mirror of https://github.com/garrytan/gstack.git
63 lines
2.9 KiB
TypeScript
63 lines
2.9 KiB
TypeScript
import { describe, test, expect } from "bun:test";
|
|
import { readFileSync } from "fs";
|
|
import path from "path";
|
|
|
|
const SCRIPT = path.join(import.meta.dir, "..", "bin", "gstack-learnings-search");
|
|
|
|
describe("gstack-learnings-search injection prevention", () => {
|
|
const script = readFileSync(SCRIPT, "utf-8");
|
|
|
|
test("no shell interpolation inside bun -e string", () => {
|
|
// Extract the bun -e block (everything between `bun -e "` and the closing `"`)
|
|
const bunBlock = script.slice(script.indexOf('bun -e "'));
|
|
|
|
// Should NOT contain ${VAR} patterns (shell interpolation)
|
|
// These are RCE vectors: a malicious learnings entry with '; rm -rf / ;' in the
|
|
// query field would execute arbitrary commands via shell interpolation.
|
|
const shellInterpolations = bunBlock.match(/'\$\{[A-Z_]+\}'/g) || [];
|
|
const bareInterpolations = bunBlock.match(/\$\{[A-Z_]+\}/g) || [];
|
|
|
|
// Filter out any that are inside process.env references (those are safe)
|
|
const unsafeInterpolations = [
|
|
...shellInterpolations,
|
|
...bareInterpolations,
|
|
].filter((m) => !m.includes("process.env"));
|
|
|
|
expect(unsafeInterpolations).toEqual([]);
|
|
});
|
|
|
|
test("uses process.env for all user-controlled values", () => {
|
|
const bunBlock = script.slice(script.indexOf('bun -e "'));
|
|
|
|
// Must use process.env for TYPE, QUERY, LIMIT.
|
|
// SLUG and CROSS are no longer threaded as env vars inside the bun
|
|
// block since PR #1619 — current vs cross-project rows are now
|
|
// distinguished by inline tags in the piped input (`current\t<line>`
|
|
// vs `cross\t<line>`), removing the need for env-var filters inside
|
|
// the bun block. CROSS is still set on the bash command line (it
|
|
// controls whether the cross-project find runs at all), but the bun
|
|
// block reads the tag, not the env var.
|
|
expect(bunBlock).toContain("process.env.GSTACK_SEARCH_TYPE");
|
|
expect(bunBlock).toContain("process.env.GSTACK_SEARCH_QUERY");
|
|
expect(bunBlock).toContain("process.env.GSTACK_SEARCH_LIMIT");
|
|
});
|
|
|
|
test("env vars are set on the bun command line", () => {
|
|
// The env vars must be passed to bun, not just set in the shell.
|
|
// SLUG removed by PR #1619 — see above.
|
|
expect(script).toContain("GSTACK_SEARCH_TYPE=");
|
|
expect(script).toContain("GSTACK_SEARCH_QUERY=");
|
|
expect(script).toContain("GSTACK_SEARCH_LIMIT=");
|
|
expect(script).toContain("GSTACK_SEARCH_CROSS=");
|
|
});
|
|
|
|
test("current vs cross-project rows distinguished by inline tags, not SLUG env (#1619)", () => {
|
|
const bunBlock = script.slice(script.indexOf('bun -e "'));
|
|
// The bun block must inspect the per-line tag to mark cross-project rows.
|
|
// The current shape emits `current\t<json>` or `cross\t<json>` from the
|
|
// upstream pipe (via emit_tagged_file). Inside the bun block, the script
|
|
// parses out the leading tag and sets a per-entry flag.
|
|
expect(bunBlock).toMatch(/sourceTag|tabIndex|crossProject/);
|
|
});
|
|
});
|