Skip to content

test: add comprehensive tests for mount-security module#721

Closed
cmraible-bot wants to merge 1 commit intoqwibitai:mainfrom
cmraible-bot:upstream/test-mount-security
Closed

test: add comprehensive tests for mount-security module#721
cmraible-bot wants to merge 1 commit intoqwibitai:mainfrom
cmraible-bot:upstream/test-mount-security

Conversation

@cmraible-bot
Copy link
Copy Markdown

@cmraible-bot cmraible-bot commented Mar 5, 2026

Summary

The mount-security.ts module is security-critical — it handles mount validation, path traversal prevention, blocked pattern matching, symlink resolution, and read-only enforcement for container mounts. Despite this, it had zero test coverage.

This PR adds 35 tests covering all public functions and security-relevant edge cases:

  • Allowlist loading (8 tests): Missing file, invalid JSON, malformed structure, default pattern merging, caching and error caching
  • Mount validation (21 tests): Blocked patterns (default + custom + substring matching), allowed root validation, container path traversal prevention (../, absolute, empty, whitespace), non-existent paths, read-only enforcement (nonMainReadOnly, per-root allowReadWrite, defaults), symlink resolution (allowed, escape to outside root, escape to blocked path), containerPath derivation
  • validateAdditionalMounts (4 tests): Filtering, /workspace/extra/ prefixing, all-rejected, empty input
  • generateAllowlistTemplate (2 tests): Valid JSON, required fields

Also adds _resetMountCacheForTests() to clear the module-level cache between tests (same pattern used by task-scheduler.ts).

Changes

  • src/mount-security.ts: Add _resetMountCacheForTests() export (5 lines)
  • src/mount-security.test.ts: New file with 35 tests

Test plan

  • All 35 new tests pass
  • TypeScript compilation clean
  • Prettier formatting clean

Co-Authored-By: Claude Opus 4.6 [email protected]

@claude
test: add comprehensive tests for mount-security module
2e26529 
The mount-security module handles security-critical mount validation
(path traversal prevention, blocked pattern matching, symlink
resolution, read-only enforcement) but had zero test coverage.

Adds 35 tests covering:
- Allowlist loading: missing file, invalid JSON, malformed structure,
  default pattern merging, caching behavior
- Mount validation: blocked patterns, allowed roots, container path
  traversal prevention, non-existent paths
- Read-only enforcement: nonMainReadOnly policy, per-root allowReadWrite
- Symlink security: resolving symlinks before validation, blocking
  symlinks that escape allowed roots or target blocked paths
- validateAdditionalMounts: filtering, container path prefixing
- generateAllowlistTemplate: valid JSON structure

Also adds _resetMountCacheForTests() to clear the module-level cache
between tests (same pattern as task-scheduler.ts).

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@TomGranot
Copy link
Copy Markdown
Collaborator

TomGranot commented Mar 5, 2026

More tests for mount-security is always welcome. Will review alongside the other test PRs.

@Andy-NanoClaw-AI Andy-NanoClaw-AI added PR: Chore Maintenance tasks, dependencies, tooling Status: Needs Review Ready for maintainer review labels Mar 5, 2026
@github-actions github-actions bot mentioned this pull request Apr 11, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gavrielc gavrielc Awaiting requested review from gavrielc gavrielc is a code owner

@gabi-simons gabi-simons Awaiting requested review from gabi-simons gabi-simons is a code owner

Assignees

No one assigned

Labels

PR: Chore Maintenance tasks, dependencies, tooling Status: Needs Review Ready for maintainer review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cmraible-bot @TomGranot @Andy-NanoClaw-AI