From 699ac5ab12bd35ee850466a7e2d41f7e7df55bda Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Fri, 13 Mar 2026 23:54:12 +0000
Subject: [PATCH] test: tighten safe bin policy coverage
---
 src/infra/exec-safe-bin-policy.test.ts | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/src/infra/exec-safe-bin-policy.test.ts b/src/infra/exec-safe-bin-policy.test.ts
index 285b1465e53..b723d2301f3 100644
--- a/src/infra/exec-safe-bin-policy.test.ts
+++ b/src/infra/exec-safe-bin-policy.test.ts
@@ -53,6 +53,12 @@ describe("exec safe bin policy sort", () => {
 expect(validateSafeBinArgv(["--ke=1,1"], sortProfile)).toBe(true);
 });
 
+ it("rejects missing or path-like values for allowed flags", () => {
+ expect(validateSafeBinArgv(["--key"], sortProfile)).toBe(false);
+ expect(validateSafeBinArgv(["--key", "./fields.txt"], sortProfile)).toBe(false);
+ expect(validateSafeBinArgv(["-S", "C:\\temp\\buffer"], sortProfile)).toBe(false);
+ });
+
 it("blocks sort --compress-program in safe-bin mode", () => {
 expect(validateSafeBinArgv(["--compress-program=sh"], sortProfile)).toBe(false);
 expect(validateSafeBinArgv(["--compress-program", "sh"], sortProfile)).toBe(false);
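Review bot: The new `rejects missing or path-like values for allowed flags` case only exercises the separate-token form (flag, then value), while the neighbouring `--compress-program` test pins both `--flag=value` and `--flag value`. The inline form is usually a separate parse path in an argv validator, so I would pin it as well, e.g. `expect(validateSafeBinArgv(["--key=./fields.txt"], sortProfile)).toBe(false);` — assuming the policy is meant to reject it, which the visible lines do not establish. The test also mixes two rejection reasons (missing value, path-like value); splitting it into two `it` blocks would make a failure point at the rule that regressed.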
@@ -78,6 +84,19 @@ describe("exec safe bin policy wc", () => {
 });
 });
 
+describe("exec safe bin policy token hygiene", () => {
+ it("rejects path-like and glob positional tokens after the terminator", () => {
+ const grepProfile = SAFE_BIN_PROFILES.grep;
+ expect(validateSafeBinArgv(["-e", "needle", "--", "../secret.txt"], grepProfile)).toBe(false);
+ expect(validateSafeBinArgv(["-e", "needle", "--", "*.txt"], grepProfile)).toBe(false);
+ });
+
+ it("keeps stdin marker after the terminator non-positional", () => {
+ const grepProfile = SAFE_BIN_PROFILES.grep;
+ expect(validateSafeBinArgv(["-e", "needle", "--", "-"], grepProfile)).toBe(true);
+ });
+});
+
 describe("exec safe bin policy long-option metadata", () => {
 it("precomputes long-option prefix mappings for compiled profiles", () => {
 const sortProfile = SAFE_BIN_PROFILES.sort;
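Review bot: The `-` case in `keeps stdin marker after the terminator non-positional` has no comment saying why it is allowed, and an accepted token right after two rejected ones is easy to misread as a policy gap. I would add a line such as `// "-" selects stdin, so it is not counted as a file operand`, if that is indeed the intent. Separately, `const grepProfile = SAFE_BIN_PROFILES.grep;` is repeated in both `it` blocks of the new `token hygiene` describe and could be declared once at describe scope. It may also be worth asserting the same path-like and glob tokens without the `--` terminator, so the result is shown not to depend on it; whether that holds is not visible in this hunk.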