takos-runtime-service 1.0.0

package/src/__tests__/shared/errors.test.ts

@@ -0,0 +1,117 @@
+import { describe, expect, it } from 'vitest';
+import {
+  SymlinkEscapeError,
+  SymlinkNotAllowedError,
+  SymlinkWriteError,
+  OwnerBindingError,
+  isBoundaryViolationError,
+} from '../../shared/errors.js';
+
+// ---------------------------------------------------------------------------
+// SymlinkEscapeError
+// ---------------------------------------------------------------------------
+
+describe('SymlinkEscapeError', () => {
+  it('sets correct name and message', () => {
+    const err = new SymlinkEscapeError('workspace');
+    expect(err.name).toBe('SymlinkEscapeError');
+    expect(err.message).toBe('Symlink escape detected in workspace path');
+  });
+
+  it('is instanceof Error', () => {
+    const err = new SymlinkEscapeError('test');
+    expect(err).toBeInstanceOf(Error);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// SymlinkNotAllowedError
+// ---------------------------------------------------------------------------
+
+describe('SymlinkNotAllowedError', () => {
+  it('sets message with label', () => {
+    const err = new SymlinkNotAllowedError('file');
+    expect(err.name).toBe('SymlinkNotAllowedError');
+    expect(err.message).toBe('Symlinks are not allowed in file path');
+  });
+
+  it('sets default message without label', () => {
+    const err = new SymlinkNotAllowedError();
+    expect(err.message).toBe('Symlinks are not allowed');
+  });
+
+  it('is instanceof Error', () => {
+    const err = new SymlinkNotAllowedError();
+    expect(err).toBeInstanceOf(Error);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// SymlinkWriteError
+// ---------------------------------------------------------------------------
+
+describe('SymlinkWriteError', () => {
+  it('sets correct name and message', () => {
+    const err = new SymlinkWriteError();
+    expect(err.name).toBe('SymlinkWriteError');
+    expect(err.message).toBe('Cannot write to symlinks');
+  });
+
+  it('is instanceof Error', () => {
+    expect(new SymlinkWriteError()).toBeInstanceOf(Error);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// OwnerBindingError
+// ---------------------------------------------------------------------------
+
+describe('OwnerBindingError', () => {
+  it('sets default message', () => {
+    const err = new OwnerBindingError();
+    expect(err.name).toBe('OwnerBindingError');
+    expect(err.message).toBe('Session does not belong to the authenticated owner');
+  });
+
+  it('accepts custom message', () => {
+    const err = new OwnerBindingError('Custom error message');
+    expect(err.message).toBe('Custom error message');
+  });
+
+  it('is instanceof Error', () => {
+    expect(new OwnerBindingError()).toBeInstanceOf(Error);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// isBoundaryViolationError
+// ---------------------------------------------------------------------------
+
+describe('isBoundaryViolationError', () => {
+  it('returns true for SymlinkEscapeError', () => {
+    expect(isBoundaryViolationError(new SymlinkEscapeError('test'))).toBe(true);
+  });
+
+  it('returns true for SymlinkNotAllowedError', () => {
+    expect(isBoundaryViolationError(new SymlinkNotAllowedError())).toBe(true);
+  });
+
+  it('returns true for SymlinkWriteError', () => {
+    expect(isBoundaryViolationError(new SymlinkWriteError())).toBe(true);
+  });
+
+  it('returns false for regular Error', () => {
+    expect(isBoundaryViolationError(new Error('plain error'))).toBe(false);
+  });
+
+  it('returns false for non-error values', () => {
+    expect(isBoundaryViolationError(null)).toBe(false);
+    expect(isBoundaryViolationError(undefined)).toBe(false);
+    expect(isBoundaryViolationError('string')).toBe(false);
+    expect(isBoundaryViolationError(42)).toBe(false);
+  });
+
+  it('returns false for OwnerBindingError', () => {
+    expect(isBoundaryViolationError(new OwnerBindingError())).toBe(false);
+  });
+});

package/src/__tests__/storage/r2.test.ts

@@ -0,0 +1,106 @@
+import * as fs from 'fs/promises';
+import * as os from 'os';
+import path from 'path';
+import { afterEach, describe, expect, it, vi } from 'vitest';
+
+vi.mock('../../shared/config.js', () => ({
+  R2_ACCOUNT_ID: 'test-account',
+  R2_ACCESS_KEY_ID: 'test-access-key',
+  R2_SECRET_ACCESS_KEY: 'test-secret',
+  R2_BUCKET: 'test-bucket',
+  S3_ENDPOINT: 'http://127.0.0.1:9000',
+  S3_REGION: 'us-east-1',
+  S3_ACCESS_KEY_ID: 'test-access-key',
+  S3_SECRET_ACCESS_KEY: 'test-secret',
+  S3_BUCKET: 'test-bucket',
+  MAX_R2_DOWNLOAD_FILE_BYTES: 1024 * 1024,
+  MAX_R2_DOWNLOAD_TOTAL_BYTES: 1024 * 1024 * 4,
+  MAX_LOG_LINES: 100_000,
+}));
+
+import { downloadSpaceFiles, uploadSpaceFiles, s3Client } from '../../storage/r2.js';
+
+async function createTempDir(prefix: string): Promise<string> {
+  return fs.mkdtemp(path.join(os.tmpdir(), prefix));
+}
+
+describe('r2 symlink boundary hardening', () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it('skips upload paths that symlink outside base directory', async () => {
+    const workspaceDir = await createTempDir('takos-r2-upload-ws-');
+    const outsideDir = await createTempDir('takos-r2-upload-outside-');
+    const outsideFile = path.join(outsideDir, 'outside.txt');
+    const symlinkPath = path.join(workspaceDir, 'escape.txt');
+
+    try {
+      await fs.writeFile(outsideFile, 'outside');
+      await fs.symlink(outsideFile, symlinkPath);
+
+      const sendSpy = vi.spyOn(s3Client, 'send');
+      const logs: string[] = [];
+
+      const uploaded = await uploadSpaceFiles('ws-upload', workspaceDir, ['escape.txt'], logs);
+
+      expect(uploaded).toBe(0);
+      expect(sendSpy).not.toHaveBeenCalled();
+      expect(logs.some((line) => line.includes('symlink escape attempt'))).toBe(true);
+    } finally {
+      await fs.rm(workspaceDir, { recursive: true, force: true });
+      await fs.rm(outsideDir, { recursive: true, force: true });
+    }
+  });
+
+  it('skips download paths that traverse through escaping symlink components', async () => {
+    const workspaceDir = await createTempDir('takos-r2-download-ws-');
+    const outsideDir = await createTempDir('takos-r2-download-outside-');
+    const escapeLink = path.join(workspaceDir, 'escape-dir');
+
+    try {
+      await fs.symlink(outsideDir, escapeLink);
+
+      vi.spyOn(s3Client, 'send').mockImplementation(async (command: object) => {
+        const commandName = (command as { constructor?: { name?: string } }).constructor?.name;
+
+        if (commandName === 'ListObjectsV2Command') {
+          return {
+            Contents: [
+              {
+                Key: 'workspaces/ws-download/files/object-1',
+                Size: 5,
+              },
+            ],
+            NextContinuationToken: undefined,
+          };
+        }
+
+        if (commandName === 'GetObjectCommand') {
+          return {
+            Body: {
+              transformToByteArray: async () => Buffer.from('hello'),
+            },
+            Metadata: {
+              'file-path': 'escape-dir/evil.txt',
+            },
+          };
+        }
+
+        throw new Error(`Unexpected command: ${commandName}`);
+      });
+
+      const logs: string[] = [];
+      const downloaded = await downloadSpaceFiles('ws-download', workspaceDir, logs);
+      const outsideFile = path.join(outsideDir, 'evil.txt');
+      const outsideFileExists = await fs.stat(outsideFile).then(() => true).catch(() => false);
+
+      expect(downloaded).toBe(0);
+      expect(outsideFileExists).toBe(false);
+      expect(logs.some((line) => line.includes('symlink escape attempt'))).toBe(true);
+    } finally {
+      await fs.rm(workspaceDir, { recursive: true, force: true });
+      await fs.rm(outsideDir, { recursive: true, force: true });
+    }
+  });
+});

package/src/__tests__/utils/audit-log.test.ts

@@ -0,0 +1,163 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+// Mock fs/promises and logger before importing the module under test.
+// Each test uses vi.resetModules() + dynamic import to get fresh module state
+// (the module caches `dirEnsured` at module scope).
+
+const mockAppendFile = vi.fn();
+const mockMkdir = vi.fn();
+const mockStat = vi.fn();
+const mockRename = vi.fn();
+const mockUnlink = vi.fn();
+
+vi.mock('fs/promises', async () => {
+  const actual = await vi.importActual<typeof import('fs/promises')>('fs/promises');
+  return {
+    ...actual,
+    appendFile: (...args: any[]) => mockAppendFile(...args),
+    mkdir: (...args: any[]) => mockMkdir(...args),
+    stat: (...args: any[]) => mockStat(...args),
+    rename: (...args: any[]) => mockRename(...args),
+    unlink: (...args: any[]) => mockUnlink(...args),
+  };
+});
+
+vi.mock('takos-common/logger', () => ({
+  createLogger: () => ({
+    info: vi.fn(),
+    warn: vi.fn(),
+    error: vi.fn(),
+    debug: vi.fn(),
+  }),
+}));
+
+async function freshWriteAuditLog() {
+  vi.resetModules();
+  const mod = await import('../../utils/audit-log.js');
+  return mod.writeAuditLog;
+}
+
+beforeEach(() => {
+  vi.clearAllMocks();
+  mockMkdir.mockResolvedValue(undefined);
+  mockStat.mockRejectedValue(new Error('ENOENT'));
+  mockAppendFile.mockResolvedValue(undefined);
+});
+
+describe('writeAuditLog', () => {
+  it('writes audit entry as JSONL', async () => {
+    const writeAuditLog = await freshWriteAuditLog();
+
+    await writeAuditLog({
+      timestamp: '2024-01-01T00:00:00Z',
+      event: 'exec',
+      spaceId: 'ws1',
+      command: 'echo hello',
+      status: 'completed',
+    });
+
+    expect(mockAppendFile).toHaveBeenCalledOnce();
+    const writtenLine = mockAppendFile.mock.calls[0][1] as string;
+    expect(writtenLine.endsWith('\n')).toBe(true);
+    const parsed = JSON.parse(writtenLine.trim());
+    expect(parsed.event).toBe('exec');
+    expect(parsed.spaceId).toBe('ws1');
+    expect(parsed.command).toBe('echo hello');
+  });
+
+  it('redacts credentials in URLs', async () => {
+    const writeAuditLog = await freshWriteAuditLog();
+
+    await writeAuditLog({
+      timestamp: '2024-01-01T00:00:00Z',
+      event: 'exec',
+      spaceId: 'ws1',
+      command: 'git clone https://user:password@github.com/repo.git',
+      status: 'started',
+    });
+
+    const writtenLine = mockAppendFile.mock.calls[0][1] as string;
+    const parsed = JSON.parse(writtenLine.trim());
+    expect(parsed.command).not.toContain('password');
+    expect(parsed.command).toContain('***@');
+  });
+
+  it('redacts Authorization header values', async () => {
+    const writeAuditLog = await freshWriteAuditLog();
+
+    await writeAuditLog({
+      timestamp: '2024-01-01T00:00:00Z',
+      event: 'exec',
+      spaceId: 'ws1',
+      command: 'curl -H "Authorization: Bearer my-secret-token" https://api.com',
+      status: 'started',
+    });
+
+    const writtenLine = mockAppendFile.mock.calls[0][1] as string;
+    const parsed = JSON.parse(writtenLine.trim());
+    expect(parsed.command).not.toContain('my-secret-token');
+    expect(parsed.command).toContain('Authorization: ***');
+  });
+
+  it('redacts SECRET_KEY=value patterns', async () => {
+    const writeAuditLog = await freshWriteAuditLog();
+
+    await writeAuditLog({
+      timestamp: '2024-01-01T00:00:00Z',
+      event: 'exec',
+      spaceId: 'ws1',
+      command: 'SECRET_KEY=mysecret npm start',
+      status: 'started',
+    });
+
+    const writtenLine = mockAppendFile.mock.calls[0][1] as string;
+    const parsed = JSON.parse(writtenLine.trim());
+    expect(parsed.command).not.toContain('mysecret');
+    expect(parsed.command).toContain('SECRET_KEY=***');
+  });
+
+  it('redacts commands array', async () => {
+    const writeAuditLog = await freshWriteAuditLog();
+
+    await writeAuditLog({
+      timestamp: '2024-01-01T00:00:00Z',
+      event: 'exec',
+      spaceId: 'ws1',
+      commands: [
+        'curl -H "Authorization: Bearer token1"',
+        'echo TOKEN=secret123',
+      ],
+      status: 'started',
+    });
+
+    const writtenLine = mockAppendFile.mock.calls[0][1] as string;
+    const parsed = JSON.parse(writtenLine.trim());
+    expect(parsed.commands[0]).not.toContain('token1');
+    expect(parsed.commands[1]).toContain('TOKEN=***');
+  });
+
+  it('does not throw on write failure', async () => {
+    mockAppendFile.mockRejectedValue(new Error('write failed'));
+    const writeAuditLog = await freshWriteAuditLog();
+
+    await expect(writeAuditLog({
+      timestamp: '2024-01-01T00:00:00Z',
+      event: 'exec',
+      spaceId: 'ws1',
+      status: 'started',
+    })).resolves.not.toThrow();
+  });
+
+  it('ensures directory is created on first call', async () => {
+    const writeAuditLog = await freshWriteAuditLog();
+
+    await writeAuditLog({
+      timestamp: '2024-01-01T00:00:00Z',
+      event: 'exec',
+      spaceId: 'ws1',
+      status: 'started',
+    });
+
+    expect(mockMkdir).toHaveBeenCalled();
+  });
+});

package/src/__tests__/utils/error-message.test.ts

@@ -0,0 +1,38 @@
+import { describe, expect, it } from 'vitest';
+import { getErrorMessage } from 'takos-common/errors';
+
+describe('getErrorMessage', () => {
+  it('returns message from Error instance', () => {
+    expect(getErrorMessage(new Error('test error'))).toBe('test error');
+  });
+
+  it('returns string representation for non-Error', () => {
+    expect(getErrorMessage('string error')).toBe('string error');
+  });
+
+  it('handles number', () => {
+    expect(getErrorMessage(42)).toBe('42');
+  });
+
+  it('handles null', () => {
+    expect(getErrorMessage(null)).toBe('null');
+  });
+
+  it('handles undefined', () => {
+    expect(getErrorMessage(undefined)).toBe('undefined');
+  });
+
+  it('handles object', () => {
+    expect(getErrorMessage({ code: 'ERR' })).toBe('[object Object]');
+  });
+
+  it('returns message from custom error class', () => {
+    class CustomError extends Error {
+      constructor() {
+        super('custom message');
+        this.name = 'CustomError';
+      }
+    }
+    expect(getErrorMessage(new CustomError())).toBe('custom message');
+  });
+});

package/src/__tests__/utils/sandbox-env.test.ts

@@ -0,0 +1,74 @@
+import { afterEach, describe, expect, it } from 'vitest';
+import { createSandboxEnv, validateRuntimeExecEnv } from '../../utils/sandbox-env.js';
+
+const originalAwsSecret = process.env.AWS_SECRET_ACCESS_KEY;
+
+afterEach(() => {
+  if (originalAwsSecret === undefined) {
+    delete process.env.AWS_SECRET_ACCESS_KEY;
+    return;
+  }
+  process.env.AWS_SECRET_ACCESS_KEY = originalAwsSecret;
+});
+
+describe('validateRuntimeExecEnv', () => {
+  it('accepts undefined env as empty object', () => {
+    expect(validateRuntimeExecEnv(undefined)).toEqual({ ok: true, env: {} });
+  });
+
+  it('accepts valid env entries', () => {
+    const result = validateRuntimeExecEnv({
+      CI: 'true',
+      MY_FEATURE_FLAG: '1',
+    });
+    expect(result).toEqual({
+      ok: true,
+      env: { CI: 'true', MY_FEATURE_FLAG: '1' },
+    });
+  });
+
+  it('rejects invalid variable names', () => {
+    const result = validateRuntimeExecEnv({
+      '1INVALID': 'value',
+    });
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toContain('Invalid environment variable name');
+    }
+  });
+
+  it('rejects sensitive variable names', () => {
+    const result = validateRuntimeExecEnv({
+      TAKOS_TOKEN: 'secret',
+    });
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toContain('Sensitive environment variable is not allowed');
+    }
+  });
+
+  it('rejects values with newlines', () => {
+    const result = validateRuntimeExecEnv({
+      SAFE_NAME: 'line1\nline2',
+    });
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toContain('contains invalid characters');
+    }
+  });
+
+  it('keeps explicit workflow env values for allowed prefixes and blocks host secrets', () => {
+    process.env.AWS_SECRET_ACCESS_KEY = 'host-secret-value';
+
+    const sandboxEnv = createSandboxEnv({
+      GITHUB_TOKEN: 'token-from-workflow',
+      INPUT_SECRET: 'secret-from-workflow',
+      RUNNER_TEMP: '/tmp/runner',
+    });
+
+    expect(sandboxEnv.GITHUB_TOKEN).toBe('token-from-workflow');
+    expect(sandboxEnv.INPUT_SECRET).toBe('secret-from-workflow');
+    expect(sandboxEnv.RUNNER_TEMP).toBe('/tmp/runner');
+    expect(sandboxEnv.AWS_SECRET_ACCESS_KEY).toBeUndefined();
+  });
+});