unbound-cli 1.6.4 → 1.6.5

package/test/download-pipe-hole.test.js

@@ -0,0 +1,221 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const { Command } = require('commander');
+
+// The old `curl -fsSL ... | bash -s --` / `| python3 -` pipe reported the
+// SHELL's exit code, not curl's, and dash has no pipefail — so a failed download
+// (GitHub down/404/empty) silently ran an empty script and exited 0 = fake
+// success. The fix is download-then-run with a non-200/empty-body check.
+//
+// These tests prove the hole is closed: a failed download now causes a NON-zero
+// exit / a rejection, never a silent success. No real network is used — the
+// download is stubbed to fail.
+
+// Stub utils.downloadToFile BEFORE requiring discover so the destructured
+// binding inside discover.js captures the stub, not the real https downloader.
+function freshDiscover(downloadStub) {
+  for (const m of ['../src/commands/discover', '../src/utils', '../src/config', '../src/output', '../src/telemetry']) {
+    delete require.cache[require.resolve(m)];
+  }
+  const utils = require('../src/utils');
+  if (downloadStub) utils.downloadToFile = downloadStub;
+  const config = require('../src/config');
+  const output = require('../src/output');
+  const discover = require('../src/commands/discover');
+  return { utils, config, output, discover };
+}
+
+test('discover: a failed script download makes runDiscoveryScan REJECT (no silent success)', async () => {
+  // Simulate GitHub returning a 404 / partial — downloadToFile rejects before
+  // bash ever runs, so the scan can't fake-succeed.
+  const { discover } = freshDiscover(async () => { throw new Error('Failed to download install.sh: HTTP 404'); });
+
+  await assert.rejects(
+    () => discover.runDiscoveryScan({ apiKey: 'disc-key', domain: 'https://b.acme' }),
+    /Failed to download/,
+  );
+});
+
+test('discover: an empty-body 200 download also rejects (empty script is not success)', async () => {
+  const { discover } = freshDiscover(async () => { throw new Error('Failed to download install.sh: empty response body'); });
+
+  await assert.rejects(
+    () => discover.runDiscoveryScan({ apiKey: 'disc-key' }),
+    /empty response body/,
+  );
+});
+
+test('discover command: a failed download sets process.exitCode = 1 (not a silent 0)', async () => {
+  const { output, discover } = freshDiscover(async () => { throw new Error('Failed to download install.sh: HTTP 500'); });
+  for (const k of ['info', 'success', 'error', 'warn']) output[k] = () => {};
+
+  const savedExit = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const program = new Command();
+    program.exitOverride();
+    discover.register(program);
+    // Non-root user scope; the scan download fails → exitCode must become 1.
+    await program.parseAsync(['node', 'unbound', 'discover', '--api-key', 'disc-key']);
+    assert.equal(process.exitCode, 1, 'failed download must surface a non-zero exit code');
+  } finally {
+    process.exitCode = savedExit;
+  }
+});
+
+// The tests below exercise the SHIPPED utils.downloadToFile (no inline re-impl).
+// The production function defaults to https.get but accepts an injectable
+// `{ transport }` so we can drive it against a local http server without TLS —
+// this guarantees the real byte-count guard AND the security hardening are what's
+// under test.
+const http = require('http');
+const os = require('os');
+const path = require('path');
+const fs = require('fs');
+
+// One shared local server. Routes:
+//   /empty   200 with a zero-byte body   (pipe-hole: must reject)
+//   /ok      200 with a normal body      (must succeed, file mode 0600)
+//   /404     404                         (non-200: must reject)
+function startServer() {
+  const server = http.createServer((req, res) => {
+    if (req.url === '/empty') { res.writeHead(200); res.end(); }
+    else if (req.url === '/404') { res.writeHead(404); res.end('nope'); }
+    else { res.writeHead(200); res.end('echo hi\n'); }
+  });
+  return new Promise((resolve) => {
+    server.listen(0, '127.0.0.1', () => resolve({ server, port: server.address().port }));
+  });
+}
+
+// Fresh utils each time so a prior test's mutation can't leak in.
+function freshUtils() {
+  delete require.cache[require.resolve('../src/utils')];
+  return require('../src/utils');
+}
+
+// A unique path inside a private dir so each test starts from a clean slate.
+function freshTmp(suffix) {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'dl-test-'));
+  return { dir, file: path.join(dir, `script${suffix}`) };
+}
+
+test('downloadToFile (shipped): rejects a 200 with an empty body (pipe hole stays closed)', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    await assert.rejects(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/empty`, file, { transport: http }),
+      /empty response body/,
+    );
+    // The partial/empty file must not be left behind.
+    assert.equal(fs.existsSync(file), false, 'empty download must not leave a file');
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): rejects a non-200 (404)', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    await assert.rejects(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/404`, file, { transport: http }),
+      /HTTP 404/,
+    );
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): writes the file with owner-only mode 0600', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    await utils.downloadToFile(`http://127.0.0.1:${port}/ok`, file, { transport: http });
+    assert.equal(fs.readFileSync(file, 'utf8'), 'echo hi\n');
+    const mode = fs.statSync(file).mode & 0o777;
+    assert.equal(mode, 0o600, `expected 0600, got 0${mode.toString(8)}`);
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): a pre-existing file at the target FAILS (EEXIST, no overwrite)', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    // Attacker pre-creates the predictable path with their own payload.
+    fs.writeFileSync(file, 'malicious-preexisting\n');
+    await assert.rejects(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/ok`, file, { transport: http }),
+      (err) => err.code === 'EEXIST',
+      'an existing target must yield EEXIST, never be overwritten',
+    );
+    // The attacker's content must be untouched (we did not follow/overwrite it).
+    assert.equal(fs.readFileSync(file, 'utf8'), 'malicious-preexisting\n');
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): a symlink at the target FAILS (ELOOP/EEXIST, not followed)', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  // The symlink points at a victim file the attacker wants us to clobber.
+  const victim = path.join(dir, 'victim.txt');
+  fs.writeFileSync(victim, 'do-not-touch\n');
+  fs.symlinkSync(victim, file);
+  try {
+    await assert.rejects(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/ok`, file, { transport: http }),
+      (err) => err.code === 'ELOOP' || err.code === 'EEXIST',
+      'a symlink at the target must not be followed',
+    );
+    // The victim behind the symlink must be untouched.
+    assert.equal(fs.readFileSync(victim, 'utf8'), 'do-not-touch\n');
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('downloadToFile (shipped): a normal download succeeds and stores the body', async () => {
+  const utils = freshUtils();
+  const { server, port } = await startServer();
+  const { dir, file } = freshTmp('.sh');
+  try {
+    await assert.doesNotReject(
+      () => utils.downloadToFile(`http://127.0.0.1:${port}/ok`, file, { transport: http }),
+    );
+    assert.equal(fs.readFileSync(file, 'utf8'), 'echo hi\n');
+  } finally {
+    fs.rmSync(dir, { recursive: true, force: true });
+    server.close();
+  }
+});
+
+test('withSecureTempFile (shipped): creates a 0700 private dir and removes it after', async () => {
+  const utils = freshUtils();
+  let seenPath = null;
+  let seenDirMode = null;
+  await utils.withSecureTempFile('.py', async (p) => {
+    seenPath = p;
+    seenDirMode = fs.statSync(path.dirname(p)).mode & 0o777;
+    fs.writeFileSync(p, 'x'); // simulate a download into it
+  });
+  assert.equal(seenDirMode, 0o700, `expected dir mode 0700, got 0${(seenDirMode || 0).toString(8)}`);
+  assert.ok(seenPath.endsWith('.py'));
+  // The whole private dir (and the file inside it) must be gone afterward.
+  assert.equal(fs.existsSync(seenPath), false, 'temp file must be cleaned up');
+  assert.equal(fs.existsSync(path.dirname(seenPath)), false, 'temp dir must be cleaned up');
+});

package/test/onboard-failure-exit.test.js

@@ -0,0 +1,125 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const { Command } = require('commander');
+
+// Onboarding-failure observability, client side:
+//  - a failed setup must set process.exitCode = 1 (no fake success), and
+//  - the best-effort failure report must never change that exit code or mask the
+//    real error, even when the report POST itself fails (offline/429).
+//
+// All downstream deps are stubbed; no network, no setup scripts, no Sentry.
+
+function loadOnboard({ isRoot, setupOk, reportThrows }) {
+  for (const m of [
+    '../src/commands/onboard', '../src/commands/setup', '../src/commands/discover',
+    '../src/auth', '../src/config', '../src/output', '../src/scheduled',
+    '../src/setup-report', '../src/telemetry',
+  ]) {
+    delete require.cache[require.resolve(m)];
+  }
+
+  const calls = { setup: 0, discovery: 0, report: 0 };
+  const setup = require('../src/commands/setup');
+  const discover = require('../src/commands/discover');
+  const auth = require('../src/auth');
+  const config = require('../src/config');
+  const output = require('../src/output');
+  const setupReport = require('../src/setup-report');
+
+  setup.hasRootPrivileges = () => isRoot;
+  // Mirror runBatch's real behavior: on failure it sets exitCode and (best-effort)
+  // reports, then returns { ok: false }. We model both the report call and the
+  // exitCode side effect so the test exercises onboard's own handling.
+  const bundle = async () => {
+    calls.setup++;
+    if (!setupOk) {
+      process.exitCode = 1;
+      calls.report++;
+      await setupReport.reportSetupFailure({ step: 'cursor', exitCode: 2 });
+      return { ok: false, skipped: [] };
+    }
+    return { ok: true, skipped: [] };
+  };
+  setup.runSetupAllBundle = bundle;
+  setup.runMdmSetupAllBundle = bundle;
+  discover.runDiscoveryScan = async () => { calls.discovery++; };
+  auth.ensureLoggedIn = async () => {};
+  config.setUrls = () => ({});
+  config.getApiKey = () => 'resolved-key';
+  config.getBaseUrl = () => 'https://b.acme';
+  config.getFrontendUrl = () => 'https://f.acme';
+  config.getGatewayUrl = () => 'https://g.acme';
+  config.isLoggedIn = () => true;
+  for (const k of ['info', 'success', 'error', 'warn']) output[k] = () => {};
+
+  // The failure-report POST fails (offline/429) — must be swallowed.
+  const api = require('../src/api');
+  api.post = async () => {
+    if (reportThrows) throw new Error('offline / ECONNREFUSED');
+    return {};
+  };
+
+  return { calls };
+}
+
+async function runOnboard(env) {
+  const { calls } = env;
+  const { register } = require('../src/commands/onboard');
+  const program = new Command();
+  program.exitOverride();
+  register(program);
+  await program.parseAsync(['node', 'unbound', 'onboard', '--api-key', 'k', '--discovery-key', 'd']);
+  return calls;
+}
+
+test('onboard: a failed setup sets process.exitCode = 1 and does NOT run discovery', async () => {
+  const saved = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const env = loadOnboard({ isRoot: false, setupOk: false, reportThrows: false });
+    const calls = await runOnboard(env);
+    assert.equal(process.exitCode, 1, 'failed setup must exit non-zero');
+    assert.equal(calls.setup, 1, 'setup bundle ran');
+    assert.equal(calls.discovery, 0, 'discovery must not run after a failed setup');
+  } finally {
+    process.exitCode = saved;
+  }
+});
+
+test('onboard (sudo/MDM): a failed MDM setup also sets process.exitCode = 1', async () => {
+  const saved = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const env = loadOnboard({ isRoot: true, setupOk: false, reportThrows: false });
+    await runOnboard(env);
+    assert.equal(process.exitCode, 1, 'failed MDM setup must exit non-zero');
+  } finally {
+    process.exitCode = saved;
+  }
+});
+
+test('onboard: a failing failure-report POST is swallowed — exit code stays 1, not masked', async () => {
+  const saved = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const env = loadOnboard({ isRoot: false, setupOk: false, reportThrows: true });
+    const calls = await runOnboard(env);
+    assert.equal(calls.report, 1, 'a failure report was attempted');
+    assert.equal(process.exitCode, 1, 'a failing telemetry POST must not change the exit code');
+  } finally {
+    process.exitCode = saved;
+  }
+});
+
+test('onboard: a successful setup proceeds to discovery and exits 0', async () => {
+  const saved = process.exitCode;
+  process.exitCode = 0;
+  try {
+    const env = loadOnboard({ isRoot: false, setupOk: true, reportThrows: false });
+    const calls = await runOnboard(env);
+    assert.equal(calls.discovery, 1, 'discovery runs after a successful setup');
+    assert.equal(process.exitCode, 0, 'a clean onboard keeps exit code 0');
+  } finally {
+    process.exitCode = saved;
+  }
+});

package/test/setup-report.test.js

@@ -0,0 +1,102 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+
+// reportSetupFailure must be BEST-EFFORT: it posts {serial_number, step,
+// exit_code} to /api/v1/setup/failed/, but a POST failure (offline/429/4xx)
+// must never reject — so a caller can `await` it inline in an error path without
+// masking the real error or changing the exit code.
+
+function freshReport() {
+  for (const m of ['../src/setup-report', '../src/api', '../src/config']) {
+    delete require.cache[require.resolve(m)];
+  }
+  const api = require('../src/api');
+  const config = require('../src/config');
+  const report = require('../src/setup-report');
+  return { api, config, report };
+}
+
+test('reportSetupFailure: posts the contract payload to /api/v1/setup/failed/', async () => {
+  const { api, config, report } = freshReport();
+  let captured = null;
+  api.post = async (path, opts) => { captured = { path, opts }; return { ok: true }; };
+  config.getApiKey = () => 'stored-key';
+
+  const ok = await report.reportSetupFailure({ step: 'cursor', exitCode: 2, backendUrl: 'https://b.acme' });
+
+  assert.equal(ok, true);
+  assert.equal(captured.path, '/api/v1/setup/failed/');
+  assert.equal(captured.opts.apiKey, 'stored-key');
+  assert.equal(captured.opts.baseUrl, 'https://b.acme');
+  const body = captured.opts.body;
+  assert.equal(typeof body.serial_number, 'string');
+  assert.ok(body.serial_number.length > 0 && body.serial_number.length <= 255);
+  assert.equal(body.step, 'cursor');
+  assert.equal(body.exit_code, 2);
+  // install_mode/managed are forced server-side — the CLI must NOT send them.
+  assert.equal('install_mode' in body, false);
+  assert.equal('managed' in body, false);
+});
+
+test('reportSetupFailure: bounds the POST with a 3s timeout (never blocks on default 30s)', async () => {
+  const { api, config, report } = freshReport();
+  let captured = null;
+  api.post = async (path, opts) => { captured = opts; return { ok: true }; };
+  config.getApiKey = () => 'k';
+
+  await report.reportSetupFailure({ step: 'cursor', exitCode: 1 });
+  assert.equal(captured.timeoutMs, 3000, 'failure report must pass a tight 3s timeout');
+});
+
+test('reportSetupFailure: swallows a POST rejection and returns false (best-effort)', async () => {
+  const { api, config, report } = freshReport();
+  api.post = async () => { throw new Error('ECONNREFUSED / offline'); };
+  config.getApiKey = () => 'k';
+
+  let result;
+  await assert.doesNotReject(async () => { result = await report.reportSetupFailure({ step: 'codex', exitCode: 1 }); });
+  assert.equal(result, false);
+});
+
+test('reportSetupFailure: a 429 (rate-limited) is swallowed too', async () => {
+  const { api, config, report } = freshReport();
+  api.post = async () => { const e = new Error('Too many requests'); e.statusCode = 429; throw e; };
+  config.getApiKey = () => 'k';
+
+  const result = await report.reportSetupFailure({ step: 'cursor', exitCode: 1 });
+  assert.equal(result, false);
+});
+
+test('reportSetupFailure: no API key → skips quietly (false), no POST attempted', async () => {
+  const { api, config, report } = freshReport();
+  let called = false;
+  api.post = async () => { called = true; return {}; };
+  config.getApiKey = () => null;
+
+  const result = await report.reportSetupFailure({ step: 'cursor', exitCode: 1 });
+  assert.equal(result, false);
+  assert.equal(called, false, 'no POST without a key');
+});
+
+test('normalizeStep: clamps to 64 chars and defaults empties to "unknown"', () => {
+  const { report } = freshReport();
+  assert.equal(report._normalizeStep(''), 'unknown');
+  assert.equal(report._normalizeStep(null), 'unknown');
+  assert.equal(report._normalizeStep('cursor'), 'cursor');
+  assert.equal(report._normalizeStep('x'.repeat(100)).length, 64);
+});
+
+test('normalizeExitCode: integers pass through, non-integers fall back to 1', () => {
+  const { report } = freshReport();
+  assert.equal(report._normalizeExitCode(2), 2);
+  assert.equal(report._normalizeExitCode(-1), -1);
+  assert.equal(report._normalizeExitCode('nope'), 1);
+  assert.equal(report._normalizeExitCode(undefined), 1);
+});
+
+test('deviceIdentifier: returns a non-empty string within the 255-char limit', () => {
+  const { report } = freshReport();
+  const id = report.deviceIdentifier();
+  assert.equal(typeof id, 'string');
+  assert.ok(id.length > 0 && id.length <= 255);
+});

package/test/telemetry.test.js

@@ -0,0 +1,114 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+
+// Sentry observability is opt-out and DSN-gated. These tests prove it stays
+// fully disabled (no init, no network, no throw) when there's no DSN or when
+// the user opts out, and that beforeSend scrubs secrets before anything leaves
+// the machine. All without any real network or a real Sentry client.
+
+function freshTelemetry() {
+  delete require.cache[require.resolve('../src/telemetry')];
+  return require('../src/telemetry');
+}
+
+function withEnv(vars, fn) {
+  const saved = {};
+  for (const k of Object.keys(vars)) {
+    saved[k] = process.env[k];
+    if (vars[k] === undefined) delete process.env[k];
+    else process.env[k] = vars[k];
+  }
+  try {
+    return fn();
+  } finally {
+    for (const k of Object.keys(vars)) {
+      if (saved[k] === undefined) delete process.env[k];
+      else process.env[k] = saved[k];
+    }
+  }
+}
+
+test('telemetry: disabled (no init, no throw) when UNBOUND_CLI_SENTRY_DSN is unset', () => {
+  withEnv({ UNBOUND_CLI_SENTRY_DSN: undefined, UNBOUND_TELEMETRY: undefined }, () => {
+    const t = freshTelemetry();
+    assert.equal(t.isEnabled(), false);
+    // init/captureError/flush must be no-ops that never throw or hit the network.
+    assert.doesNotThrow(() => t.init({ flow: 'onboard', runId: 'r1' }));
+    assert.doesNotThrow(() => t.captureError(new Error('boom')));
+    return t.flush(); // resolves, no-op
+  });
+});
+
+test('telemetry: opt-out via UNBOUND_TELEMETRY disables even with a DSN present', () => {
+  for (const optOut of ['0', 'false', 'no', 'FALSE', 'No']) {
+    withEnv({ UNBOUND_CLI_SENTRY_DSN: 'https://abc@example.invalid/1', UNBOUND_TELEMETRY: optOut }, () => {
+      const t = freshTelemetry();
+      assert.equal(t.isEnabled(), false, `opt-out value "${optOut}" should disable`);
+      assert.doesNotThrow(() => t.init());
+      assert.doesNotThrow(() => t.captureError(new Error('x')));
+    });
+  }
+});
+
+test('telemetry: enabled only when DSN set and not opted out', () => {
+  withEnv({ UNBOUND_CLI_SENTRY_DSN: 'https://abc@example.invalid/1', UNBOUND_TELEMETRY: undefined }, () => {
+    const t = freshTelemetry();
+    assert.equal(t.isEnabled(), true);
+  });
+  withEnv({ UNBOUND_CLI_SENTRY_DSN: 'https://abc@example.invalid/1', UNBOUND_TELEMETRY: '1' }, () => {
+    const t = freshTelemetry();
+    assert.equal(t.isEnabled(), true, 'UNBOUND_TELEMETRY=1 is not an opt-out');
+  });
+});
+
+test('telemetry: wrapAction returns the action result and never inits when disabled', async () => {
+  await withEnv({ UNBOUND_CLI_SENTRY_DSN: undefined }, async () => {
+    const t = freshTelemetry();
+    const wrapped = t.wrapAction('setup', async (a, b) => a + b);
+    const result = await wrapped(2, 3);
+    assert.equal(result, 5);
+  });
+});
+
+test('telemetry: wrapAction captures then rethrows the original error', async () => {
+  await withEnv({ UNBOUND_CLI_SENTRY_DSN: undefined }, async () => {
+    const t = freshTelemetry();
+    const original = new Error('real failure');
+    const wrapped = t.wrapAction('onboard', async () => { throw original; });
+    await assert.rejects(() => wrapped(), (err) => err === original);
+  });
+});
+
+test('beforeSend: scrubs known secret values, home paths, and username', () => {
+  const t = freshTelemetry();
+  t.rememberSecret('sk-supersecretkey123');
+  const home = require('os').homedir();
+  const username = require('os').userInfo().username;
+
+  const event = {
+    server_name: 'my-laptop',
+    user: { username, id: '1' },
+    message: `failed with key sk-supersecretkey123 at ${home}/.unbound/config.json`,
+    exception: { values: [{ value: `token ub_abcdefgh12345 leaked for user ${username}` }] },
+  };
+  const out = t._beforeSend(event);
+
+  assert.ok(out, 'event is not dropped');
+  assert.equal(out.server_name, undefined, 'server_name removed');
+  assert.equal(out.user.username, undefined, 'username field removed');
+  assert.ok(!out.message.includes('sk-supersecretkey123'), out.message);
+  assert.ok(!out.message.includes(home), out.message);
+  assert.ok(out.message.includes('~/.unbound'), out.message);
+  assert.ok(!out.exception.values[0].value.includes('ub_abcdefgh12345'), out.exception.values[0].value);
+});
+
+test('beforeSend: never throws — returns null instead of crashing the flow', () => {
+  const t = freshTelemetry();
+  // A frozen object can't be mutated; beforeSend must catch and drop, not throw.
+  const frozen = Object.freeze({ message: 'x', user: Object.freeze({ username: 'a' }) });
+  assert.doesNotThrow(() => {
+    const r = t._beforeSend(frozen);
+    // Either scrubbed or dropped (null) — both acceptable; the point is no throw.
+    assert.ok(r === null || typeof r === 'object');
+  });
+});