import fs from "node:fs"; import path from "node:path"; import { describe, expect, it } from "vitest"; import { evaluateShellAllowlist, normalizeSafeBins } from "./exec-approvals-allowlist.js"; import { analyzeArgvCommand, analyzeShellCommand, buildEnforcedShellCommand, buildSafeBinsShellCommand, resolvePlannedSegmentArgv, windowsEscapeArg, } from "./exec-approvals-analysis.js"; import { makePathEnv, makeTempDir } from "./exec-approvals-test-helpers.js"; import type { ExecAllowlistEntry } from "./exec-approvals.js"; import { matchAllowlist } from "./exec-command-resolution.js"; function expectAnalyzedShellCommand( command: string, platform?: NodeJS.Platform, ): ReturnType { const res = analyzeShellCommand({ command, platform }); expect(res.ok).toBe(true); return res; } describe("exec approvals shell analysis", () => { describe("safe shell command builder", () => { it("quotes only safeBins segments (leaves other segments untouched)", () => { if (process.platform === "win32") { return; } const analysis = expectAnalyzedShellCommand("rg foo src/*.ts | head -n 5 && echo ok"); const res = buildSafeBinsShellCommand({ command: "rg foo src/*.ts | head -n 5 && echo ok", segments: analysis.segments, segmentSatisfiedBy: [null, "safeBins", null], platform: process.platform, }); expect(res.ok).toBe(true); expect(res.command).toContain("rg foo src/*.ts"); expect(res.command).toMatch(/'[^']*\/head' '-n' '5'/); }); it("fails closed on segment metadata mismatch", () => { const analysis = expectAnalyzedShellCommand("echo ok"); expect( buildSafeBinsShellCommand({ command: "echo ok", segments: analysis.segments, segmentSatisfiedBy: [], }), ).toEqual({ ok: false, reason: "segment metadata mismatch" }); }); it("enforces canonical planned argv for every approved segment", () => { if (process.platform === "win32") { return; } const analysis = expectAnalyzedShellCommand("env rg -n needle"); const res = buildEnforcedShellCommand({ command: "env rg -n needle", segments: analysis.segments, platform: process.platform, }); expect(res.ok).toBe(true); expect(res.command).toMatch(/'(?:[^']*\/)?rg' '-n' 'needle'/); expect(res.command).not.toContain("'env'"); }); it("keeps shell multiplexer rebuilds as coherent execution argv", () => { if (process.platform === "win32") { return; } const dir = makeTempDir(); const busybox = path.join(dir, "busybox"); fs.writeFileSync(busybox, ""); fs.chmodSync(busybox, 0o755); const analysis = analyzeArgvCommand({ argv: [busybox, "sh", "-lc", "echo hi"], cwd: dir, env: { PATH: `/bin:/usr/bin${path.delimiter}${process.env.PATH ?? ""}` }, }); expect(analysis.ok).toBe(true); const segment = analysis.segments[0]; if (!segment) { throw new Error("expected first segment"); } const planned = resolvePlannedSegmentArgv(segment); expect(planned).toEqual([ segment.resolution?.execution.resolvedRealPath ?? segment.resolution?.execution.resolvedPath, "-lc", "echo hi", ]); expect(planned?.[0]).not.toBe(busybox); }); }); describe("shell parsing", () => { it("parses pipelines and chained commands", () => { type ShellParseCase = | { name: string; command: string; expectedSegments: string[] } | { name: string; command: string; expectedChainHeads: string[] }; const cases: ShellParseCase[] = [ { name: "pipeline", command: "echo ok | jq .foo", expectedSegments: ["echo", "jq"], }, { name: "chain", command: "ls && rm -rf /", expectedChainHeads: ["ls", "rm"], }, ]; for (const testCase of cases) { const res = expectAnalyzedShellCommand(testCase.command); if ("expectedSegments" in testCase) { expect( res.segments.map((seg) => seg.argv[0]), testCase.name, ).toEqual(testCase.expectedSegments); continue; } expect( res.chains?.map((chain) => chain[0]?.argv[0]), testCase.name, ).toEqual(testCase.expectedChainHeads); } }); it("parses argv commands", () => { const res = analyzeArgvCommand({ argv: ["/bin/echo", "ok"] }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv).toEqual(["/bin/echo", "ok"]); }); it("rejects empty argv commands", () => { expect(analyzeArgvCommand({ argv: ["", " "] })).toEqual({ ok: false, reason: "empty argv", segments: [], }); }); it.each([ { command: 'echo "output: $(whoami)"', reason: "unsupported shell token: $()" }, { command: 'echo "output: `id`"', reason: "unsupported shell token: `" }, { command: "echo $(whoami)", reason: "unsupported shell token: $()" }, { command: "cat < input.txt", reason: "unsupported shell token: <" }, { command: "echo ok > output.txt", reason: "unsupported shell token: >" }, { command: "/usr/bin/echo first line\n/usr/bin/echo second line", reason: "unsupported shell token: \n", }, { command: 'echo "ok $\\\n(id -u)"', reason: "unsupported shell token: newline", }, { command: 'echo "ok $\\\r\n(id -u)"', reason: "unsupported shell token: newline", }, { command: "ping 127.0.0.1 -n 1 & whoami", reason: "unsupported windows shell token: &", platform: "win32" as const, }, ])("rejects unsupported shell construct %j", ({ command, reason, platform }) => { const res = analyzeShellCommand({ command, platform }); expect(res.ok).toBe(false); expect(res.reason).toBe(reason); }); it("accepts shell metacharacters inside double-quoted arguments on Windows", () => { const cases = [ // parentheses in a date/title argument 'node add_lifelog.js "2026-03-28" "2026-03-28 (土) - LifeLog" --markdown', // pipe, redirection, ampersand inside quotes 'node tool.js "--filter=a|b" "--label=x>y" "--name=foo & bar"', // caret inside quotes 'node tool.js "--pattern=a^b"', // exclamation inside quotes 'node tool.js "--msg=Hello!"', ]; for (const command of cases) { const res = analyzeShellCommand({ command, platform: "win32" }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv[0]).toBe("node"); } }); it("still rejects unquoted metacharacters on Windows", () => { const cases = [ "ping 127.0.0.1 -n 1 & whoami", "echo hello | clip", "node tool.js > output.txt", "for /f %i in (file.txt) do echo %i", ]; for (const command of cases) { const res = analyzeShellCommand({ command, platform: "win32" }); expect(res.ok).toBe(false); } }); it("still rejects % inside double quotes on Windows", () => { const res = analyzeShellCommand({ command: 'node tool.js "--user=%USERNAME%"', platform: "win32", }); expect(res.ok).toBe(false); }); it("rejects PowerShell $ expansions in Windows commands", () => { // $ followed by identifier-start, { or ( is always unsafe — PowerShell // expands these even inside double-quoted strings, matching windowsEscapeArg. const cases = [ 'node app.js "$env:USERPROFILE"', "node app.js ${var}", "node app.js $(whoami)", ]; for (const command of cases) { const res = analyzeShellCommand({ command, platform: "win32" }); expect(res.ok).toBe(false); } }); it("rejects $? and $$ (PowerShell automatic variables) in Windows commands", () => { // $? (last exit status) and $$ (PID) are expanded by PowerShell inside // double-quoted strings and must be blocked to prevent unexpected expansion. const cases = ['node app.js "$?"', 'node app.js "$$"', "node app.js $?", "node app.js $$"]; for (const command of cases) { const res = analyzeShellCommand({ command, platform: "win32" }); expect(res.ok).toBe(false); } }); it("allows bare $ not followed by identifier on Windows (e.g. UNC paths)", () => { const res = analyzeShellCommand({ command: 'net use "\\\\host\\C$"', platform: "win32", }); expect(res.ok).toBe(true); }); it("rejects metacharacters inside single-quoted arguments on Windows", () => { // Single quotes are NOT quoting characters in cmd.exe (the Windows execution // shell). Shell metacharacters inside single quotes remain active and unsafe. const cases = [ "node tool.js '--name=foo & bar'", "node tool.js '--filter=a|b'", "node tool.js '--msg=Hello!'", "node tool.js '--pattern=(x)'", ]; for (const command of cases) { const res = analyzeShellCommand({ command, platform: "win32" }); expect(res.ok).toBe(false); } }); it("rejects % in single-quoted arguments on Windows", () => { // Single quotes are literal in cmd.exe, so % is treated as unquoted and // can be used for variable-expansion injection. const res = analyzeShellCommand({ command: "node tool.js '--label=%USERNAME%'", platform: "win32", }); expect(res.ok).toBe(false); }); it("tokenizer strips single quotes and treats content as one token on Windows", () => { // tokenizeWindowsSegment recognises PowerShell single-quote quoting so that // 'hello world' is correctly parsed as a single argument during enforcement. const res = analyzeShellCommand({ command: "node tool.js 'hello world'", platform: "win32", }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv).toEqual(["node", "tool.js", "hello world"]); }); it("parses '' as escaped apostrophe in Windows single-quoted args", () => { const res = analyzeShellCommand({ command: "node tool.js 'O''Brien'", platform: "win32", }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv).toEqual(["node", "tool.js", "O'Brien"]); }); it("preserves empty double-quoted args on Windows", () => { // tokenizeWindowsSegment must not drop "" — empty quoted args are intentional // (e.g. node tool.js "" passes an explicit empty string to the child process). const res = analyzeShellCommand({ command: 'node tool.js ""', platform: "win32", }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv).toEqual(["node", "tool.js", ""]); }); it("preserves empty single-quoted args on Windows", () => { const res = analyzeShellCommand({ command: "node tool.js ''", platform: "win32", }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv).toEqual(["node", "tool.js", ""]); }); it.each(['echo "output: \\$(whoami)"', "echo 'output: $(whoami)'"])( "accepts inert substitution-like syntax for %s", (command) => { const res = expectAnalyzedShellCommand(command); expect(res.segments[0]?.argv[0]).toBe("echo"); }, ); it.each([ { command: "/usr/bin/tee /tmp/file << 'EOF'\nEOF", expectedArgv: ["/usr/bin/tee"] }, { command: "/usr/bin/tee /tmp/file < { const res = expectAnalyzedShellCommand(command); expect(res.segments.map((segment) => segment.argv[0])).toEqual(expectedArgv); }); it.each([ { command: "/usr/bin/cat < { const res = analyzeShellCommand({ command }); expect(res.ok).toBe(false); expect(res.reason).toBe(reason); }); it("parses windows quoted executables", () => { const res = analyzeShellCommand({ command: '"C:\\Program Files\\Tool\\tool.exe" --version', platform: "win32", }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv).toEqual(["C:\\Program Files\\Tool\\tool.exe", "--version"]); }); it('unescapes "" inside powershell -Command double-quoted payload', () => { // powershell -Command "node a.js ""hello world""" uses "" to encode a // literal " inside the outer double-quoted shell argument. After stripping // the wrapper the payload must be unescaped so the tokenizer sees the // correct double-quote boundaries. const res = analyzeShellCommand({ command: 'powershell -Command "node a.js ""hello world"""', platform: "win32", }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv).toEqual(["node", "a.js", "hello world"]); }); it("unescapes '' inside powershell -Command single-quoted payload", () => { // In a PowerShell single-quoted string '' encodes a literal apostrophe. // 'node a.js ''hello world''' has outer ' delimiters and '' acts as // the escape for the space-containing argument — after unescaping the // payload becomes "node a.js 'hello world'" which the tokenizer parses // as a single argv token. const res = analyzeShellCommand({ command: "powershell -Command 'node a.js ''hello world'''", platform: "win32", }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv).toEqual(["node", "a.js", "hello world"]); }); it("unwraps powershell -Command with value-taking flags", () => { const cases = [ 'powershell -NoProfile -ExecutionPolicy Bypass -Command "node a.js"', 'powershell -NonInteractive -ExecutionPolicy RemoteSigned -Command "node a.js"', 'pwsh -NoLogo -WindowStyle Hidden -Command "node a.js"', // single-quoted payload "powershell -NoProfile -Command 'node a.js'", "pwsh -ExecutionPolicy Bypass -Command 'node a.js'", ]; for (const command of cases) { const res = analyzeShellCommand({ command, platform: "win32" }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv[0]).toBe("node"); } }); it("unwraps powershell -Command when a flag value contains spaces (quoted)", () => { // psFlags previously used \S+ for flag values, which cannot match // quoted values containing spaces such as "C:\Users\Jane Doe\proj". // The wrapper was therefore not stripped, leaving powershell as the // executable and breaking allow-always matching for the inner command. const cases = [ 'powershell -WorkingDirectory "C:\\Users\\Jane Doe\\proj" -Command "node a.js"', "powershell -WorkingDirectory 'C:\\Users\\Jane Doe\\proj' -Command \"node a.js\"", 'pwsh -ExecutionPolicy Bypass -WorkingDirectory "C:\\My Projects\\app" -Command "node a.js"', ]; for (const command of cases) { const res = analyzeShellCommand({ command, platform: "win32" }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv[0]).toBe("node"); } }); it("unwraps powershell -c alias and --command alias", () => { // stripWindowsShellWrapperOnce previously only matched -Command, so // `pwsh -c "inner"` was left as-is. The allow-always path persists the // inner executable via extractShellWrapperInlineCommand (which treats -c // as a command flag), but later evaluations would see `pwsh` as the // executable, causing repeated approval prompts for the same command. const cases = [ ['pwsh -c "node a.js"', "node"], ['pwsh -NoLogo -c "node a.js"', "node"], ['powershell -c "node a.js"', "node"], ['pwsh --command "node a.js"', "node"], ["pwsh -c 'node a.js'", "node"], ["pwsh -c node a.js", "node"], ]; for (const [command, expected] of cases) { const res = analyzeShellCommand({ command, platform: "win32" }); expect(res.ok).toBe(true); expect(res.segments[0]?.argv[0]).toBe(expected); } }); }); describe("shell allowlist (chained commands)", () => { it.each([ { allowlist: [{ pattern: "/usr/bin/obsidian-cli" }, { pattern: "/usr/bin/head" }], command: "/usr/bin/obsidian-cli print-default && /usr/bin/obsidian-cli search foo | /usr/bin/head", expectedAnalysisOk: true, expectedAllowlistSatisfied: true, }, { allowlist: [{ pattern: "/usr/bin/obsidian-cli" }], command: "/usr/bin/obsidian-cli print-default && /usr/bin/rm -rf /", expectedAnalysisOk: true, expectedAllowlistSatisfied: false, }, { allowlist: [{ pattern: "/usr/bin/echo" }], command: "/usr/bin/echo ok &&", expectedAnalysisOk: false, expectedAllowlistSatisfied: false, }, { allowlist: [{ pattern: "/usr/bin/ping" }], command: "ping 127.0.0.1 -n 1 & whoami", expectedAnalysisOk: false, expectedAllowlistSatisfied: false, platform: "win32" as const, }, ] satisfies ReadonlyArray<{ allowlist: ExecAllowlistEntry[]; command: string; expectedAnalysisOk: boolean; expectedAllowlistSatisfied: boolean; platform?: NodeJS.Platform; }>)("evaluates chained command allowlist scenario %j", (testCase) => { const result = evaluateShellAllowlist({ command: testCase.command, allowlist: testCase.allowlist, safeBins: new Set(), cwd: "/tmp", platform: testCase.platform, }); expect(result.analysisOk).toBe(testCase.expectedAnalysisOk); expect(result.allowlistSatisfied).toBe(testCase.expectedAllowlistSatisfied); }); it("allows the skill display prelude when a later skill wrapper is allowlisted", () => { if (process.platform === "win32") { return; } const skillRoot = makeTempDir(); const skillDir = path.join(skillRoot, "skills", "gog"); const skillPath = path.join(skillDir, "SKILL.md"); const wrapperPath = path.join(skillRoot, "bin", "gog-wrapper"); fs.mkdirSync(path.dirname(skillPath), { recursive: true }); fs.mkdirSync(path.dirname(wrapperPath), { recursive: true }); fs.writeFileSync(skillPath, "# gog\n"); fs.writeFileSync(wrapperPath, "#!/bin/sh\n", { mode: 0o755 }); const result = evaluateShellAllowlist({ command: `cat ${skillPath} && printf '\\n---CMD---\\n' && ${wrapperPath} calendar events primary --today --json`, allowlist: [{ pattern: wrapperPath }], safeBins: new Set(), cwd: skillRoot, }); expect(result.analysisOk).toBe(true); expect(result.allowlistSatisfied).toBe(true); expect(result.segmentSatisfiedBy).toEqual(["skillPrelude", "skillPrelude", "allowlist"]); }); it("does not treat arbitrary allowlisted binaries as trusted skill wrappers", () => { if (process.platform === "win32") { return; } const skillRoot = makeTempDir(); const skillDir = path.join(skillRoot, "skills", "gog"); const skillPath = path.join(skillDir, "SKILL.md"); fs.mkdirSync(skillDir, { recursive: true }); fs.writeFileSync(skillPath, "# gog\n"); const result = evaluateShellAllowlist({ command: `cat ${skillPath} && printf '\\n---CMD---\\n' && /bin/echo calendar events primary --today --json`, allowlist: [{ pattern: "/bin/echo" }], safeBins: new Set(), cwd: skillRoot, }); expect(result.analysisOk).toBe(true); expect(result.allowlistSatisfied).toBe(false); expect(result.segmentSatisfiedBy).toEqual([null]); }); it("still rejects the skill display prelude when no trusted skill command follows", () => { if (process.platform === "win32") { return; } const skillRoot = makeTempDir(); const skillDir = path.join(skillRoot, "skills", "gog"); const skillPath = path.join(skillDir, "SKILL.md"); fs.mkdirSync(skillDir, { recursive: true }); fs.writeFileSync(skillPath, "# gog\n"); const result = evaluateShellAllowlist({ command: `cat ${skillPath} && printf '\\n---CMD---\\n'`, allowlist: [], safeBins: new Set(), cwd: skillRoot, }); expect(result.analysisOk).toBe(true); expect(result.allowlistSatisfied).toBe(false); expect(result.segmentSatisfiedBy).toEqual([null]); }); it("rejects the skill display prelude when a trusted wrapper is not reachable", () => { if (process.platform === "win32") { return; } const skillRoot = makeTempDir(); const skillDir = path.join(skillRoot, "skills", "gog"); const skillPath = path.join(skillDir, "SKILL.md"); const wrapperPath = path.join(skillRoot, "bin", "gog-wrapper"); fs.mkdirSync(path.dirname(skillPath), { recursive: true }); fs.mkdirSync(path.dirname(wrapperPath), { recursive: true }); fs.writeFileSync(skillPath, "# gog\n"); fs.writeFileSync(wrapperPath, "#!/bin/sh\n", { mode: 0o755 }); const result = evaluateShellAllowlist({ command: `cat ${skillPath} && printf '\\n---CMD---\\n' && false && ${wrapperPath} calendar events primary --today --json`, allowlist: [{ pattern: wrapperPath }], safeBins: new Set(), cwd: skillRoot, }); expect(result.analysisOk).toBe(true); expect(result.allowlistSatisfied).toBe(false); expect(result.segmentSatisfiedBy).toEqual([null]); }); it.each(['/usr/bin/echo "foo && bar"', '/usr/bin/echo "foo\\" && bar"'])( "respects quoted chain separator for %s", (command) => { const result = evaluateShellAllowlist({ command, allowlist: [{ pattern: "/usr/bin/echo" }], safeBins: new Set(), cwd: "/tmp", }); expect(result.analysisOk).toBe(true); expect(result.allowlistSatisfied).toBe(true); }, ); it("fails allowlist analysis for shell line continuations", () => { const result = evaluateShellAllowlist({ command: 'echo "ok $\\\n(id -u)"', allowlist: [{ pattern: "/usr/bin/echo" }], safeBins: new Set(), cwd: "/tmp", }); expect(result.analysisOk).toBe(false); expect(result.allowlistSatisfied).toBe(false); }); it("satisfies allowlist when bare * wildcard is present", () => { const dir = makeTempDir(); const binPath = path.join(dir, "mybin"); fs.writeFileSync(binPath, "#!/bin/sh\n", { mode: 0o755 }); const env = makePathEnv(dir); try { const result = evaluateShellAllowlist({ command: "mybin --flag", allowlist: [{ pattern: "*" }], safeBins: new Set(), cwd: dir, env, }); expect(result.analysisOk).toBe(true); expect(result.allowlistSatisfied).toBe(true); } finally { fs.rmSync(dir, { recursive: true, force: true }); } }); it("normalizes safe bin names", () => { expect([...normalizeSafeBins([" jq ", "", "JQ", " sort "])]).toEqual(["jq", "sort"]); }); describe("shell wrapper inline compound allowlist", () => { const commonShells = ["sh", "bash", "zsh", "dash", "ksh", "fish", "ash"] as const; type ShellFixture = { dir: string; env: NodeJS.ProcessEnv; binPath: (name: string) => string; }; function writeExecutable(filePath: string) { fs.writeFileSync(filePath, "#!/bin/sh\n", { mode: 0o755 }); } function withShellFixture( binaries: readonly string[], run: (fixture: ShellFixture) => void, ): void { const dir = makeTempDir(); const binPath = (name: string): string => path.join(dir, name); for (const binary of binaries) { writeExecutable(binPath(binary)); } const env = makePathEnv(dir); try { run({ dir, env, binPath }); } finally { fs.rmSync(dir, { recursive: true, force: true }); } } it.each(commonShells)("evaluates inner chain commands for %s -c wrappers", (shellBinary) => { if (process.platform === "win32") { return; } withShellFixture([shellBinary, "cat", "printf", "gog-wrapper"], ({ binPath, dir, env }) => { const shellPath = binPath(shellBinary); const catPath = binPath("cat"); const printfPath = binPath("printf"); const gogPath = binPath("gog-wrapper"); const result = evaluateShellAllowlist({ command: `${shellPath} -c "cat SKILL.md && printf '---CMD---' && gog-wrapper calendar events"`, allowlist: [{ pattern: catPath }, { pattern: printfPath }, { pattern: gogPath }], safeBins: new Set(), cwd: dir, env, }); expect(result.analysisOk).toBe(true); expect(result.allowlistSatisfied).toBe(true); expect(result.allowlistMatches.length).toBe(3); expect(result.segmentSatisfiedBy).toEqual(["allowlist"]); expect(result.segmentAllowlistEntries).toEqual([null]); expect(result.segmentSatisfiedBy.length).toBe(result.segments.length); expect(result.segmentAllowlistEntries.length).toBe(result.segments.length); }); }); it("rejects wrapper chain when any inner command misses the allowlist", () => { if (process.platform === "win32") { return; } withShellFixture(["sh", "cat", "rm", "gog-wrapper"], ({ binPath, dir, env }) => { const shellPath = binPath("sh"); const catPath = binPath("cat"); const gogPath = binPath("gog-wrapper"); const result = evaluateShellAllowlist({ command: `${shellPath} -c "cat SKILL.md && rm -rf / && gog-wrapper calendar events"`, allowlist: [{ pattern: catPath }, { pattern: gogPath }], safeBins: new Set(), cwd: dir, env, }); expect(result.analysisOk).toBe(true); expect(result.allowlistSatisfied).toBe(false); }); }); it("keeps single-command wrappers unchanged (no recursive allowlist lookup)", () => { if (process.platform === "win32") { return; } withShellFixture(["sh", "gog-wrapper"], ({ binPath, dir, env }) => { const shellPath = binPath("sh"); const gogPath = binPath("gog-wrapper"); const result = evaluateShellAllowlist({ command: `${shellPath} -c "gog-wrapper calendar events"`, allowlist: [{ pattern: gogPath }], safeBins: new Set(), cwd: dir, env, }); expect(result.analysisOk).toBe(true); expect(result.allowlistSatisfied).toBe(false); }); }); }); }); }); describe("windowsEscapeArg", () => { it("returns empty string quoted", () => { expect(windowsEscapeArg("")).toEqual({ ok: true, escaped: '""' }); }); it("returns safe values as-is", () => { expect(windowsEscapeArg("foo.exe")).toEqual({ ok: true, escaped: "foo.exe" }); expect(windowsEscapeArg("C:/Program/bin")).toEqual({ ok: true, escaped: "C:/Program/bin" }); }); it("double-quotes values with spaces", () => { expect(windowsEscapeArg("hello world")).toEqual({ ok: true, escaped: '"hello world"' }); }); it("escapes embedded double quotes", () => { expect(windowsEscapeArg('say "hi"')).toEqual({ ok: true, escaped: '"say ""hi"""' }); }); it("rejects tokens with % meta character", () => { expect(windowsEscapeArg("%PATH%")).toEqual({ ok: false }); }); it("allows ! in double-quoted args (PowerShell does not treat ! as special)", () => { expect(windowsEscapeArg("hello!")).toEqual({ ok: true, escaped: '"hello!"' }); }); it("rejects $ followed by identifier (PowerShell variable expansion)", () => { expect(windowsEscapeArg("$env:SECRET")).toEqual({ ok: false }); expect(windowsEscapeArg("$var")).toEqual({ ok: false }); expect(windowsEscapeArg("${var}")).toEqual({ ok: false }); }); it("rejects $( subexpressions (PowerShell subexpression operator)", () => { // PowerShell evaluates $(expression) inside double-quoted strings, so // a token like "$(whoami)" would execute whoami even when double-quoted. expect(windowsEscapeArg("$(whoami)")).toEqual({ ok: false }); expect(windowsEscapeArg("$(Get-Date)")).toEqual({ ok: false }); }); it("rejects $? and $$ (PowerShell automatic variables)", () => { expect(windowsEscapeArg("$?")).toEqual({ ok: false }); expect(windowsEscapeArg("$$")).toEqual({ ok: false }); }); it("allows $ not followed by identifier (e.g. UNC admin share C$)", () => { expect(windowsEscapeArg("\\\\host\\C$")).toEqual({ ok: true, escaped: '"\\\\host\\C$"' }); expect(windowsEscapeArg("trailing$")).toEqual({ ok: true, escaped: '"trailing$"' }); }); }); describe("matchAllowlist with argPattern", () => { // argPattern matching is Windows-only; skip this suite on other platforms. if (process.platform !== "win32") { it.skip("argPattern tests are Windows-only", () => {}); return; } const resolution = { rawExecutable: "python3", resolvedPath: "/usr/bin/python3", executableName: "python3", }; it("matches path-only entry regardless of argv", () => { const entries: ExecAllowlistEntry[] = [{ pattern: "/usr/bin/python3" }]; expect(matchAllowlist(entries, resolution, ["python3", "a.py"])).toBeTruthy(); expect(matchAllowlist(entries, resolution, ["python3", "b.py"])).toBeTruthy(); expect(matchAllowlist(entries, resolution, ["python3"])).toBeTruthy(); }); it("matches argPattern with regex", () => { const entries: ExecAllowlistEntry[] = [{ pattern: "/usr/bin/python3", argPattern: "^a\\.py$" }]; expect(matchAllowlist(entries, resolution, ["python3", "a.py"])).toBeTruthy(); expect(matchAllowlist(entries, resolution, ["python3", "b.py"])).toBeNull(); expect(matchAllowlist(entries, resolution, ["python3", "a.py", "--verbose"])).toBeNull(); }); it("prefers argPattern match over path-only match", () => { const entries: ExecAllowlistEntry[] = [ { pattern: "/usr/bin/python3" }, { pattern: "/usr/bin/python3", argPattern: "^a\\.py$" }, ]; const match = matchAllowlist(entries, resolution, ["python3", "a.py"]); expect(match).toBeTruthy(); expect(match!.argPattern).toBe("^a\\.py$"); }); it("falls back to path-only match when argPattern doesn't match", () => { const entries: ExecAllowlistEntry[] = [ { pattern: "/usr/bin/python3" }, { pattern: "/usr/bin/python3", argPattern: "^a\\.py$" }, ]; const match = matchAllowlist(entries, resolution, ["python3", "b.py"]); expect(match).toBeTruthy(); expect(match!.argPattern).toBeUndefined(); }); it("handles invalid regex gracefully", () => { const entries: ExecAllowlistEntry[] = [{ pattern: "/usr/bin/python3", argPattern: "[invalid" }]; expect(matchAllowlist(entries, resolution, ["python3", "a.py"])).toBeNull(); }); it("rejects split-arg bypass against single-arg auto-generated argPattern", () => { // buildArgPatternFromArgv always appends a trailing \x00 sentinel so that // matchArgPattern can detect \x00-join style via .includes("\x00") even for // single-arg patterns. "^hello world\x00$" is the auto-generated form for // argv ["python3", "hello world"]. const entries: ExecAllowlistEntry[] = [ { pattern: "/usr/bin/python3", argPattern: "^hello world\x00$" }, ]; // Original approved single-arg must still match (argsString = "hello world\x00"). expect(matchAllowlist(entries, resolution, ["python3", "hello world"])).toBeTruthy(); // Split-arg bypass must be rejected (argsString = "hello\x00world\x00"). expect(matchAllowlist(entries, resolution, ["python3", "hello", "world"])).toBeNull(); }); it("supports regex alternation in argPattern", () => { const entries: ExecAllowlistEntry[] = [ { pattern: "/usr/bin/python3", argPattern: "^(a|b)\\.py$" }, ]; expect(matchAllowlist(entries, resolution, ["python3", "a.py"])).toBeTruthy(); expect(matchAllowlist(entries, resolution, ["python3", "b.py"])).toBeTruthy(); expect(matchAllowlist(entries, resolution, ["python3", "c.py"])).toBeNull(); }); it("distinguishes zero-arg pattern from one-empty-string-arg pattern", () => { // buildArgPatternFromArgv encodes [] as "^\x00\x00$" (double sentinel) and // [""] as "^\x00$" (single sentinel) so the two cannot cross-match. const zeroArgEntries: ExecAllowlistEntry[] = [ { pattern: "/usr/bin/python3", argPattern: "^\x00\x00$" }, ]; const emptyArgEntries: ExecAllowlistEntry[] = [ { pattern: "/usr/bin/python3", argPattern: "^\x00$" }, ]; // Zero-arg command must match zero-arg pattern but not empty-string-arg pattern. expect(matchAllowlist(zeroArgEntries, resolution, ["python3"])).toBeTruthy(); expect(matchAllowlist(emptyArgEntries, resolution, ["python3"])).toBeNull(); // One-empty-string-arg command must match empty-string-arg pattern but not zero-arg pattern. expect(matchAllowlist(emptyArgEntries, resolution, ["python3", ""])).toBeTruthy(); expect(matchAllowlist(zeroArgEntries, resolution, ["python3", ""])).toBeNull(); }); }); describe("Windows rebuildShellCommandFromSource", () => { it("builds enforced command for simple Windows command", () => { const analysis = analyzeShellCommand({ command: "python3 a.py", platform: "win32", }); expect(analysis.ok).toBe(true); const result = buildEnforcedShellCommand({ command: "python3 a.py", segments: analysis.segments, platform: "win32", }); expect(result.ok).toBe(true); expect(result.command).toBeDefined(); }); it("rejects Windows commands with unsafe tokens", () => { const result = buildEnforcedShellCommand({ command: "echo ok & del file", segments: [], platform: "win32", }); expect(result.ok).toBe(false); }); });