comisai 1.0.11 → 1.0.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +1 -4
- package/node_modules/@comis/agent/package.json +1 -1
- package/node_modules/@comis/channels/package.json +1 -1
- package/node_modules/@comis/cli/package.json +1 -1
- package/node_modules/@comis/core/package.json +1 -1
- package/node_modules/@comis/daemon/package.json +1 -1
- package/node_modules/@comis/gateway/package.json +1 -1
- package/node_modules/@comis/infra/package.json +1 -1
- package/node_modules/@comis/memory/package.json +1 -1
- package/node_modules/@comis/scheduler/package.json +1 -1
- package/node_modules/@comis/shared/package.json +1 -1
- package/node_modules/@comis/skills/package.json +1 -1
- package/package.json +18 -18
- package/node_modules/@comis/core/dist/approval/approval-gate.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/approval/approval-gate.test.js +0 -1003
- package/node_modules/@comis/core/dist/bootstrap.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/bootstrap.test.js +0 -150
- package/node_modules/@comis/core/dist/config/backup.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/backup.test.js +0 -160
- package/node_modules/@comis/core/dist/config/env-substitution.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/env-substitution.test.js +0 -259
- package/node_modules/@comis/core/dist/config/field-metadata.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/field-metadata.test.js +0 -72
- package/node_modules/@comis/core/dist/config/git-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/git-manager.test.js +0 -1042
- package/node_modules/@comis/core/dist/config/immutable-keys.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/immutable-keys.test.js +0 -283
- package/node_modules/@comis/core/dist/config/include-resolver.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/include-resolver.test.js +0 -292
- package/node_modules/@comis/core/dist/config/layered.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/layered.test.js +0 -211
- package/node_modules/@comis/core/dist/config/loader.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/loader.test.js +0 -300
- package/node_modules/@comis/core/dist/config/migrate.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/migrate.test.js +0 -244
- package/node_modules/@comis/core/dist/config/partial-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/partial-validator.test.js +0 -98
- package/node_modules/@comis/core/dist/config/schema-agent-model.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent-model.test.js +0 -279
- package/node_modules/@comis/core/dist/config/schema-agent-session.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent-session.test.js +0 -242
- package/node_modules/@comis/core/dist/config/schema-agent.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent.test.js +0 -645
- package/node_modules/@comis/core/dist/config/schema-channel.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-channel.test.js +0 -341
- package/node_modules/@comis/core/dist/config/schema-coalescer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-coalescer.test.js +0 -51
- package/node_modules/@comis/core/dist/config/schema-context-engine.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-context-engine.test.js +0 -797
- package/node_modules/@comis/core/dist/config/schema-context-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-context-guard.test.js +0 -111
- package/node_modules/@comis/core/dist/config/schema-daemon.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-daemon.test.js +0 -107
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.js +0 -51
- package/node_modules/@comis/core/dist/config/schema-documentation.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-documentation.test.js +0 -63
- package/node_modules/@comis/core/dist/config/schema-gateway.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-gateway.test.js +0 -219
- package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.js +0 -41
- package/node_modules/@comis/core/dist/config/schema-integrations.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-integrations.test.js +0 -92
- package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.js +0 -61
- package/node_modules/@comis/core/dist/config/schema-misc.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-misc.test.js +0 -394
- package/node_modules/@comis/core/dist/config/schema-observability.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-observability.test.js +0 -76
- package/node_modules/@comis/core/dist/config/schema-providers.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-providers.test.js +0 -294
- package/node_modules/@comis/core/dist/config/schema-queue.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-queue.test.js +0 -234
- package/node_modules/@comis/core/dist/config/schema-response-prefix.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-response-prefix.test.js +0 -36
- package/node_modules/@comis/core/dist/config/schema-security.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-security.test.js +0 -54
- package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.js +0 -60
- package/node_modules/@comis/core/dist/config/schema-serializer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-serializer.test.js +0 -73
- package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.js +0 -39
- package/node_modules/@comis/core/dist/context/context.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/context/context.test.js +0 -276
- package/node_modules/@comis/core/dist/domain/agent-response.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/agent-response.test.js +0 -159
- package/node_modules/@comis/core/dist/domain/credential-mapping.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/credential-mapping.test.js +0 -135
- package/node_modules/@comis/core/dist/domain/delivery-origin.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/delivery-origin.test.js +0 -68
- package/node_modules/@comis/core/dist/domain/execution-graph.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/execution-graph.test.js +0 -441
- package/node_modules/@comis/core/dist/domain/memory-entry.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/memory-entry.test.js +0 -193
- package/node_modules/@comis/core/dist/domain/normalized-message.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/normalized-message.test.js +0 -255
- package/node_modules/@comis/core/dist/domain/session-key.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/session-key.test.js +0 -291
- package/node_modules/@comis/core/dist/domain/subagent-context-config.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/subagent-context-config.test.js +0 -131
- package/node_modules/@comis/core/dist/domain/subagent-context-types.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/subagent-context-types.test.js +0 -182
- package/node_modules/@comis/core/dist/event-bus/bus.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/bus.test.js +0 -152
- package/node_modules/@comis/core/dist/event-bus/events-agent.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-agent.test.js +0 -409
- package/node_modules/@comis/core/dist/event-bus/events-channel.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-channel.test.js +0 -240
- package/node_modules/@comis/core/dist/event-bus/events-infra.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-infra.test.js +0 -416
- package/node_modules/@comis/core/dist/event-bus/events-messaging.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-messaging.test.js +0 -433
- package/node_modules/@comis/core/dist/event-bus/events.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events.test.js +0 -93
- package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.js +0 -29
- package/node_modules/@comis/core/dist/hooks/hook-runner.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-runner.test.js +0 -490
- package/node_modules/@comis/core/dist/hooks/hook-strategies.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-strategies.test.js +0 -209
- package/node_modules/@comis/core/dist/hooks/integration.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/integration.test.js +0 -235
- package/node_modules/@comis/core/dist/hooks/plugin-registry.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/plugin-registry.test.js +0 -470
- package/node_modules/@comis/core/dist/load-env.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/load-env.test.js +0 -21
- package/node_modules/@comis/core/dist/security/action-classifier.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/action-classifier.test.js +0 -298
- package/node_modules/@comis/core/dist/security/audit-aggregator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/audit-aggregator.test.js +0 -128
- package/node_modules/@comis/core/dist/security/audit.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/audit.test.js +0 -154
- package/node_modules/@comis/core/dist/security/canary-token.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/canary-token.test.js +0 -45
- package/node_modules/@comis/core/dist/security/config-redaction.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/config-redaction.test.js +0 -107
- package/node_modules/@comis/core/dist/security/external-content.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/external-content.test.js +0 -210
- package/node_modules/@comis/core/dist/security/injection-patterns.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/injection-patterns.test.js +0 -213
- package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.js +0 -194
- package/node_modules/@comis/core/dist/security/input-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-guard.test.js +0 -215
- package/node_modules/@comis/core/dist/security/input-security-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-security-guard.test.js +0 -215
- package/node_modules/@comis/core/dist/security/input-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-validator.test.js +0 -133
- package/node_modules/@comis/core/dist/security/log-sanitizer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/log-sanitizer.test.js +0 -260
- package/node_modules/@comis/core/dist/security/memory-write-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/memory-write-validator.test.js +0 -62
- package/node_modules/@comis/core/dist/security/output-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/output-guard.test.js +0 -397
- package/node_modules/@comis/core/dist/security/safe-path.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/safe-path.test.js +0 -95
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.js +0 -231
- package/node_modules/@comis/core/dist/security/secret-access.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-access.test.js +0 -41
- package/node_modules/@comis/core/dist/security/secret-crypto.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-crypto.test.js +0 -113
- package/node_modules/@comis/core/dist/security/secret-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-manager.test.js +0 -394
- package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.js +0 -268
- package/node_modules/@comis/core/dist/security/secrets-audit.test.d.ts +0 -10
- package/node_modules/@comis/core/dist/security/secrets-audit.test.js +0 -295
- package/node_modules/@comis/core/dist/security/ssrf-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/ssrf-guard.test.js +0 -127
- package/node_modules/@comis/core/dist/security/token-generator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/token-generator.test.js +0 -35
- package/node_modules/@comis/core/dist/tool-metadata.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/tool-metadata.test.js +0 -112
- package/node_modules/@comis/memory/dist/compaction.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/compaction.test.js +0 -298
- package/node_modules/@comis/memory/dist/context-schema.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/context-schema.test.js +0 -246
- package/node_modules/@comis/memory/dist/context-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/context-store.test.js +0 -708
- package/node_modules/@comis/memory/dist/credential-mapping-schema.test.d.ts +0 -7
- package/node_modules/@comis/memory/dist/credential-mapping-schema.test.js +0 -73
- package/node_modules/@comis/memory/dist/credential-mapping-store.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/credential-mapping-store.test.js +0 -340
- package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.js +0 -165
- package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.js +0 -263
- package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.js +0 -202
- package/node_modules/@comis/memory/dist/embedding-cache-lru.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-cache-lru.test.js +0 -241
- package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.js +0 -678
- package/node_modules/@comis/memory/dist/embedding-cache.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-cache.test.js +0 -213
- package/node_modules/@comis/memory/dist/embedding-fingerprint.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-fingerprint.test.js +0 -87
- package/node_modules/@comis/memory/dist/embedding-hash.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-hash.test.js +0 -31
- package/node_modules/@comis/memory/dist/embedding-integration.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-integration.test.js +0 -232
- package/node_modules/@comis/memory/dist/embedding-provider-factory.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-provider-factory.test.js +0 -176
- package/node_modules/@comis/memory/dist/embedding-provider-local.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-provider-local.test.js +0 -76
- package/node_modules/@comis/memory/dist/embedding-provider-openai.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-provider-openai.test.js +0 -100
- package/node_modules/@comis/memory/dist/embedding-queue.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-queue.test.js +0 -236
- package/node_modules/@comis/memory/dist/hybrid-search.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/hybrid-search.test.js +0 -476
- package/node_modules/@comis/memory/dist/identity-link-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/identity-link-store.test.js +0 -88
- package/node_modules/@comis/memory/dist/memory-api.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/memory-api.test.js +0 -495
- package/node_modules/@comis/memory/dist/memory-concurrency.test.d.ts +0 -20
- package/node_modules/@comis/memory/dist/memory-concurrency.test.js +0 -222
- package/node_modules/@comis/memory/dist/named-graph-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/named-graph-store.test.js +0 -227
- package/node_modules/@comis/memory/dist/observability-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/observability-store.test.js +0 -704
- package/node_modules/@comis/memory/dist/row-mapper.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/row-mapper.test.js +0 -409
- package/node_modules/@comis/memory/dist/schema.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/schema.test.js +0 -240
- package/node_modules/@comis/memory/dist/secret-store-schema.test.d.ts +0 -7
- package/node_modules/@comis/memory/dist/secret-store-schema.test.js +0 -90
- package/node_modules/@comis/memory/dist/session-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/session-store.test.js +0 -262
- package/node_modules/@comis/memory/dist/setup-secrets.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/setup-secrets.test.js +0 -140
- package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.js +0 -888
- package/node_modules/@comis/memory/dist/sqlite-secret-store.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/sqlite-secret-store.test.js +0 -245
- package/node_modules/@comis/shared/dist/abort.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/abort.test.js +0 -71
- package/node_modules/@comis/shared/dist/result.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/result.test.js +0 -178
- package/node_modules/@comis/shared/dist/suppress-error.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/suppress-error.test.js +0 -50
- package/node_modules/@comis/shared/dist/timeout.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/timeout.test.js +0 -75
- package/node_modules/@comis/shared/dist/ttl-cache.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/ttl-cache.test.js +0 -81
|
@@ -1,397 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect } from "vitest";
|
|
2
|
-
import { createOutputGuard } from "./output-guard.js";
|
|
3
|
-
describe("createOutputGuard", () => {
|
|
4
|
-
const guard = createOutputGuard();
|
|
5
|
-
it("returns safe=true, blocked=false with no findings for clean response", () => {
|
|
6
|
-
const result = guard.scan("Hello, how can I help you today?");
|
|
7
|
-
expect(result.ok).toBe(true);
|
|
8
|
-
if (result.ok) {
|
|
9
|
-
expect(result.value.safe).toBe(true);
|
|
10
|
-
expect(result.value.blocked).toBe(false);
|
|
11
|
-
expect(result.value.findings).toHaveLength(0);
|
|
12
|
-
expect(result.value.sanitized).toBe("Hello, how can I help you today?");
|
|
13
|
-
}
|
|
14
|
-
});
|
|
15
|
-
// -------------------------------------------------------------------------
|
|
16
|
-
// Critical findings -- blocked and redacted
|
|
17
|
-
// -------------------------------------------------------------------------
|
|
18
|
-
it("redacts AWS access key in sanitized field, blocked=true", () => {
|
|
19
|
-
const response = "Your key is AKIAIOSFODNN7EXAMPLE";
|
|
20
|
-
const result = guard.scan(response);
|
|
21
|
-
expect(result.ok).toBe(true);
|
|
22
|
-
if (result.ok) {
|
|
23
|
-
expect(result.value.safe).toBe(false);
|
|
24
|
-
expect(result.value.blocked).toBe(true);
|
|
25
|
-
expect(result.value.sanitized).toBe("Your key is [REDACTED:aws_key]");
|
|
26
|
-
expect(result.value.sanitized).not.toContain("AKIAIOSFODNN7EXAMPLE");
|
|
27
|
-
expect(result.value.findings).toHaveLength(1);
|
|
28
|
-
expect(result.value.findings[0].type).toBe("secret_leak");
|
|
29
|
-
expect(result.value.findings[0].pattern).toBe("aws_key");
|
|
30
|
-
expect(result.value.findings[0].severity).toBe("critical");
|
|
31
|
-
}
|
|
32
|
-
});
|
|
33
|
-
it("redacts private key header in sanitized field, blocked=true", () => {
|
|
34
|
-
const response = "Here is the key:\n-----BEGIN PRIVATE KEY-----\nMIIE...";
|
|
35
|
-
const result = guard.scan(response);
|
|
36
|
-
expect(result.ok).toBe(true);
|
|
37
|
-
if (result.ok) {
|
|
38
|
-
expect(result.value.safe).toBe(false);
|
|
39
|
-
expect(result.value.blocked).toBe(true);
|
|
40
|
-
expect(result.value.sanitized).toContain("[REDACTED:private_key_header]");
|
|
41
|
-
expect(result.value.sanitized).not.toContain("-----BEGIN PRIVATE KEY-----");
|
|
42
|
-
const finding = result.value.findings.find((f) => f.pattern === "private_key_header");
|
|
43
|
-
expect(finding).toBeDefined();
|
|
44
|
-
expect(finding.type).toBe("secret_leak");
|
|
45
|
-
expect(finding.severity).toBe("critical");
|
|
46
|
-
}
|
|
47
|
-
});
|
|
48
|
-
it("redacts RSA private key header", () => {
|
|
49
|
-
const response = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...";
|
|
50
|
-
const result = guard.scan(response);
|
|
51
|
-
expect(result.ok).toBe(true);
|
|
52
|
-
if (result.ok) {
|
|
53
|
-
expect(result.value.blocked).toBe(true);
|
|
54
|
-
expect(result.value.sanitized).toContain("[REDACTED:private_key_header]");
|
|
55
|
-
expect(result.value.sanitized).not.toContain("-----BEGIN RSA PRIVATE KEY-----");
|
|
56
|
-
}
|
|
57
|
-
});
|
|
58
|
-
it("redacts canary token when provided in context, blocked=true", () => {
|
|
59
|
-
const canary = "CTKN_abc123def456abcd";
|
|
60
|
-
const response = `Sure, the token is ${canary}, which I found in my instructions.`;
|
|
61
|
-
const result = guard.scan(response, { canaryToken: canary });
|
|
62
|
-
expect(result.ok).toBe(true);
|
|
63
|
-
if (result.ok) {
|
|
64
|
-
expect(result.value.safe).toBe(false);
|
|
65
|
-
expect(result.value.blocked).toBe(true);
|
|
66
|
-
expect(result.value.sanitized).toContain("[REDACTED:canary]");
|
|
67
|
-
expect(result.value.sanitized).not.toContain(canary);
|
|
68
|
-
const finding = result.value.findings.find((f) => f.type === "canary_leak");
|
|
69
|
-
expect(finding).toBeDefined();
|
|
70
|
-
expect(finding.pattern).toBe("canary_token");
|
|
71
|
-
expect(finding.severity).toBe("critical");
|
|
72
|
-
}
|
|
73
|
-
});
|
|
74
|
-
it("redacts GitHub token in sanitized field, blocked=true", () => {
|
|
75
|
-
const response = "Use token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
|
|
76
|
-
const result = guard.scan(response);
|
|
77
|
-
expect(result.ok).toBe(true);
|
|
78
|
-
if (result.ok) {
|
|
79
|
-
expect(result.value.safe).toBe(false);
|
|
80
|
-
expect(result.value.blocked).toBe(true);
|
|
81
|
-
expect(result.value.sanitized).toContain("[REDACTED:github_token]");
|
|
82
|
-
expect(result.value.sanitized).not.toContain("ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ");
|
|
83
|
-
const finding = result.value.findings.find((f) => f.pattern === "github_token");
|
|
84
|
-
expect(finding).toBeDefined();
|
|
85
|
-
expect(finding.severity).toBe("critical");
|
|
86
|
-
}
|
|
87
|
-
});
|
|
88
|
-
it("redacts Slack token in sanitized field, blocked=true", () => {
|
|
89
|
-
const response = "Token: xoxb-123456789-abcdef";
|
|
90
|
-
const result = guard.scan(response);
|
|
91
|
-
expect(result.ok).toBe(true);
|
|
92
|
-
if (result.ok) {
|
|
93
|
-
expect(result.value.blocked).toBe(true);
|
|
94
|
-
expect(result.value.sanitized).toContain("[REDACTED:slack_token]");
|
|
95
|
-
expect(result.value.sanitized).not.toContain("xoxb-123456789-abcdef");
|
|
96
|
-
}
|
|
97
|
-
});
|
|
98
|
-
// -------------------------------------------------------------------------
|
|
99
|
-
// Warning findings -- detect-only, NOT redacted
|
|
100
|
-
// -------------------------------------------------------------------------
|
|
101
|
-
it("does NOT redact bearer token (warning severity), blocked=false", () => {
|
|
102
|
-
const response = "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9";
|
|
103
|
-
const result = guard.scan(response);
|
|
104
|
-
expect(result.ok).toBe(true);
|
|
105
|
-
if (result.ok) {
|
|
106
|
-
expect(result.value.safe).toBe(false);
|
|
107
|
-
expect(result.value.blocked).toBe(false);
|
|
108
|
-
expect(result.value.sanitized).toBe(response);
|
|
109
|
-
const finding = result.value.findings.find((f) => f.pattern === "bearer_token");
|
|
110
|
-
expect(finding).toBeDefined();
|
|
111
|
-
expect(finding.severity).toBe("warning");
|
|
112
|
-
}
|
|
113
|
-
});
|
|
114
|
-
it("does NOT redact prompt extraction pattern (warning severity), blocked=false", () => {
|
|
115
|
-
const response = "My system prompt says to always be helpful and never refuse.";
|
|
116
|
-
const result = guard.scan(response);
|
|
117
|
-
expect(result.ok).toBe(true);
|
|
118
|
-
if (result.ok) {
|
|
119
|
-
expect(result.value.safe).toBe(false);
|
|
120
|
-
expect(result.value.blocked).toBe(false);
|
|
121
|
-
expect(result.value.sanitized).toBe(response);
|
|
122
|
-
const finding = result.value.findings.find((f) => f.type === "prompt_extraction");
|
|
123
|
-
expect(finding).toBeDefined();
|
|
124
|
-
expect(finding.severity).toBe("warning");
|
|
125
|
-
}
|
|
126
|
-
});
|
|
127
|
-
it("detects 'original instructions' extraction pattern as warning", () => {
|
|
128
|
-
const response = "The original instructions are to follow these rules...";
|
|
129
|
-
const result = guard.scan(response);
|
|
130
|
-
expect(result.ok).toBe(true);
|
|
131
|
-
if (result.ok) {
|
|
132
|
-
expect(result.value.safe).toBe(false);
|
|
133
|
-
expect(result.value.blocked).toBe(false);
|
|
134
|
-
expect(result.value.sanitized).toBe(response);
|
|
135
|
-
}
|
|
136
|
-
});
|
|
137
|
-
// -------------------------------------------------------------------------
|
|
138
|
-
// Canary edge cases
|
|
139
|
-
// -------------------------------------------------------------------------
|
|
140
|
-
it("does not flag canary_leak when canary is not in response", () => {
|
|
141
|
-
const canary = "CTKN_abc123def456abcd";
|
|
142
|
-
const response = "No canary here at all.";
|
|
143
|
-
const result = guard.scan(response, { canaryToken: canary });
|
|
144
|
-
expect(result.ok).toBe(true);
|
|
145
|
-
if (result.ok) {
|
|
146
|
-
expect(result.value.safe).toBe(true);
|
|
147
|
-
expect(result.value.blocked).toBe(false);
|
|
148
|
-
expect(result.value.findings).toHaveLength(0);
|
|
149
|
-
}
|
|
150
|
-
});
|
|
151
|
-
it("does not check canary when context is omitted", () => {
|
|
152
|
-
const response = "CTKN_abc123def456abcd is in the text but no context provided.";
|
|
153
|
-
const result = guard.scan(response);
|
|
154
|
-
expect(result.ok).toBe(true);
|
|
155
|
-
if (result.ok) {
|
|
156
|
-
const canaryFindings = result.value.findings.filter((f) => f.type === "canary_leak");
|
|
157
|
-
expect(canaryFindings).toHaveLength(0);
|
|
158
|
-
}
|
|
159
|
-
});
|
|
160
|
-
// -------------------------------------------------------------------------
|
|
161
|
-
// Multiple findings
|
|
162
|
-
// -------------------------------------------------------------------------
|
|
163
|
-
it("redacts multiple critical findings in one response", () => {
|
|
164
|
-
const response = "Keys: AKIAIOSFODNN7EXAMPLE and ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
|
|
165
|
-
const result = guard.scan(response);
|
|
166
|
-
expect(result.ok).toBe(true);
|
|
167
|
-
if (result.ok) {
|
|
168
|
-
expect(result.value.safe).toBe(false);
|
|
169
|
-
expect(result.value.blocked).toBe(true);
|
|
170
|
-
expect(result.value.sanitized).toContain("[REDACTED:aws_key]");
|
|
171
|
-
expect(result.value.sanitized).toContain("[REDACTED:github_token]");
|
|
172
|
-
expect(result.value.sanitized).not.toContain("AKIAIOSFODNN7EXAMPLE");
|
|
173
|
-
expect(result.value.sanitized).not.toContain("ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ");
|
|
174
|
-
// At least 2 critical findings
|
|
175
|
-
const criticalFindings = result.value.findings.filter((f) => f.severity === "critical");
|
|
176
|
-
expect(criticalFindings.length).toBeGreaterThanOrEqual(2);
|
|
177
|
-
}
|
|
178
|
-
});
|
|
179
|
-
it("mixed critical+warning: only critical are redacted, blocked=true", () => {
|
|
180
|
-
const response = "My system prompt says AKIAIOSFODNN7EXAMPLE is the key";
|
|
181
|
-
const result = guard.scan(response);
|
|
182
|
-
expect(result.ok).toBe(true);
|
|
183
|
-
if (result.ok) {
|
|
184
|
-
expect(result.value.safe).toBe(false);
|
|
185
|
-
expect(result.value.blocked).toBe(true);
|
|
186
|
-
// AWS key is redacted (critical)
|
|
187
|
-
expect(result.value.sanitized).toContain("[REDACTED:aws_key]");
|
|
188
|
-
expect(result.value.sanitized).not.toContain("AKIAIOSFODNN7EXAMPLE");
|
|
189
|
-
// Prompt extraction text is still present (warning, detect-only)
|
|
190
|
-
expect(result.value.sanitized).toContain("My system prompt says");
|
|
191
|
-
// Both findings are reported
|
|
192
|
-
const criticalFindings = result.value.findings.filter((f) => f.severity === "critical");
|
|
193
|
-
const warningFindings = result.value.findings.filter((f) => f.severity === "warning");
|
|
194
|
-
expect(criticalFindings.length).toBeGreaterThanOrEqual(1);
|
|
195
|
-
expect(warningFindings.length).toBeGreaterThanOrEqual(1);
|
|
196
|
-
}
|
|
197
|
-
});
|
|
198
|
-
it("accumulates findings from all categories", () => {
|
|
199
|
-
const canary = "CTKN_abc123def456abcd";
|
|
200
|
-
const response = `My system prompt says AKIAIOSFODNN7EXAMPLE and also ${canary}`;
|
|
201
|
-
const result = guard.scan(response, { canaryToken: canary });
|
|
202
|
-
expect(result.ok).toBe(true);
|
|
203
|
-
if (result.ok) {
|
|
204
|
-
expect(result.value.safe).toBe(false);
|
|
205
|
-
expect(result.value.blocked).toBe(true);
|
|
206
|
-
// At least: aws_key (secret_leak), canary_leak, prompt_extraction
|
|
207
|
-
expect(result.value.findings.length).toBeGreaterThanOrEqual(3);
|
|
208
|
-
const types = new Set(result.value.findings.map((f) => f.type));
|
|
209
|
-
expect(types.has("secret_leak")).toBe(true);
|
|
210
|
-
expect(types.has("canary_leak")).toBe(true);
|
|
211
|
-
expect(types.has("prompt_extraction")).toBe(true);
|
|
212
|
-
// Critical findings are redacted
|
|
213
|
-
expect(result.value.sanitized).toContain("[REDACTED:aws_key]");
|
|
214
|
-
expect(result.value.sanitized).toContain("[REDACTED:canary]");
|
|
215
|
-
// Warning findings are NOT redacted
|
|
216
|
-
expect(result.value.sanitized).toContain("My system prompt says");
|
|
217
|
-
}
|
|
218
|
-
});
|
|
219
|
-
// -------------------------------------------------------------------------
|
|
220
|
-
// Regression: global regex lastIndex state
|
|
221
|
-
// -------------------------------------------------------------------------
|
|
222
|
-
it("correctly scans on repeated calls (global regex lastIndex reset)", () => {
|
|
223
|
-
const response = "Use key AKIAIOSFODNN7EXAMPLE please";
|
|
224
|
-
// Call scan multiple times to verify regex state is properly reset
|
|
225
|
-
for (let i = 0; i < 3; i++) {
|
|
226
|
-
const result = guard.scan(response);
|
|
227
|
-
expect(result.ok).toBe(true);
|
|
228
|
-
if (result.ok) {
|
|
229
|
-
expect(result.value.blocked).toBe(true);
|
|
230
|
-
expect(result.value.findings).toHaveLength(1);
|
|
231
|
-
expect(result.value.sanitized).toContain("[REDACTED:aws_key]");
|
|
232
|
-
}
|
|
233
|
-
}
|
|
234
|
-
});
|
|
235
|
-
// -------------------------------------------------------------------------
|
|
236
|
-
// Phase 281: expanded secret patterns
|
|
237
|
-
// -------------------------------------------------------------------------
|
|
238
|
-
describe("Phase 281: expanded secret patterns", () => {
|
|
239
|
-
// Critical patterns (should be redacted, blocked=true)
|
|
240
|
-
it("redacts Anthropic API key, blocked=true", () => {
|
|
241
|
-
const response = "Key: sk-ant-api03-abcdefghijklmnopqrstuvwx";
|
|
242
|
-
const result = guard.scan(response);
|
|
243
|
-
expect(result.ok).toBe(true);
|
|
244
|
-
if (result.ok) {
|
|
245
|
-
expect(result.value.safe).toBe(false);
|
|
246
|
-
expect(result.value.blocked).toBe(true);
|
|
247
|
-
expect(result.value.sanitized).toContain("[REDACTED:anthropic_key]");
|
|
248
|
-
expect(result.value.sanitized).not.toContain("sk-ant-api03");
|
|
249
|
-
const finding = result.value.findings.find((f) => f.pattern === "anthropic_key");
|
|
250
|
-
expect(finding).toBeDefined();
|
|
251
|
-
expect(finding.type).toBe("secret_leak");
|
|
252
|
-
expect(finding.severity).toBe("critical");
|
|
253
|
-
}
|
|
254
|
-
});
|
|
255
|
-
it("redacts Anthropic admin key, blocked=true", () => {
|
|
256
|
-
const response = "sk-ant-admin-abcdefghijklmnopqrstuvwx";
|
|
257
|
-
const result = guard.scan(response);
|
|
258
|
-
expect(result.ok).toBe(true);
|
|
259
|
-
if (result.ok) {
|
|
260
|
-
expect(result.value.blocked).toBe(true);
|
|
261
|
-
expect(result.value.sanitized).toContain("[REDACTED:anthropic_key]");
|
|
262
|
-
expect(result.value.sanitized).not.toContain("sk-ant-admin");
|
|
263
|
-
}
|
|
264
|
-
});
|
|
265
|
-
it("redacts OpenAI project key, blocked=true", () => {
|
|
266
|
-
const response = "sk-proj-abcdefghijklmnopqrstuvwxyz012345";
|
|
267
|
-
const result = guard.scan(response);
|
|
268
|
-
expect(result.ok).toBe(true);
|
|
269
|
-
if (result.ok) {
|
|
270
|
-
expect(result.value.safe).toBe(false);
|
|
271
|
-
expect(result.value.blocked).toBe(true);
|
|
272
|
-
expect(result.value.sanitized).toContain("[REDACTED:openai_project_key]");
|
|
273
|
-
expect(result.value.sanitized).not.toContain("sk-proj-");
|
|
274
|
-
}
|
|
275
|
-
});
|
|
276
|
-
it("redacts Telegram bot token, blocked=true", () => {
|
|
277
|
-
const response = "Token: 123456789:ABCDEFGHIJKLMNOPQRSTuv";
|
|
278
|
-
const result = guard.scan(response);
|
|
279
|
-
expect(result.ok).toBe(true);
|
|
280
|
-
if (result.ok) {
|
|
281
|
-
expect(result.value.safe).toBe(false);
|
|
282
|
-
expect(result.value.blocked).toBe(true);
|
|
283
|
-
expect(result.value.sanitized).toContain("[REDACTED:telegram_bot_token]");
|
|
284
|
-
expect(result.value.sanitized).not.toContain("123456789:");
|
|
285
|
-
}
|
|
286
|
-
});
|
|
287
|
-
it("redacts Discord bot token, blocked=true", () => {
|
|
288
|
-
const response = "MTIzNDU2Nzg5MDEyMzQ1Njc4.G1kX9w.ABCDEFGHIJKLMNOPQRSTUVWXYZabc";
|
|
289
|
-
const result = guard.scan(response);
|
|
290
|
-
expect(result.ok).toBe(true);
|
|
291
|
-
if (result.ok) {
|
|
292
|
-
expect(result.value.safe).toBe(false);
|
|
293
|
-
expect(result.value.blocked).toBe(true);
|
|
294
|
-
expect(result.value.sanitized).toContain("[REDACTED:discord_bot_token]");
|
|
295
|
-
expect(result.value.sanitized).not.toContain("MTIzNDU2Nzg5MDEyMzQ1Njc4");
|
|
296
|
-
}
|
|
297
|
-
});
|
|
298
|
-
it("redacts Google API key, blocked=true", () => {
|
|
299
|
-
const response = "AIzaSyAbCdEfGhIjKlMnOpQrStUvWxYz0123456";
|
|
300
|
-
const result = guard.scan(response);
|
|
301
|
-
expect(result.ok).toBe(true);
|
|
302
|
-
if (result.ok) {
|
|
303
|
-
expect(result.value.safe).toBe(false);
|
|
304
|
-
expect(result.value.blocked).toBe(true);
|
|
305
|
-
expect(result.value.sanitized).toContain("[REDACTED:google_api_key]");
|
|
306
|
-
expect(result.value.sanitized).not.toContain("AIzaSy");
|
|
307
|
-
}
|
|
308
|
-
});
|
|
309
|
-
it("redacts PostgreSQL connection string, blocked=true", () => {
|
|
310
|
-
const response = "postgresql://admin:secret@prod.db.example.com:5432/mydb";
|
|
311
|
-
const result = guard.scan(response);
|
|
312
|
-
expect(result.ok).toBe(true);
|
|
313
|
-
if (result.ok) {
|
|
314
|
-
expect(result.value.safe).toBe(false);
|
|
315
|
-
expect(result.value.blocked).toBe(true);
|
|
316
|
-
expect(result.value.sanitized).toContain("[REDACTED:db_connection_string]");
|
|
317
|
-
expect(result.value.sanitized).not.toContain("postgresql://");
|
|
318
|
-
}
|
|
319
|
-
});
|
|
320
|
-
it("redacts MongoDB connection string, blocked=true", () => {
|
|
321
|
-
const response = "mongodb+srv://user:pass@cluster.mongo.net/db";
|
|
322
|
-
const result = guard.scan(response);
|
|
323
|
-
expect(result.ok).toBe(true);
|
|
324
|
-
if (result.ok) {
|
|
325
|
-
expect(result.value.blocked).toBe(true);
|
|
326
|
-
expect(result.value.sanitized).toContain("[REDACTED:db_connection_string]");
|
|
327
|
-
expect(result.value.sanitized).not.toContain("mongodb+srv://");
|
|
328
|
-
}
|
|
329
|
-
});
|
|
330
|
-
it("redacts generic API key assignment, blocked=true", () => {
|
|
331
|
-
const response = 'api_key = "sk1234567890abcdefghij"';
|
|
332
|
-
const result = guard.scan(response);
|
|
333
|
-
expect(result.ok).toBe(true);
|
|
334
|
-
if (result.ok) {
|
|
335
|
-
expect(result.value.safe).toBe(false);
|
|
336
|
-
expect(result.value.blocked).toBe(true);
|
|
337
|
-
expect(result.value.sanitized).toContain("[REDACTED:generic_api_key]");
|
|
338
|
-
}
|
|
339
|
-
});
|
|
340
|
-
it("redacts api-key: header assignment, blocked=true", () => {
|
|
341
|
-
const response = "api-key: ABCDEFGHIJ1234567890ab";
|
|
342
|
-
const result = guard.scan(response);
|
|
343
|
-
expect(result.ok).toBe(true);
|
|
344
|
-
if (result.ok) {
|
|
345
|
-
expect(result.value.blocked).toBe(true);
|
|
346
|
-
expect(result.value.sanitized).toContain("[REDACTED:generic_api_key]");
|
|
347
|
-
}
|
|
348
|
-
});
|
|
349
|
-
// Warning pattern (detect-only, NOT redacted)
|
|
350
|
-
it("does NOT redact JWT token (warning severity), blocked=false", () => {
|
|
351
|
-
const response = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U";
|
|
352
|
-
const result = guard.scan(response);
|
|
353
|
-
expect(result.ok).toBe(true);
|
|
354
|
-
if (result.ok) {
|
|
355
|
-
expect(result.value.blocked).toBe(false);
|
|
356
|
-
expect(result.value.sanitized).toBe(response);
|
|
357
|
-
const finding = result.value.findings.find((f) => f.pattern === "jwt_token");
|
|
358
|
-
expect(finding).toBeDefined();
|
|
359
|
-
expect(finding.severity).toBe("warning");
|
|
360
|
-
expect(finding.type).toBe("secret_leak");
|
|
361
|
-
}
|
|
362
|
-
});
|
|
363
|
-
// False positive prevention
|
|
364
|
-
it("does NOT flag clean technical text about APIs", () => {
|
|
365
|
-
const response = "To use the API, call the endpoint with your credentials.";
|
|
366
|
-
const result = guard.scan(response);
|
|
367
|
-
expect(result.ok).toBe(true);
|
|
368
|
-
if (result.ok) {
|
|
369
|
-
expect(result.value.safe).toBe(true);
|
|
370
|
-
expect(result.value.findings).toHaveLength(0);
|
|
371
|
-
}
|
|
372
|
-
});
|
|
373
|
-
it("does NOT flag short key-like strings", () => {
|
|
374
|
-
const response = "api_key = 'short'";
|
|
375
|
-
const result = guard.scan(response);
|
|
376
|
-
expect(result.ok).toBe(true);
|
|
377
|
-
if (result.ok) {
|
|
378
|
-
// "short" is too short (< 20 chars) to match GENERIC_API_KEY_ASSIGN
|
|
379
|
-
const genericFindings = result.value.findings.filter((f) => f.pattern === "generic_api_key");
|
|
380
|
-
expect(genericFindings).toHaveLength(0);
|
|
381
|
-
}
|
|
382
|
-
});
|
|
383
|
-
// Repeated call regression
|
|
384
|
-
it("correctly scans Anthropic key on repeated calls (lastIndex reset)", () => {
|
|
385
|
-
const response = "Key: sk-ant-api03-abcdefghijklmnopqrstuvwx";
|
|
386
|
-
for (let i = 0; i < 3; i++) {
|
|
387
|
-
const result = guard.scan(response);
|
|
388
|
-
expect(result.ok).toBe(true);
|
|
389
|
-
if (result.ok) {
|
|
390
|
-
expect(result.value.blocked).toBe(true);
|
|
391
|
-
const findings = result.value.findings.filter((f) => f.pattern === "anthropic_key");
|
|
392
|
-
expect(findings).toHaveLength(1);
|
|
393
|
-
}
|
|
394
|
-
}
|
|
395
|
-
});
|
|
396
|
-
});
|
|
397
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|
|
@@ -1,95 +0,0 @@
|
|
|
1
|
-
import * as fs from "node:fs";
|
|
2
|
-
import * as os from "node:os";
|
|
3
|
-
import * as path from "node:path";
|
|
4
|
-
import { describe, it, expect, afterEach } from "vitest";
|
|
5
|
-
import { safePath, PathTraversalError } from "./safe-path.js";
|
|
6
|
-
describe("safePath", () => {
|
|
7
|
-
describe("valid paths (should succeed)", () => {
|
|
8
|
-
it("resolves a simple filename within base", () => {
|
|
9
|
-
expect(safePath("/base", "file.txt")).toBe("/base/file.txt");
|
|
10
|
-
});
|
|
11
|
-
it("resolves multiple segments within base", () => {
|
|
12
|
-
expect(safePath("/base", "subdir", "file.txt")).toBe("/base/subdir/file.txt");
|
|
13
|
-
});
|
|
14
|
-
it("returns base directory itself when no segments given", () => {
|
|
15
|
-
expect(safePath("/base")).toBe("/base");
|
|
16
|
-
});
|
|
17
|
-
it("resolves nested path segments with slashes", () => {
|
|
18
|
-
expect(safePath("/base", "a/b/c")).toBe("/base/a/b/c");
|
|
19
|
-
});
|
|
20
|
-
});
|
|
21
|
-
describe("path traversal attacks (should throw PathTraversalError)", () => {
|
|
22
|
-
it("rejects bare ..", () => {
|
|
23
|
-
expect(() => safePath("/base", "..")).toThrow(PathTraversalError);
|
|
24
|
-
});
|
|
25
|
-
it("rejects ../../etc/passwd", () => {
|
|
26
|
-
expect(() => safePath("/base", "../../etc/passwd")).toThrow(PathTraversalError);
|
|
27
|
-
});
|
|
28
|
-
it("rejects subdir/../../../etc/passwd", () => {
|
|
29
|
-
expect(() => safePath("/base", "subdir/../../../etc/passwd")).toThrow(PathTraversalError);
|
|
30
|
-
});
|
|
31
|
-
});
|
|
32
|
-
describe("URL-encoded attacks (should throw)", () => {
|
|
33
|
-
it("rejects %2e%2e%2f (encoded ../)", () => {
|
|
34
|
-
expect(() => safePath("/base", "%2e%2e%2fetc/passwd")).toThrow(PathTraversalError);
|
|
35
|
-
});
|
|
36
|
-
it("rejects %2e%2e/ (encoded ../) ", () => {
|
|
37
|
-
expect(() => safePath("/base", "%2e%2e/etc/passwd")).toThrow(PathTraversalError);
|
|
38
|
-
});
|
|
39
|
-
});
|
|
40
|
-
describe("prefix attacks (should throw)", () => {
|
|
41
|
-
it("rejects ../uploads-evil/file when base is /uploads", () => {
|
|
42
|
-
expect(() => safePath("/uploads", "../uploads-evil/file")).toThrow(PathTraversalError);
|
|
43
|
-
});
|
|
44
|
-
});
|
|
45
|
-
describe("symlink attacks (integration test)", () => {
|
|
46
|
-
let tmpDir;
|
|
47
|
-
afterEach(() => {
|
|
48
|
-
if (tmpDir) {
|
|
49
|
-
fs.rmSync(tmpDir, { recursive: true, force: true });
|
|
50
|
-
}
|
|
51
|
-
});
|
|
52
|
-
it("rejects symlinks pointing outside base", () => {
|
|
53
|
-
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "safepath-test-"));
|
|
54
|
-
const baseDir = path.join(tmpDir, "base");
|
|
55
|
-
const outsideDir = path.join(tmpDir, "outside");
|
|
56
|
-
fs.mkdirSync(baseDir);
|
|
57
|
-
fs.mkdirSync(outsideDir);
|
|
58
|
-
fs.writeFileSync(path.join(outsideDir, "secret.txt"), "secret");
|
|
59
|
-
// Create symlink inside base pointing to outside
|
|
60
|
-
const symlinkPath = path.join(baseDir, "evil-link");
|
|
61
|
-
fs.symlinkSync(outsideDir, symlinkPath);
|
|
62
|
-
expect(() => safePath(baseDir, "evil-link", "secret.txt")).toThrow(PathTraversalError);
|
|
63
|
-
});
|
|
64
|
-
});
|
|
65
|
-
describe("null byte attacks (should throw)", () => {
|
|
66
|
-
it("rejects paths containing null bytes", () => {
|
|
67
|
-
expect(() => safePath("/base", "file\0.txt")).toThrow(PathTraversalError);
|
|
68
|
-
});
|
|
69
|
-
});
|
|
70
|
-
describe("PathTraversalError properties", () => {
|
|
71
|
-
it("has name 'PathTraversalError'", () => {
|
|
72
|
-
try {
|
|
73
|
-
safePath("/base", "../../etc/passwd");
|
|
74
|
-
expect.fail("should have thrown");
|
|
75
|
-
}
|
|
76
|
-
catch (error) {
|
|
77
|
-
expect(error).toBeInstanceOf(PathTraversalError);
|
|
78
|
-
expect(error.name).toBe("PathTraversalError");
|
|
79
|
-
}
|
|
80
|
-
});
|
|
81
|
-
it("includes base and attempted properties", () => {
|
|
82
|
-
try {
|
|
83
|
-
safePath("/base", "../../etc/passwd");
|
|
84
|
-
expect.fail("should have thrown");
|
|
85
|
-
}
|
|
86
|
-
catch (error) {
|
|
87
|
-
expect(error).toBeInstanceOf(PathTraversalError);
|
|
88
|
-
const pte = error;
|
|
89
|
-
expect(pte.base).toBe("/base");
|
|
90
|
-
expect(pte.attempted).toBeDefined();
|
|
91
|
-
expect(typeof pte.attempted).toBe("string");
|
|
92
|
-
}
|
|
93
|
-
});
|
|
94
|
-
});
|
|
95
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|