test: harden profile artifact path boundaries

2026-05-08 10:48:41 +08:00
parent 8c7aca145e
commit 173de01bdb
4 changed files with 114 additions and 4 deletions
--- a/plugins/reporting-governance/test/profile-artifact.test.mjs
+++ b/plugins/reporting-governance/test/profile-artifact.test.mjs
@@ -8,6 +8,7 @@ import {
  loadDeploymentProfileArtifact,
  createDeploymentBindingContract,
  validateDeploymentProfileArtifact,
+  assertUseTimePathWithinRepoRoot,
 } from '../src/storage/profile-artifact.mjs';
 import { createRuntimeBinding } from '../src/adapters/index.mjs';

@@ -259,3 +260,66 @@ test('deployment profile artifact validation rejects artifact_roots symlink esca
    /spec\.bindings\.artifact_roots\.queueItems must stay within repo root: symlink resolution escapes realpath boundary/
  );
 });
+
+
+test('deployment profile artifact validation rejects entrypoint and scripts symlink escapes after realpath resolution', async (t) => {
+  const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'reporting-governance-profile-artifact-scripts-'));
+  t.after(() => fs.rmSync(sandbox, { recursive: true, force: true }));
+
+  const fakeRepoRoot = path.join(sandbox, 'repo');
+  const outsideRoot = path.join(sandbox, 'outside');
+  fs.mkdirSync(fakeRepoRoot, { recursive: true });
+  fs.mkdirSync(outsideRoot, { recursive: true });
+  fs.symlinkSync(outsideRoot, path.join(fakeRepoRoot, 'scripts-link'), 'dir');
+  fs.writeFileSync(path.join(fakeRepoRoot, 'safe-watchdog.mjs'), `export default true;\n`);
+  fs.writeFileSync(path.join(outsideRoot, 'entry.mjs'), `export default true;\n`);
+  fs.writeFileSync(path.join(fakeRepoRoot, 'entry.mjs'), `export default true;\n`);
+  fs.writeFileSync(path.join(outsideRoot, 'watchdog.mjs'), `export default true;\n`);
+
+  assert.throws(
+    () => validateDeploymentProfileArtifact(createArtifact({
+      spec: {
+        package: { pluginVersion: '0.1.0-mainline' },
+        bindings: {
+          entrypoint: 'scripts-link/entry.mjs',
+          scripts: { watchdog: 'safe-watchdog.mjs' },
+          artifact_roots: { queueItems: 'state/operator-notify-queue' },
+        },
+      },
+    }), { repoRootOverride: fakeRepoRoot }),
+    /spec\.bindings\.entrypoint must stay within repo root: symlink resolution escapes realpath boundary/
+  );
+
+  assert.throws(
+    () => validateDeploymentProfileArtifact(createArtifact({
+      spec: {
+        package: { pluginVersion: '0.1.0-mainline' },
+        bindings: {
+          entrypoint: 'entry.mjs',
+          scripts: { watchdog: 'scripts-link/watchdog.mjs' },
+          artifact_roots: { queueItems: 'state/operator-notify-queue' },
+        },
+      },
+    }), { repoRootOverride: fakeRepoRoot }),
+    /spec\.bindings\.scripts\.watchdog must stay within repo root: symlink resolution escapes realpath boundary/
+  );
+});
+
+test('use-time repo-root boundary check rejects symlink escapes for missing artifact leaf', async (t) => {
+  const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'reporting-governance-use-time-boundary-'));
+  t.after(() => fs.rmSync(sandbox, { recursive: true, force: true }));
+
+  const fakeRepoRoot = path.join(sandbox, 'repo');
+  const outsideRoot = path.join(sandbox, 'outside');
+  fs.mkdirSync(fakeRepoRoot, { recursive: true });
+  fs.mkdirSync(outsideRoot, { recursive: true });
+  fs.symlinkSync(outsideRoot, path.join(fakeRepoRoot, 'queue-link'), 'dir');
+
+  assert.throws(
+    () => assertUseTimePathWithinRepoRoot(path.join(fakeRepoRoot, 'queue-link', 'pending'), 'orchestrator adapter queueDir', {
+      repoRootOverride: fakeRepoRoot,
+      allowMissingLeaf: true,
+    }),
+    /orchestrator adapter queueDir must stay within repo root: symlink resolution escapes realpath boundary/
+  );
+});
--- a/plugins/reporting-governance/test/watchdog-chain.integration.test.mjs
+++ b/plugins/reporting-governance/test/watchdog-chain.integration.test.mjs
@@ -149,3 +149,30 @@ test('orchestrator adapter can bootstrap from profile artifact loader path', ()
    fs.rmSync(root, { recursive: true, force: true });
  }
 });
+
+
+test('orchestrator adapter can use artifact_roots.queueItems as the default queueDir at execution time', () => {
+  const root = createFixtureRoot();
+  try {
+    mkdirs(root, ['evidence', 'events', 'spool', 'receipts']);
+    const statePath = writeState(root);
+
+    const result = runOrchestratorAdapter({
+      profileId: 'strict-manager-mode',
+      repoRootOverride: path.resolve(packageRoot, '..', '..'),
+      state: statePath,
+      evidenceDir: path.join(root, 'evidence'),
+      eventDir: path.join(root, 'events'),
+      spoolDir: path.join(root, 'spool'),
+      receiptDir: path.join(root, 'receipts'),
+      writeState: true,
+      dryRun: true,
+      now: '2026-05-07T08:20:00.000Z',
+    });
+
+    assert.equal(result.ok, true);
+    assert.equal(result.result.dispatcher.dispatchedCount >= 0, true);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});