From b4a3e5324bf7c878210b75fda799c1fbae591caf Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Fri, 13 Mar 2026 19:06:22 +0000
Subject: [PATCH] test: expand exec wrapper helper coverage
---
 src/infra/exec-wrapper-resolution.test.ts | 160 ++++++++++++++++++++++
 1 file changed, 160 insertions(+)
diff --git a/src/infra/exec-wrapper-resolution.test.ts b/src/infra/exec-wrapper-resolution.test.ts
index 58f1e696c22..001d0ca2514 100644
--- a/src/infra/exec-wrapper-resolution.test.ts
+++ b/src/infra/exec-wrapper-resolution.test.ts
@@ -1,9 +1,15 @@
 import { describe, expect, test } from "vitest";
 import {
 basenameLower,
+ extractShellWrapperCommand,
+ extractShellWrapperInlineCommand,
+ hasEnvManipulationBeforeShellWrapper,
 isDispatchWrapperExecutable,
 isShellWrapperExecutable,
 normalizeExecutableToken,
+ resolveDispatchWrapperExecutionPlan,
+ unwrapEnvInvocation,
+ unwrapKnownDispatchWrapperInvocation,
 unwrapKnownShellMultiplexerInvocation,
 } from "./exec-wrapper-resolution.js";
 
@@ -66,3 +72,157 @@ describe("unwrapKnownShellMultiplexerInvocation", () => {
 expect(unwrapKnownShellMultiplexerInvocation(argv)).toEqual(expected);
 });
 });
+
+describe("unwrapEnvInvocation", () => {
+ test.each([
+ {
+ argv: ["env", "FOO=bar", "bash", "-lc", "echo hi"],
+ expected: ["bash", "-lc", "echo hi"],
+ },
+ {
+ argv: ["env", "-i", "--unset", "PATH", "--", "sh", "-lc", "echo hi"],
+ expected: ["sh", "-lc", "echo hi"],
+ },
+ {
+ argv: ["env", "--chdir=/tmp", "pwsh", "-Command", "Get-Date"],
+ expected: ["pwsh", "-Command", "Get-Date"],
+ },
+ {
+ argv: ["env", "-", "bash", "-lc", "echo hi"],
+ expected: ["bash", "-lc", "echo hi"],
+ },
+ {
+ argv: ["env", "--bogus", "bash", "-lc", "echo hi"],
+ expected: null,
+ },
+ {
+ argv: ["env", "--unset"],
+ expected: null,
+ },
+ ])("unwraps env invocations for %j", ({ argv, expected }) => {
+ expect(unwrapEnvInvocation(argv)).toEqual(expected);
+ });
+});
+
+describe("unwrapKnownDispatchWrapperInvocation", () => {
+ test.each([
+ {
+ argv: ["nice", "-n", "5", "bash", "-lc", "echo hi"],
+ expected: { kind: "unwrapped", wrapper: "nice", argv: ["bash", "-lc", "echo hi"] },
+ },
+ {
+ argv: ["nohup", "--", "bash", "-lc", "echo hi"],
+ expected: { kind: "unwrapped", wrapper: "nohup", argv: ["bash", "-lc", "echo hi"] },
+ },
+ {
+ argv: ["stdbuf", "-o", "L", "bash", "-lc", "echo hi"],
+ expected: { kind: "unwrapped", wrapper: "stdbuf", argv: ["bash", "-lc", "echo hi"] },
+ },
+ {
+ argv: ["timeout", "--signal=TERM", "5s", "bash", "-lc", "echo hi"],
+ expected: { kind: "unwrapped", wrapper: "timeout", argv: ["bash", "-lc", "echo hi"] },
+ },
+ {
+ argv: ["sudo", "bash", "-lc", "echo hi"],
+ expected: { kind: "blocked", wrapper: "sudo" },
+ },
+ {
+ argv: ["timeout", "--bogus", "5s", "bash", "-lc", "echo hi"],
+ expected: { kind: "blocked", wrapper: "timeout" },
+ },
+ ])("unwraps known dispatch wrappers for %j", ({ argv, expected }) => {
+ expect(unwrapKnownDispatchWrapperInvocation(argv)).toEqual(expected);
+ });
+});
+
+describe("resolveDispatchWrapperExecutionPlan", () => {
+ test("unwraps transparent wrapper chains", () => {
+ expect(
+ resolveDispatchWrapperExecutionPlan(["nohup", "nice", "-n", "5", "bash", "-lc", "echo hi"]),
+ ).toEqual({
+ argv: ["bash", "-lc", "echo hi"],
+ wrappers: ["nohup", "nice"],
+ policyBlocked: false,
+ });
+ });
+
+ test("blocks semantic env usage even when it reaches a shell wrapper", () => {
+ expect(
+ resolveDispatchWrapperExecutionPlan(["env", "FOO=bar", "bash", "-lc", "echo hi"]),
+ ).toEqual({
+ argv: ["env", "FOO=bar", "bash", "-lc", "echo hi"],
+ wrappers: ["env"],
+ policyBlocked: true,
+ blockedWrapper: "env",
+ });
+ });
+
+ test("blocks wrapper overflow beyond the configured depth", () => {
+ expect(
+ resolveDispatchWrapperExecutionPlan(["nohup", "timeout", "5s", "bash", "-lc", "echo hi"], 1),
+ ).toEqual({
+ argv: ["timeout", "5s", "bash", "-lc", "echo hi"],
+ wrappers: ["nohup"],
+ policyBlocked: true,
+ blockedWrapper: "timeout",
+ });
+ });
+});
+
+describe("hasEnvManipulationBeforeShellWrapper", () => {
+ test.each([
+ {
+ argv: ["env", "FOO=bar", "bash", "-lc", "echo hi"],
+ expected: true,
+ },
+ {
+ argv: ["timeout", "5s", "env", "--", "bash", "-lc", "echo hi"],
+ expected: false,
+ },
+ {
+ argv: ["timeout", "5s", "env", "FOO=bar", "bash", "-lc", "echo hi"],
+ expected: true,
+ },
+ {
+ argv: ["sudo", "bash", "-lc", "echo hi"],
+ expected: false,
+ },
+ ])("detects env manipulation before shell wrappers for %j", ({ argv, expected }) => {
+ expect(hasEnvManipulationBeforeShellWrapper(argv)).toBe(expected);
+ });
+});
+
+describe("extractShellWrapperCommand", () => {
+ test.each([
+ {
+ argv: ["bash", "-lc", "echo hi"],
+ expectedInline: "echo hi",
+ expectedCommand: { isWrapper: true, command: "echo hi" },
+ },
+ {
+ argv: ["busybox", "sh", "-lc", "echo hi"],
+ expectedInline: "echo hi",
+ expectedCommand: { isWrapper: true, command: "echo hi" },
+ },
+ {
+ argv: ["env", "--", "pwsh", "-Command", "Get-Date"],
+ expectedInline: "Get-Date",
+ expectedCommand: { isWrapper: true, command: "Get-Date" },
+ },
+ {
+ argv: ["bash", "script.sh"],
+ expectedInline: null,
+ expectedCommand: { isWrapper: false, command: null },
+ },
+ ])("extracts inline commands for %j", ({ argv, expectedInline, expectedCommand }) => {
+ expect(extractShellWrapperInlineCommand(argv)).toBe(expectedInline);
+ expect(extractShellWrapperCommand(argv)).toEqual(expectedCommand);
+ });
+
+ test("prefers an explicit raw command override when provided", () => {
+ expect(extractShellWrapperCommand(["bash", "-lc", "echo hi"], " run this instead ")).toEqual({
+ isWrapper: true,
+ command: "run this instead",
+ });
+ });
+});
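Review bot: The `hasEnvManipulationBeforeShellWrapper` table pins only a `FOO=bar` assignment as manipulation and a bare `env --` as clean, so the option forms that the `unwrapEnvInvocation` cases in this same hunk accept (`-i`, `--unset PATH`, `--chdir=/tmp`) are left unspecified, although they too change the child's environment or working directory. The helper's implementation is outside this diff, but if its result feeds an allow/block decision I would add one row per option form with whatever answer the policy intends, for example `{ argv: ["env", "-i", "bash", "-lc", "echo hi"], expected: true },`. The `resolveDispatchWrapperExecutionPlan` block has the same gap: it asserts `policyBlocked: true` for an assignment but never states the plan for `env` carrying only options or only `--`. A one-line comment on the `sudo` row saying why `expected: false` is the intended answer would also help, since the dispatch-wrapper table above reports `sudo` as `blocked`.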