liderra/brain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
edea1ea40c187914de58a03a2d40df1dcd4bd839
brain/tools/url-whitelist-rules.test.mjs
T
Дмитрий 5a9b5b4510 fix: anchor commit-message lookahead host-terminator to close subdomain-spoof bypass 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 17:37:47 +03:00

60 lines
2.9 KiB
JavaScript
Raw Blame History

import { describe, it, expect } from 'vitest';
import {
DEFAULT_PROJECT_URL_WHITELIST, BASE_NAVIGATE_HOSTS, escapeDomain,
buildNavigateWhitelistPatterns, buildWebFetchWhitelistPatterns, buildCommitMessageUrlPattern,
} from './url-whitelist-rules.mjs';
describe('escapeDomain', () => {
it('escapes dots, leaves slash literal', () => {
expect(escapeDomain('liderra.ru')).toBe('liderra\\.ru');
expect(escapeDomain('github.com/liderra')).toBe('github\\.com/liderra');
expect(escapeDomain('127.0.0.1')).toBe('127\\.0\\.0\\.1');
});
});
describe('buildNavigateWhitelistPatterns', () => {
it('default project → byte-identical to current navigate pattern', () => {
expect(buildNavigateWhitelistPatterns(['liderra.ru'])).toEqual([
'^https?://(?:localhost|127\\.0\\.0\\.1|liderra\\.ru)(?:[:/?#]|$)']);
});
it('drops path-qualified domains; empty → base only (fail-CLOSED)', () => {
expect(buildNavigateWhitelistPatterns(['github.com/liderra'])).toEqual([
'^https?://(?:localhost|127\\.0\\.0\\.1)(?:[:/?#]|$)']);
expect(buildNavigateWhitelistPatterns([])).toEqual([
'^https?://(?:localhost|127\\.0\\.0\\.1)(?:[:/?#]|$)']);
});
});
describe('buildWebFetchWhitelistPatterns', () => {
it('appends project domains, keeps base; empty → base only', () => {
const r = buildWebFetchWhitelistPatterns(['liderra.ru', 'github.com/liderra']);
expect(r).toContain('^https?://liderra\\.ru/');
expect(r).toContain('^https?://github\\.com/liderra/');
expect(r).toContain('^https?://docs\\.anthropic\\.com/');
expect(buildWebFetchWhitelistPatterns([]).some((p) => /liderra/.test(p))).toBe(false);
});
});
describe('buildCommitMessageUrlPattern', () => {
it('default: liderra/anthropic allowed, external blocked', () => {
const re = buildCommitMessageUrlPattern(['liderra.ru', 'github.com/liderra']);
expect(re.test('see https://liderra.ru/x')).toBe(false);
expect(re.test('see https://docs.anthropic.com/x')).toBe(false);
expect(re.test('see http://evil.example.com/p')).toBe(true);
});
it('empty → liderra blocked (fail-CLOSED), anthropic ok', () => {
const re = buildCommitMessageUrlPattern([]);
expect(re.test('see https://liderra.ru/x')).toBe(true);
expect(re.test('see https://docs.anthropic.com/x')).toBe(false);
});
it('flags subdomain-suffix spoof of a whitelisted host (anchor)', () => {
const re = buildCommitMessageUrlPattern(['liderra.ru', 'github.com/liderra']);
expect(re.test('see https://liderra.ru.evil.com/x')).toBe(true);
expect(re.test('see https://github.com/liderra-evil/x')).toBe(true);
expect(re.test('see https://liderra.ru/admin')).toBe(false);
});
});
describe('defaults', () => {
it('expected values', () => {
expect(DEFAULT_PROJECT_URL_WHITELIST).toEqual(['liderra.ru', 'github.com/liderra']);
expect(BASE_NAVIGATE_HOSTS).toEqual(['localhost', '127.0.0.1']);
});
});
Reference in New Issue View Git Blame Copy Permalink