4a58aa1657
- Type renames: CIConfig → CIAgentConfig, DEFAULT_CI_CONFIG → DEFAULT_CIAGENT_CONFIG - Type renames: CiMetadata → CIAgentMetadata, ParsedCiCommit → ParsedCIAgentCommit - Function renames: initCI → initCIAgent, isCIInitialized → isCIAgentInitialized - Function renames: extractCiBlock → extractCIAgentBlock, parseCiBlock → parseCIAgentBlock - Class renames: CiFiles → CIAgentFiles - Import paths: ci-files.js → ciagent-files.js - Directory paths: .ci/ → .ciagent/ across all source and test files - Check names: ".ci directory exists" → ".ciagent directory exists" - Check names: "CI config valid" → "CIAgent config valid" - Temp dir names: ci-*-test- → ciagent-*-test- - CLI examples: "ci init" → "ciagent init" - Fix deepMerge infinite recursion bug in config.ts - ---ci---/---/ci--- block markers preserved unchanged - All 31 test suites, 370 tests passing ---ci--- phase: 1 milestone: v0.5 plan: 07 task: 07-01-01 status: execute ---/ci---
import * as fs from "node:fs";
import * as path from "node:path";
import * as os from "node:os";
import { SecurityVerification } from "../verification/security.js";
/**
 * Behavioural tests for SecurityVerification.verify().
 *
 * Each case builds a throwaway project on disk, runs the verifier against it and
 * inspects the named entries of `result.checks`. The meaning of the second
 * argument to verify() (always `1` here) is not visible in this file.
 */
describe("SecurityVerification", () => {
  // Scratch project root; recreated for every test so fixtures never leak between cases.
  let projectRoot: string;

  /**
   * Lays out a minimal project under the scratch root: `src/<sourceName>` holding
   * `sourceText`, plus a `.gitignore` holding `ignoreText`.
   * The credential-looking strings the tests pass in are constructed fixture
   * values, and the fixture source is only written to disk, never executed here.
   */
  const seedProject = (sourceName: string, sourceText: string, ignoreText: string): void => {
    const sourceRoot = path.join(projectRoot, "src");
    fs.mkdirSync(sourceRoot, { recursive: true });
    fs.writeFileSync(path.join(sourceRoot, sourceName), sourceText);
    fs.writeFileSync(path.join(projectRoot, ".gitignore"), ignoreText);
  };

  beforeEach(() => {
    const prefix = path.join(os.tmpdir(), "ciagent-security-test-");
    projectRoot = fs.mkdtempSync(prefix);
  });

  afterEach(() => {
    // force: true keeps cleanup from throwing if the directory is already gone.
    fs.rmSync(projectRoot, { recursive: true, force: true });
  });

  it("passes when no security threats detected", async () => {
    seedProject("app.ts", "export function main() { return 1; }", "node_modules\n.env\n");

    const report = await new SecurityVerification().verify(projectRoot, 1);

    expect(report.layer).toBe(3);
    expect(report.name).toBe("Security");
    const highSeverity = report.checks.find((check) => check.name.includes("High severity"));
    expect(highSeverity?.status).toBe("pass");
  });

  // NOTE(review): the three detection cases below assert only the aggregate
  // "High severity" status, not which finding was reported, so they would not
  // notice if the failure came from a different rule than the one named in the title.
  it("detects hardcoded passwords as high severity", async () => {
    seedProject("config.ts", 'const password = "supersecret123";', "node_modules\n.env\n");

    const report = await new SecurityVerification().verify(projectRoot, 1);

    const highSeverity = report.checks.find((check) => check.name.includes("High severity"));
    expect(highSeverity?.status).toBe("fail");
  });

  it("detects hardcoded API keys", async () => {
    seedProject("api.ts", 'const api_key = "abc123def456";', "node_modules\n.env\n");

    const report = await new SecurityVerification().verify(projectRoot, 1);

    const highSeverity = report.checks.find((check) => check.name.includes("High severity"));
    expect(highSeverity?.status).toBe("fail");
  });

  it("detects eval() usage", async () => {
    seedProject("eval.ts", 'function run(code: string) { eval(code); }', "node_modules\n.env\n");

    const report = await new SecurityVerification().verify(projectRoot, 1);

    const highSeverity = report.checks.find((check) => check.name.includes("High severity"));
    expect(highSeverity?.status).toBe("fail");
  });

  it("warns about missing .gitignore patterns", async () => {
    // Same clean source as the passing case, but the .gitignore omits the `.env` entry.
    seedProject("app.ts", "export function main() { return 1; }", "node_modules\n");

    const report = await new SecurityVerification().verify(projectRoot, 1);

    const ignoreCheck = report.checks.find((check) => check.name.includes(".gitignore"));
    expect(ignoreCheck?.status).toBe("warning");
  });

  it("skips checks when no src/ directory", async () => {
    // Nothing is seeded: the scratch root is empty, so there is no src/ to scan.
    // NOTE(review): an unscanned project is expected to report "pass" for the
    // "Low severity" check; confirm the verifier surfaces the skip elsewhere so a
    // wrong project root is not read as a clean scan.
    const report = await new SecurityVerification().verify(projectRoot, 1);

    const lowSeverity = report.checks.find((check) => check.name.includes("Low severity"));
    expect(lowSeverity?.status).toBe("pass");
  });
});