go-agent/security_test.go

package agent

import (
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestSanitizePath_Good(t *testing.T) {
	tests := []struct {
		name     string
		input    string
		expected string
	}{
		{name: "simple name", input: "myfile.txt", expected: "myfile.txt"},
		{name: "with hyphen", input: "my-file", expected: "my-file"},
		{name: "with underscore", input: "my_file", expected: "my_file"},
		{name: "with dots", input: "file.tar.gz", expected: "file.tar.gz"},
		{name: "strips directory", input: "/path/to/file.txt", expected: "file.txt"},
		{name: "alphanumeric", input: "abc123", expected: "abc123"},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			result, err := SanitizePath(tt.input)
			require.NoError(t, err)
			assert.Equal(t, tt.expected, result)
		})
	}
}

func TestSanitizePath_Good_StripsDirTraversal(t *testing.T) {
	// filepath.Base("../secret") returns "secret" which is safe.
	result, err := SanitizePath("../secret")
	require.NoError(t, err)
	assert.Equal(t, "secret", result, "directory traversal component stripped by filepath.Base")
}

func TestSanitizePath_Bad(t *testing.T) {
	tests := []struct {
		name  string
		input string
	}{
		{name: "spaces", input: "my file"},
		{name: "special chars", input: "file;rm -rf"},
		{name: "pipe", input: "file|cmd"},
		{name: "backtick", input: "file`cmd`"},
		{name: "dollar", input: "file$var"},
		{name: "single dot", input: "."},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			_, err := SanitizePath(tt.input)
			assert.Error(t, err)
		})
	}
}

func TestEscapeShellArg_Good(t *testing.T) {
	tests := []struct {
		name     string
		input    string
		expected string
	}{
		{name: "simple string", input: "hello", expected: "'hello'"},
		{name: "with spaces", input: "hello world", expected: "'hello world'"},
		{name: "empty string", input: "", expected: "''"},
		{name: "with single quote", input: "it's", expected: "'it'\\''s'"},
		{name: "multiple single quotes", input: "a'b'c", expected: "'a'\\''b'\\''c'"},
		{name: "with special chars", input: "$(rm -rf /)", expected: "'$(rm -rf /)'"},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			result := EscapeShellArg(tt.input)
			assert.Equal(t, tt.expected, result)
		})
	}
}

func TestSecureSSHCommand_Good(t *testing.T) {
	cmd := SecureSSHCommand("claude@10.0.0.1", "ls -la /tmp")

	assert.Equal(t, "ssh", cmd.Path[len(cmd.Path)-3:])
	args := cmd.Args
	assert.Contains(t, args, "-o")
	assert.Contains(t, args, "StrictHostKeyChecking=yes")
	assert.Contains(t, args, "BatchMode=yes")
	assert.Contains(t, args, "ConnectTimeout=10")
	assert.Contains(t, args, "claude@10.0.0.1")
	assert.Contains(t, args, "ls -la /tmp")
}

func TestMaskToken_Good(t *testing.T) {
	tests := []struct {
		name     string
		token    string
		expected string
	}{
		{name: "normal token", token: "abcdefghijkl", expected: "abcd****ijkl"},
		{name: "exactly 8 chars", token: "12345678", expected: "1234****5678"},
		{name: "short token", token: "abc", expected: "*****"},
		{name: "empty token", token: "", expected: "*****"},
		{name: "7 chars", token: "1234567", expected: "*****"},
		{name: "long token", token: "ghp_1234567890abcdef", expected: "ghp_****cdef"},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			result := MaskToken(tt.token)
			assert.Equal(t, tt.expected, result)
		})
	}
}
feat: initial go-agent — agentci + jobrunner + plugins marketplace Consolidates three codebases into a single agent orchestration repo: - agentci (from go-scm): Clotho dual-run verification, agent config, SSH security (sanitisation, secure commands, token masking) - jobrunner (from go-scm): Poll-dispatch-report pipeline with 7 handlers (dispatch, completion, auto-merge, publish draft, dismiss reviews, send fix command, tick parent epic) - plugins marketplace (from agentic/plugins): 27 Claude/Codex/Gemini plugins with shared MCP server All 150+ tests passing across 6 packages. Co-Authored-By: Virgil <virgil@lethean.io> 2026-02-21 15:47:19 +00:00			`package agent`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestSanitizePath_Good(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`input string`
			`expected string`
			`}{`
			`{name: "simple name", input: "myfile.txt", expected: "myfile.txt"},`
			`{name: "with hyphen", input: "my-file", expected: "my-file"},`
			`{name: "with underscore", input: "my_file", expected: "my_file"},`
			`{name: "with dots", input: "file.tar.gz", expected: "file.tar.gz"},`
			`{name: "strips directory", input: "/path/to/file.txt", expected: "file.txt"},`
			`{name: "alphanumeric", input: "abc123", expected: "abc123"},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`result, err := SanitizePath(tt.input)`
			`require.NoError(t, err)`
			`assert.Equal(t, tt.expected, result)`
			`})`
			`}`
			`}`

			`func TestSanitizePath_Good_StripsDirTraversal(t *testing.T) {`
			`// filepath.Base("../secret") returns "secret" which is safe.`
			`result, err := SanitizePath("../secret")`
			`require.NoError(t, err)`
			`assert.Equal(t, "secret", result, "directory traversal component stripped by filepath.Base")`
			`}`

			`func TestSanitizePath_Bad(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`input string`
			`}{`
			`{name: "spaces", input: "my file"},`
			`{name: "special chars", input: "file;rm -rf"},`
			`{name: "pipe", input: "file\|cmd"},`
			{name: "backtick", input: "file`cmd`"},
			`{name: "dollar", input: "file$var"},`
			`{name: "single dot", input: "."},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`_, err := SanitizePath(tt.input)`
			`assert.Error(t, err)`
			`})`
			`}`
			`}`

			`func TestEscapeShellArg_Good(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`input string`
			`expected string`
			`}{`
			`{name: "simple string", input: "hello", expected: "'hello'"},`
			`{name: "with spaces", input: "hello world", expected: "'hello world'"},`
			`{name: "empty string", input: "", expected: "''"},`
			`{name: "with single quote", input: "it's", expected: "'it'\\''s'"},`
			`{name: "multiple single quotes", input: "a'b'c", expected: "'a'\\''b'\\''c'"},`
			`{name: "with special chars", input: "$(rm -rf /)", expected: "'$(rm -rf /)'"},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`result := EscapeShellArg(tt.input)`
			`assert.Equal(t, tt.expected, result)`
			`})`
			`}`
			`}`

			`func TestSecureSSHCommand_Good(t *testing.T) {`
			`cmd := SecureSSHCommand("claude@10.0.0.1", "ls -la /tmp")`

			`assert.Equal(t, "ssh", cmd.Path[len(cmd.Path)-3:])`
			`args := cmd.Args`
			`assert.Contains(t, args, "-o")`
			`assert.Contains(t, args, "StrictHostKeyChecking=yes")`
			`assert.Contains(t, args, "BatchMode=yes")`
			`assert.Contains(t, args, "ConnectTimeout=10")`
			`assert.Contains(t, args, "claude@10.0.0.1")`
			`assert.Contains(t, args, "ls -la /tmp")`
			`}`

			`func TestMaskToken_Good(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`token string`
			`expected string`
			`}{`
			`{name: "normal token", token: "abcdefghijkl", expected: "abcd****ijkl"},`
			`{name: "exactly 8 chars", token: "12345678", expected: "1234****5678"},`
			`{name: "short token", token: "abc", expected: "*****"},`
			`{name: "empty token", token: "", expected: "*****"},`
			`{name: "7 chars", token: "1234567", expected: "*****"},`
			`{name: "long token", token: "ghp_1234567890abcdef", expected: "ghp_****cdef"},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`result := MaskToken(tt.token)`
			`assert.Equal(t, tt.expected, result)`
			`})`
			`}`
			`}`