(t *testing.T)
| 267 | } |
| 268 | |
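func TestScriptGeneratorNoUserStringInterpolation(t *testing.T) {
	// SECURITY TEST: Verify that user-provided values are never
	// directly interpolated as strings into the generated script.
	//
	// The filter IP is validated before it reaches the generator, but
	// even a value that made it here must only ever be emitted in its
	// numeric (hex) form, never as the raw text the caller supplied.
	ip := net.ParseIP("127.0.0.1")
	if ip == nil {
		t.Fatal("net.ParseIP returned nil for a literal IPv4 address")
	}
	config := TraceConfig{
		FilterIPs:  []net.IP{ip},
		OutputJSON: false,
	}

	gen := NewScriptGenerator(config)
	filter := gen.buildSkbIPFilterCondition()

	// A configured filter IP must yield a condition; an empty string
	// would let every negative check below pass vacuously.
	if filter == "" {
		t.Fatal("filter condition is empty although a FilterIP was configured")
	}

	// The dotted-quad text supplied by the caller must not be copied
	// into the script; the generator is expected to emit the address
	// as a number instead.
	if strings.Contains(filter, "127.0.0.1") {
		t.Error("filter condition contains the raw IP string instead of its numeric form")
	}

	// The filter should only contain safe characters.
	// Allow: hex digits, whitespace, operators, struct names, etc.
	// Disallow: semicolons, backticks, $() syntax.
	dangerousPatterns := []string{
		"`;",
		"$()",
		"`",
		"system(",
		"exec(",
	}

	for _, pattern := range dangerousPatterns {
		if strings.Contains(filter, pattern) {
			t.Errorf("filter contains dangerous pattern: %s", pattern)
		}
	}
}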
| 309 | |
| 310 | func TestBuildIPFilter(t *testing.T) { |
| 311 | tests := []struct { |