milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Simplify tests

Browse source
This commit is contained in:
Hans Ott 2025-10-10 14:57:28 +02:00
parent 459f3a5b14
commit 2fa14b82f3
1 changed files with 41 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

97
packages/safe-chain/src/utils/safeSpawn.spec.js
View file

@ -11,14 +11,6 @@ describe("safeSpawn", () => {
// Mock child_process module to capture what command string gets built // Mock child_process module to capture what command string gets built
mock.module("child_process", { mock.module("child_process", {
namedExports: { namedExports: {
spawnSync: (command, options) => {
spawnCalls.push({ command, options });
return {
status: 0,
stdout: Buffer.from(""),
stderr: Buffer.from(""),
};
},
spawn: (command, options) => { spawn: (command, options) => {
spawnCalls.push({ command, options }); spawnCalls.push({ command, options });
return { return {
@ -42,63 +34,56 @@ describe("safeSpawn", () => {
mock.reset(); mock.reset();
}); });
// Helper to run either sync or async variant it("should pass basic command and arguments correctly", async () => {
async function runSafeSpawn(variant, command, args, options) { await safeSpawn("echo", ["hello"]);
return await safeSpawn(command, args, options);
}
for (let variant of ["async"]) { assert.strictEqual(spawnCalls.length, 1);
it(`should pass basic command and arguments correctly (${variant})`, async () => { assert.strictEqual(spawnCalls[0].command, "echo hello");
await runSafeSpawn(variant, "echo", ["hello"]); assert.strictEqual(spawnCalls[0].options.shell, true);
});
assert.strictEqual(spawnCalls.length, 1); it("should escape arguments containing spaces", async () => {
assert.strictEqual(spawnCalls[0].command, "echo hello"); await safeSpawn("echo", ["hello world"]);
assert.strictEqual(spawnCalls[0].options.shell, true);
});
it(`should escape arguments containing spaces (${variant})`, async () => { assert.strictEqual(spawnCalls.length, 1);
await runSafeSpawn(variant, "echo", ["hello world"]); // Argument should be escaped to prevent shell interpretation
assert.strictEqual(spawnCalls[0].command, 'echo "hello world"');
assert.strictEqual(spawnCalls[0].options.shell, true);
});
assert.strictEqual(spawnCalls.length, 1); it("should prevent shell injection attacks", async () => {
// Argument should be escaped to prevent shell interpretation await safeSpawn("ls", ["; rm test123.txt"]);
assert.strictEqual(spawnCalls[0].command, 'echo "hello world"');
assert.strictEqual(spawnCalls[0].options.shell, true);
});
it(`should prevent shell injection attacks (${variant})`, async () => { assert.strictEqual(spawnCalls.length, 1);
await runSafeSpawn(variant, "ls", ["; rm test123.txt"]); // Malicious command should be escaped to prevent execution
assert.strictEqual(spawnCalls[0].command, 'ls "; rm test123.txt"');
assert.strictEqual(spawnCalls[0].options.shell, true);
});
assert.strictEqual(spawnCalls.length, 1); it("should escape single quotes in arguments", async () => {
// Malicious command should be escaped to prevent execution await safeSpawn("echo", ["don't break"]);
assert.strictEqual(spawnCalls[0].command, 'ls "; rm test123.txt"');
assert.strictEqual(spawnCalls[0].options.shell, true);
});
it(`should escape single quotes in arguments (${variant})`, async () => { assert.strictEqual(spawnCalls.length, 1);
await runSafeSpawn(variant, "echo", ["don't break"]); // Single quote should be properly escaped with double quotes
assert.strictEqual(spawnCalls[0].command, 'echo "don\'t break"');
assert.strictEqual(spawnCalls[0].options.shell, true);
});
assert.strictEqual(spawnCalls.length, 1); it("should handle double quotes with simpler escaping", async () => {
// Single quote should be properly escaped with double quotes await safeSpawn("echo", ['say "hello"']);
assert.strictEqual(spawnCalls[0].command, 'echo "don\'t break"');
assert.strictEqual(spawnCalls[0].options.shell, true);
});
it(`should handle double quotes with simpler escaping (${variant})`, async () => { assert.strictEqual(spawnCalls.length, 1);
await runSafeSpawn(variant, "echo", ['say "hello"']); // If we switch to double quotes, this should be: "say \"hello\""
assert.strictEqual(spawnCalls[0].command, 'echo "say \\"hello\\""');
assert.strictEqual(spawnCalls[0].options.shell, true);
});
assert.strictEqual(spawnCalls.length, 1); it("should not escape arguments with only safe characters", async () => {
// If we switch to double quotes, this should be: "say \"hello\"" await safeSpawn("npm", ["install", "axios", "--save"]);
assert.strictEqual(spawnCalls[0].command, 'echo "say \\"hello\\""');
assert.strictEqual(spawnCalls[0].options.shell, true);
});
it(`should not escape arguments with only safe characters (${variant})`, async () => { assert.strictEqual(spawnCalls.length, 1);
await runSafeSpawn(variant, "npm", ["install", "axios", "--save"]); // Safe arguments (alphanumeric, dash, underscore, dot, slash) shouldn't be quoted
assert.strictEqual(spawnCalls[0].command, "npm install axios --save");
assert.strictEqual(spawnCalls.length, 1); assert.strictEqual(spawnCalls[0].options.shell, true);
// Safe arguments (alphanumeric, dash, underscore, dot, slash) shouldn't be quoted });
assert.strictEqual(spawnCalls[0].command, "npm install axios --save");
assert.strictEqual(spawnCalls[0].options.shell, true);
});
}
}); });