|
|
|
// Then
|
|
const pathCheck = audit.checks.find((c) => c.name === 'Path Traversal Protection');
|
|
expect(pathCheck?.passed).toBe(true);
|
|
});
|
|
|
|
it('should verify shell execution is disabled', async () => {
|
|
// When
|
|
const audit = await complianceChecker.runFullAudit();
|
|
|
|
// Then
|
|
const shellCheck = audit.checks.find((c) => c.name === 'Command Injection Protection');
|
|
expect(shellCheck?.passed).toBe(true);
|
|
});
|
|
|
|
it('should verify secure hashing is configured', async () => {
|
|
// When
|
|
const audit = await complianceChecker.runFullAudit();
|
|
|
|
// Then
|
|
const hashCheck = audit.checks.find((c) => c.name === 'Secure Hashing Algorithm');
|
|
expect(hashCheck?.passed).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('Security Configuration Compliance', () => {
|
|
it('should have 95% security test coverage target', () => {
|
|
// Given
|
|
const securityCoverageTarget = 0.95;
|
|
|
|
// Then
|
|
expect(securityCoverageTarget).toBe(0.95);
|
|
});
|
|
|
|
it('should use argon2 for password hashing', () => {
|
|
// Then
|
|
expect(securityConfigs.strict.hashing.algorithm).toBe('argon2');
|
|
});
|
|
|
|
it('should disable shell execution by default', () => {
|
|
// Then
|
|
expect(securityConfigs.strict.execution.shell).toBe(false);
|
|
});
|
|
|
|
it('should block all dangerous commands', () => {
|
|
// Then
|
|
expect(securityConfigs.strict.execution.blockedCommands).toContain('rm');
|
|
expect(securityConfigs.strict.execution.blockedCommands).toContain('del');
|
|
expect(securityConfigs.strict.execution.blockedCommands).toContain('format');
|
|
expect(securityConfigs.strict.execution.blockedCommands).toContain('dd');
|
|
});
|
|
|
|
it('should have limited allowed commands', () => {
|
|
// Then
|
|
expect(securityConfigs.strict.execution.allowedCommands).toEqual(['npm', 'node', 'git']);
|
|
});
|
|
});
|
|
});
|