2026-02-14 19:50:33 +01:00
|
|
|
import { describe, expect, it } from "vitest";
|
2026-02-21 13:22:16 +00:00
|
|
|
import { withEnv } from "../test-utils/env.js";
|
2026-02-14 19:50:33 +01:00
|
|
|
import { sanitizeEnv } from "./invoke.js";
|
2026-02-16 00:43:59 +00:00
|
|
|
import { buildNodeInvokeResultParams } from "./runner.js";
|
2026-02-14 19:50:33 +01:00
|
|
|
|
|
|
|
|
describe("node-host sanitizeEnv", () => {
|
|
|
|
|
it("ignores PATH overrides", () => {
|
2026-02-21 13:22:16 +00:00
|
|
|
withEnv({ PATH: "/usr/bin" }, () => {
|
2026-02-21 11:43:53 +01:00
|
|
|
const env = sanitizeEnv({ PATH: "/tmp/evil:/usr/bin" });
|
2026-02-14 19:50:33 +01:00
|
|
|
expect(env.PATH).toBe("/usr/bin");
|
2026-02-21 13:22:16 +00:00
|
|
|
});
|
2026-02-14 19:50:33 +01:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it("blocks dangerous env keys/prefixes", () => {
|
2026-02-21 13:22:16 +00:00
|
|
|
withEnv({ PYTHONPATH: undefined, LD_PRELOAD: undefined, BASH_ENV: undefined }, () => {
|
2026-02-21 11:43:53 +01:00
|
|
|
const env = sanitizeEnv({
|
|
|
|
|
PYTHONPATH: "/tmp/pwn",
|
|
|
|
|
LD_PRELOAD: "/tmp/pwn.so",
|
|
|
|
|
BASH_ENV: "/tmp/pwn.sh",
|
|
|
|
|
FOO: "bar",
|
|
|
|
|
});
|
2026-02-14 19:50:33 +01:00
|
|
|
expect(env.FOO).toBe("bar");
|
|
|
|
|
expect(env.PYTHONPATH).toBeUndefined();
|
|
|
|
|
expect(env.LD_PRELOAD).toBeUndefined();
|
2026-02-21 11:43:53 +01:00
|
|
|
expect(env.BASH_ENV).toBeUndefined();
|
2026-02-21 13:22:16 +00:00
|
|
|
});
|
2026-02-21 11:43:53 +01:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it("drops dangerous inherited env keys even without overrides", () => {
|
2026-02-21 13:22:16 +00:00
|
|
|
withEnv({ PATH: "/usr/bin:/bin", BASH_ENV: "/tmp/pwn.sh" }, () => {
|
2026-02-21 11:43:53 +01:00
|
|
|
const env = sanitizeEnv(undefined);
|
|
|
|
|
expect(env.PATH).toBe("/usr/bin:/bin");
|
|
|
|
|
expect(env.BASH_ENV).toBeUndefined();
|
2026-02-21 13:22:16 +00:00
|
|
|
});
|
2026-02-14 19:50:33 +01:00
|
|
|
});
|
|
|
|
|
});
|
2026-02-16 00:43:59 +00:00
|
|
|
|
|
|
|
|
describe("buildNodeInvokeResultParams", () => {
|
|
|
|
|
it("omits optional fields when null/undefined", () => {
|
|
|
|
|
const params = buildNodeInvokeResultParams(
|
|
|
|
|
{ id: "invoke-1", nodeId: "node-1", command: "system.run" },
|
|
|
|
|
{ ok: true, payloadJSON: null, error: null },
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
expect(params).toEqual({ id: "invoke-1", nodeId: "node-1", ok: true });
|
|
|
|
|
expect("payloadJSON" in params).toBe(false);
|
|
|
|
|
expect("error" in params).toBe(false);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it("includes payloadJSON when provided", () => {
|
|
|
|
|
const params = buildNodeInvokeResultParams(
|
|
|
|
|
{ id: "invoke-2", nodeId: "node-2", command: "system.run" },
|
|
|
|
|
{ ok: true, payloadJSON: '{"ok":true}' },
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
expect(params.payloadJSON).toBe('{"ok":true}');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it("includes payload when provided", () => {
|
|
|
|
|
const params = buildNodeInvokeResultParams(
|
|
|
|
|
{ id: "invoke-3", nodeId: "node-3", command: "system.run" },
|
|
|
|
|
{ ok: false, payload: { reason: "bad" } },
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
expect(params.payload).toEqual({ reason: "bad" });
|
|
|
|
|
});
|
|
|
|
|
});
|
