a
This commit is contained in:
@@ -111,6 +111,42 @@ test("rules engine enforces binary allowlist, tool policy, and path boundaries",
|
||||
);
|
||||
});
|
||||
|
||||
test("rules engine dangerous_warn_only logs but does not block violating shell commands", async () => {
|
||||
const worktreeRoot = await mkdtemp(resolve(tmpdir(), "ai-ops-security-warn-worktree-"));
|
||||
const stateRoot = await mkdtemp(resolve(tmpdir(), "ai-ops-security-warn-state-"));
|
||||
const projectContextPath = resolve(stateRoot, "project-context.json");
|
||||
|
||||
const rules = new SecurityRulesEngine(
|
||||
{
|
||||
allowedBinaries: ["git"],
|
||||
worktreeRoot,
|
||||
protectedPaths: [stateRoot, projectContextPath],
|
||||
requireCwdWithinWorktree: true,
|
||||
rejectRelativePathTraversal: true,
|
||||
enforcePathBoundaryOnArguments: true,
|
||||
allowedEnvAssignments: [],
|
||||
blockedEnvAssignments: [],
|
||||
},
|
||||
undefined,
|
||||
{
|
||||
violationHandling: "dangerous_warn_only",
|
||||
},
|
||||
);
|
||||
|
||||
const validated = await rules.validateShellCommand({
|
||||
command: "unauthorized_bin --version",
|
||||
cwd: worktreeRoot,
|
||||
toolClearance: {
|
||||
allowlist: ["git"],
|
||||
banlist: [],
|
||||
},
|
||||
});
|
||||
|
||||
assert.equal(validated.cwd, worktreeRoot);
|
||||
assert.equal(validated.parsed.commandCount, 0);
|
||||
assert.deepEqual(validated.parsed.commands, []);
|
||||
});
|
||||
|
||||
test("secure executor runs with explicit env policy", async () => {
|
||||
const worktreeRoot = await mkdtemp(resolve(tmpdir(), "ai-ops-security-exec-"));
|
||||
|
||||
@@ -193,3 +229,47 @@ test("rules engine carries session context in tool audit events", () => {
|
||||
assert.equal(allowedEvent.nodeId, "node-ctx");
|
||||
assert.equal(allowedEvent.attempt, 2);
|
||||
});
|
||||
|
||||
test("rules engine applies tool clearance matching case-insensitively", () => {
|
||||
const rules = new SecurityRulesEngine({
|
||||
allowedBinaries: ["git"],
|
||||
worktreeRoot: "/tmp",
|
||||
protectedPaths: [],
|
||||
requireCwdWithinWorktree: true,
|
||||
rejectRelativePathTraversal: true,
|
||||
enforcePathBoundaryOnArguments: true,
|
||||
allowedEnvAssignments: [],
|
||||
blockedEnvAssignments: [],
|
||||
});
|
||||
|
||||
assert.doesNotThrow(() =>
|
||||
rules.assertToolInvocationAllowed({
|
||||
tool: "Bash",
|
||||
toolClearance: {
|
||||
allowlist: ["bash", "glob"],
|
||||
banlist: [],
|
||||
},
|
||||
}),
|
||||
);
|
||||
|
||||
assert.throws(
|
||||
() =>
|
||||
rules.assertToolInvocationAllowed({
|
||||
tool: "Glob",
|
||||
toolClearance: {
|
||||
allowlist: ["bash", "glob"],
|
||||
banlist: ["GLOB"],
|
||||
},
|
||||
}),
|
||||
(error: unknown) =>
|
||||
error instanceof SecurityViolationError && error.code === "TOOL_BANNED",
|
||||
);
|
||||
|
||||
assert.deepEqual(
|
||||
rules.filterAllowedTools(["Bash", "Glob", "Read"], {
|
||||
allowlist: ["bash", "glob"],
|
||||
banlist: ["gLoB"],
|
||||
}),
|
||||
["Bash"],
|
||||
);
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user