Initial import from garrytan/gstack@026751e (main snapshot via local relay)
Source: https://github.com/garrytan/gstack/commit/026751e
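--- /dev/null
+++ b/browse/test/adversarial-security.test.ts
@@ -0,0 +1,32 @@
+/**
+ * Adversarial security tests — XSS and boundary-check hardening
+ *
+ * Test 19: Sidepanel escapes entry.command in activity feed (prevents XSS)
+ * Test 20: Freeze hook uses trailing slash in boundary check (prevents prefix collision)
+ */
+
+import { describe, test, expect } from 'bun:test';
+import * as fs from 'fs';
+import * as path from 'path';
+
+describe('Adversarial security', () => {
+  test('sidepanel escapes entry.command in activity feed', () => {
+    const source = fs.readFileSync(
+      path.join(import.meta.dir, '../../extension/sidepanel.js'),
+      'utf-8',
+    );
+    // entry.command must be wrapped in escapeHtml() to prevent XSS injection
+    // via crafted command names in the activity feed
+    expect(source).toContain('escapeHtml(entry.command');
+  });
+
+  test('freeze hook uses trailing slash in boundary check', () => {
+    const source = fs.readFileSync(
+      path.join(import.meta.dir, '../../freeze/bin/check-freeze.sh'),
+      'utf-8',
+    );
+    // The boundary check must use "${FREEZE_DIR}/" with a trailing slash
+    // to prevent prefix collision (e.g., /app matching /application)
+    expect(source).toContain('"${FREEZE_DIR}/"');
+  });
+});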
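Review bot: Both tests only grep the target source for a substring, so `expect(source).toContain('escapeHtml(entry.command')` still passes if a second interpolation of `entry.command` in sidepanel.js is left unescaped or if the escaped call sits in dead code, and the `"${FREEZE_DIR}/"` literal can likewise be present in check-freeze.sh without being the string the boundary comparison actually uses. Pair each positive check with a negative one that fails on the unsafe form, e.g. `expect(source).not.toMatch(/\$\{entry\.command\}/);` after the sidepanel `toContain` and `expect(source).not.toContain('"${FREEZE_DIR}"*');` after the freeze-hook one, so a regression that reintroduces a raw use is caught rather than masked by the surviving safe call. A behavioural test that feeds the escaping helper a payload such as `<img src=x onerror=alert(1)>` and asserts on its output would be stronger still, but depends on how sidepanel.js exposes the helper, which is not visible here. Note also that a trailing-slash prefix match only bounds the path if the compared value is canonicalized first (`..` segments and symlinks can otherwise escape the prefix); whether the hook does that cannot be determined from this test, so the header comment should not describe it as a complete boundary check.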