267}
268
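func TestScriptGeneratorNoUserStringInterpolation(t *testing.T) {
	// SECURITY TEST: Verify that user-provided values are never
	// directly interpolated as strings into the script.
	//
	// Inputs carrying shell or bpftrace metacharacters are expected to be
	// rejected by validation before they reach the generator; this test
	// checks the second line of defence, namely that whatever does reach
	// the generator cannot surface verbatim in the generated filter.

	// A valid IP is used on purpose: the generator is expected to emit it
	// as a hex literal, so the dotted-quad form must not survive.
	ip := net.ParseIP("127.0.0.1")
	config := TraceConfig{
		FilterIPs:  []net.IP{ip},
		OutputJSON: false,
	}

	gen := NewScriptGenerator(config)
	filter := gen.buildSkbIPFilterCondition()

	// An empty filter would let every check below pass vacuously.
	if strings.TrimSpace(filter) == "" {
		t.Fatal("expected a non-empty filter condition for a configured IP")
	}

	// The dotted-quad string is the user-controlled value; it must not be
	// copied into the script as-is.
	if strings.Contains(filter, "127.0.0.1") {
		t.Errorf("filter contains the IP as a dotted-quad string instead of a hex literal: %q", filter)
	}

	// NOTE(review): the config above sets no node name, so this check is
	// vacuous until the test populates one — TODO confirm which TraceConfig
	// field carries the node name and set it to "evil-node" here.
	if strings.Contains(filter, "evil-node") {
		t.Error("node name should not appear in filter condition")
	}

	// Disallow constructs that would indicate raw interpolation:
	// backticks, command substitution, statement separators and
	// call-like tokens. A filter condition is a single expression and
	// should need none of them.
	dangerousPatterns := []string{
		"`",
		"$(",
		";",
		"system(",
		"exec(",
	}

	for _, pattern := range dangerousPatterns {
		if strings.Contains(filter, pattern) {
			t.Errorf("filter contains dangerous pattern %q: %q", pattern, filter)
		}
	}
}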
309
310func TestBuildIPFilter(t *testing.T) {
311 tests := []struct {

Callers

nothing calls this directly

Calls 4

NewScriptGeneratorFunction · 0.85
ContainsMethod · 0.80
ErrorMethod · 0.45

Tested by

no test coverage detected