test(sandbox): address PR #250 round-4 review — SSRF accept-path tests, MCP structuredContent (#243)
Mandatory (test-coverage): - internal-file-urls.test: pin the SSRF/traversal ACCEPT path of resolveInternalFilePath (the sole guard for content-controlled `src`): an absolute/protocol-relative URL has its foreign host dropped and only an /api/files/ pathname survives (http://evil.com/api/files/x/y.png -> /files/x/y.png), while a host-dropped path that escapes /api/files/ (https://evil.com/api/auth/whoami) or a backslash-traversal (/api/files\..\auth\whoami) is rejected. Locks the behavior so a future prefix-only refactor cannot silently open a bypass. Suggestions: - index.ts: the stash_page MCP tool now returns structuredContent { uri, sha256, size, images } alongside the resource_link, so the MCP output matches the documented shape (clients get the blob's sha256/ETag and the mirror counts, not just the link). No outputSchema registered. Rebuilt build/. - new stash-page-mcp-result.test: server round-trip via InMemoryTransport asserts both the resource_link and the structuredContent mirror. - internal-file-urls.test: cover the new URL parse-failure catch branch (http://[ -> "Invalid internal file src"). - environment.service.spec: assert getPositiveIntEnv warns once per key and independently across keys (the invalidPositiveIntWarned dedup). Tests: packages/mcp 383 pass; apps/server sandbox/environment/mcp 235 pass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -94,6 +94,46 @@ describe('EnvironmentService', () => {
|
||||
});
|
||||
});
|
||||
|
||||
// getPositiveIntEnv keeps a one-shot `invalidPositiveIntWarned` set so a bad
|
||||
// value is logged ONCE per key (not on every getter call, which the sandbox
|
||||
// hits per-put). These tests pin that dedup so a regression to per-call logging
|
||||
// would fail loudly.
|
||||
describe('invalid-value warn dedup', () => {
|
||||
it('warns only once per key across repeated getter calls', () => {
|
||||
const service = new EnvironmentService({
|
||||
get: (k: string, d?: string) =>
|
||||
k === 'SANDBOX_MAX_TOTAL_BYTES' ? '-5' : d,
|
||||
} as any);
|
||||
const warnSpy = jest
|
||||
.spyOn((service as any).logger, 'warn')
|
||||
.mockImplementation(() => undefined);
|
||||
|
||||
service.getSandboxMaxTotalBytes();
|
||||
service.getSandboxMaxTotalBytes();
|
||||
|
||||
expect(warnSpy).toHaveBeenCalledTimes(1);
|
||||
});
|
||||
|
||||
it('warns independently per key (dedup is per-key, not global)', () => {
|
||||
// Two DIFFERENT SANDBOX_* keys are both invalid -> each warns once, so two
|
||||
// warns total. This proves the dedup set is keyed, not a single global flag.
|
||||
const service = new EnvironmentService({
|
||||
get: (k: string, d?: string) =>
|
||||
k === 'SANDBOX_MAX_BYTES' || k === 'SANDBOX_MAX_TOTAL_BYTES'
|
||||
? '-5'
|
||||
: d,
|
||||
} as any);
|
||||
const warnSpy = jest
|
||||
.spyOn((service as any).logger, 'warn')
|
||||
.mockImplementation(() => undefined);
|
||||
|
||||
service.getSandboxMaxBytes();
|
||||
service.getSandboxMaxTotalBytes();
|
||||
|
||||
expect(warnSpy).toHaveBeenCalledTimes(2);
|
||||
});
|
||||
});
|
||||
|
||||
describe('getSandboxPublicUrl', () => {
|
||||
// Stub that resolves BOTH keys the public-url logic consults.
|
||||
const build = (vals: { sandboxUrl?: string; appUrl?: string }) =>
|
||||
|
||||
Reference in New Issue
Block a user