test(mosaic): close fleet command parser gaps
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Jarvis
2026-07-16 12:34:53 -05:00
parent 0b106651f8
commit 587ac423c2

View File

@@ -188,12 +188,12 @@ function normalizedCommandTokens(segment: string): string[] {
if (/^(?:-S|--split-string)$/.test(token)) {
const splitTokens = shellCommandTokens(tokens[index + 1] ?? '');
tokens.splice(index, 2, ...splitTokens);
break;
continue;
}
const splitString = token.match(/^(?:-S|--split-string)=(.*)$/)?.[1];
const splitString = token.match(/^(?:-S|--split-string=)(.*)$/)?.[1];
if (splitString !== undefined) {
tokens.splice(index, 1, ...shellCommandTokens(splitString));
break;
continue;
}
if (token.startsWith('-')) {
index += 1;
@@ -262,29 +262,38 @@ function containsPrivilegedCommand(source: string): boolean {
const tokens = normalizedCommandTokens(segment);
const command = commandBasename(tokens[0] ?? '');
if (privilegedCommands.has(command)) return true;
const argument = tokens[1] ?? '';
if (
command === 'su' &&
(/^(?:root|-|--command|-c)$/.test(argument) || argument.startsWith('--command='))
) {
return true;
}
if (command !== 'su') return false;
let index = 1;
while (index < tokens.length) {
const token = tokens[index] ?? '';
if (token === '-l' || token === '--login') {
return (tokens[index + 1] ?? '') === 'root';
if (token === '--') {
index += 1;
break;
}
if (
/^(?:-c|--command|--session-command|-g|--group|-G|--supp-group|-s|--shell|-w|--whitelist-environment)$/.test(
token,
)
) {
index += 2;
continue;
}
if (
/^(?:--command=|--session-command=|--group=|--supp-group=|--shell=|--whitelist-environment=)/.test(
token,
)
) {
index += 1;
continue;
}
if (token === '--') return (tokens[index + 1] ?? '') === 'root';
if (token.startsWith('-')) {
index += 1;
continue;
}
return token === 'root';
break;
}
return false;
return (tokens[index] ?? 'root') === 'root';
});
}
@@ -354,13 +363,27 @@ const UNSAFE_EXAMPLE_FIXTURES = [
},
{ expected: 'privileged-command', source: 'env -S apt-get install example' },
{ expected: 'privileged-command', source: "env -S 'apt-get update'" },
{ expected: 'privileged-command', source: "env -S'/usr/bin/apt-get --version'" },
{
expected: 'privileged-command',
source: "env --split-string='apt-get update'",
},
{
expected: 'privileged-command',
source: "env --split-string='-i /usr/bin/apt-get update'",
},
{
expected: 'privileged-command',
source: "env --split-string='FOO=x /usr/bin/apt-get update'",
},
{
expected: 'privileged-command',
source: "env --split-string='-- /usr/bin/apt-get update'",
},
{ expected: 'privileged-command', source: 'reboot' },
{ expected: 'privileged-command', source: 'su --command=/bin/sh' },
{ expected: 'privileged-command', source: 'su -l root' },
{ expected: 'privileged-command', source: 'su -l -s /bin/sh root' },
{ expected: 'privileged-command', source: '/usr/bin/su --login root' },
{ expected: 'privileged-command', source: 'su root' },
{ expected: 'privileged-command', source: '/usr/sbin/chroot /srv/example' },
@@ -417,6 +440,18 @@ describe('documentation validation regressions', (): void => {
expect(exampleSafetyViolationKinds('command -v apt-get')).not.toContain('privileged-command');
});
it.each([
"env --split-string='-i -- /usr/bin/printf safe'",
"env --split-string='FOO=x /usr/bin/printf safe'",
'su -l -s /bin/sh operator',
'su -s /bin/sh -- operator',
'su -c /usr/bin/id operator',
'su --command=/usr/bin/id operator',
'su --session-command=/usr/bin/id operator',
])('keeps valid non-privileged env and su forms safe', (source): void => {
expect(exampleSafetyViolationKinds(source)).not.toContain('privileged-command');
});
it.each(UNSAFE_EXAMPLE_FIXTURES)(
'classifies unsafe example fixture as $expected',
({ expected, source }): void => {