~cytrogen/gstack

ref: 7450b5160b69d54eff1feb78e3e99a97e16fb4d5 gstack/browse/test/adversarial-security.test.ts -rw-r--r-- 1.2 KiB
7450b516 — Garry Tan fix: security audit remediation — 12 fixes, 20 tests (v0.13.1.0) (#595) 12 days ago 
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

/**
 * Adversarial security tests — XSS and boundary-check hardening
 *
 * Test 19: Sidepanel escapes entry.command in activity feed (prevents XSS)
 * Test 20: Freeze hook uses trailing slash in boundary check (prevents prefix collision)
 */

import { describe, test, expect } from 'bun:test';
import * as fs from 'fs';
import * as path from 'path';

describe('Adversarial security', () => {
  test('sidepanel escapes entry.command in activity feed', () => {
    const source = fs.readFileSync(
      path.join(import.meta.dir, '../../extension/sidepanel.js'),
      'utf-8',
    );
    // entry.command must be wrapped in escapeHtml() to prevent XSS injection
    // via crafted command names in the activity feed
    expect(source).toContain('escapeHtml(entry.command');
  });

  test('freeze hook uses trailing slash in boundary check', () => {
    const source = fs.readFileSync(
      path.join(import.meta.dir, '../../freeze/bin/check-freeze.sh'),
      'utf-8',
    );
    // The boundary check must use "${FREEZE_DIR}/" with a trailing slash
    // to prevent prefix collision (e.g., /app matching /application)
    expect(source).toContain('"${FREEZE_DIR}/"');
  });
});