admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity

test(config): dedupe traversal include assertions

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 23:14:59 +00:00
parent c4aac407dc
commit 71c17da2ba
1 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/config/includes.test.ts
View File

@@ -388,6 +388,18 @@ describe("real-world config patterns", () => {
});
});
describe("security: path traversal protection (CWE-22)", () => {
function expectRejectedTraversalPaths(
cases: ReadonlyArray<{ includePath: string; expectEscapesMessage: boolean }>,
) {
for (const testCase of cases) {
const obj = { $include: testCase.includePath };
expect(() => resolve(obj, {}), testCase.includePath).toThrow(ConfigIncludeError);
if (testCase.expectEscapesMessage) {
expect(() => resolve(obj, {}), testCase.includePath).toThrow(/escapes config directory/);
}
}
}
describe("absolute path attacks", () => {
it("rejects absolute path attack variants", () => {
const cases = [
@@ -397,13 +409,7 @@ describe("security: path traversal protection (CWE-22)", () => {
{ includePath: "/tmp/malicious.json", expectEscapesMessage: false },
{ includePath: "/", expectEscapesMessage: false },
] as const;
for (const testCase of cases) {
const obj = { $include: testCase.includePath };
expectResolveIncludeError(() => resolve(obj, {}));
if (testCase.expectEscapesMessage) {
expectResolveIncludeError(() => resolve(obj, {}), /escapes config directory/);
}
}
expectRejectedTraversalPaths(cases);
});
});
@@ -416,13 +422,7 @@ describe("security: path traversal protection (CWE-22)", () => {
{ includePath: "../sibling-dir/secret.json", expectEscapesMessage: false },
{ includePath: "/config/../../../etc/passwd", expectEscapesMessage: false },
] as const;
for (const testCase of cases) {
const obj = { $include: testCase.includePath };
expectResolveIncludeError(() => resolve(obj, {}));
if (testCase.expectEscapesMessage) {
expectResolveIncludeError(() => resolve(obj, {}), /escapes config directory/);
}
}
expectRejectedTraversalPaths(cases);
});
});