From 587ac423c25f35850414e8c5fd82a81f17212e9f Mon Sep 17 00:00:00 2001 From: Jarvis Date: Thu, 16 Jul 2026 12:34:53 -0500 Subject: [PATCH] test(mosaic): close fleet command parser gaps Co-Authored-By: Claude Opus 4.8 --- .../src/fleet/fleet-documentation.spec.ts | 65 ++++++++++++++----- 1 file changed, 50 insertions(+), 15 deletions(-) diff --git a/packages/mosaic/src/fleet/fleet-documentation.spec.ts b/packages/mosaic/src/fleet/fleet-documentation.spec.ts index fdddc26..bab73f2 100644 --- a/packages/mosaic/src/fleet/fleet-documentation.spec.ts +++ b/packages/mosaic/src/fleet/fleet-documentation.spec.ts @@ -188,12 +188,12 @@ function normalizedCommandTokens(segment: string): string[] { if (/^(?:-S|--split-string)$/.test(token)) { const splitTokens = shellCommandTokens(tokens[index + 1] ?? ''); tokens.splice(index, 2, ...splitTokens); - break; + continue; } - const splitString = token.match(/^(?:-S|--split-string)=(.*)$/)?.[1]; + const splitString = token.match(/^(?:-S|--split-string=)(.*)$/)?.[1]; if (splitString !== undefined) { tokens.splice(index, 1, ...shellCommandTokens(splitString)); - break; + continue; } if (token.startsWith('-')) { index += 1; @@ -262,29 +262,38 @@ function containsPrivilegedCommand(source: string): boolean { const tokens = normalizedCommandTokens(segment); const command = commandBasename(tokens[0] ?? ''); if (privilegedCommands.has(command)) return true; - const argument = tokens[1] ?? ''; - if ( - command === 'su' && - (/^(?:root|-|--command|-c)$/.test(argument) || argument.startsWith('--command=')) - ) { - return true; - } if (command !== 'su') return false; let index = 1; while (index < tokens.length) { const token = tokens[index] ?? ''; - if (token === '-l' || token === '--login') { - return (tokens[index + 1] ?? '') === 'root'; + if (token === '--') { + index += 1; + break; + } + if ( + /^(?:-c|--command|--session-command|-g|--group|-G|--supp-group|-s|--shell|-w|--whitelist-environment)$/.test( + token, + ) + ) { + index += 2; + continue; + } + if ( + /^(?:--command=|--session-command=|--group=|--supp-group=|--shell=|--whitelist-environment=)/.test( + token, + ) + ) { + index += 1; + continue; } - if (token === '--') return (tokens[index + 1] ?? '') === 'root'; if (token.startsWith('-')) { index += 1; continue; } - return token === 'root'; + break; } - return false; + return (tokens[index] ?? 'root') === 'root'; }); } @@ -354,13 +363,27 @@ const UNSAFE_EXAMPLE_FIXTURES = [ }, { expected: 'privileged-command', source: 'env -S apt-get install example' }, { expected: 'privileged-command', source: "env -S 'apt-get update'" }, + { expected: 'privileged-command', source: "env -S'/usr/bin/apt-get --version'" }, { expected: 'privileged-command', source: "env --split-string='apt-get update'", }, + { + expected: 'privileged-command', + source: "env --split-string='-i /usr/bin/apt-get update'", + }, + { + expected: 'privileged-command', + source: "env --split-string='FOO=x /usr/bin/apt-get update'", + }, + { + expected: 'privileged-command', + source: "env --split-string='-- /usr/bin/apt-get update'", + }, { expected: 'privileged-command', source: 'reboot' }, { expected: 'privileged-command', source: 'su --command=/bin/sh' }, { expected: 'privileged-command', source: 'su -l root' }, + { expected: 'privileged-command', source: 'su -l -s /bin/sh root' }, { expected: 'privileged-command', source: '/usr/bin/su --login root' }, { expected: 'privileged-command', source: 'su root' }, { expected: 'privileged-command', source: '/usr/sbin/chroot /srv/example' }, @@ -417,6 +440,18 @@ describe('documentation validation regressions', (): void => { expect(exampleSafetyViolationKinds('command -v apt-get')).not.toContain('privileged-command'); }); + it.each([ + "env --split-string='-i -- /usr/bin/printf safe'", + "env --split-string='FOO=x /usr/bin/printf safe'", + 'su -l -s /bin/sh operator', + 'su -s /bin/sh -- operator', + 'su -c /usr/bin/id operator', + 'su --command=/usr/bin/id operator', + 'su --session-command=/usr/bin/id operator', + ])('keeps valid non-privileged env and su forms safe', (source): void => { + expect(exampleSafetyViolationKinds(source)).not.toContain('privileged-command'); + }); + it.each(UNSAFE_EXAMPLE_FIXTURES)( 'classifies unsafe example fixture as $expected', ({ expected, source }): void => {