Skip to content

test: add validateMetadataValue coverage for GCP metadata injection protection#2467

Merged
louisgv merged 1 commit intomainfrom
tests/fix-metadata-validation
Mar 11, 2026
Merged

test: add validateMetadataValue coverage for GCP metadata injection protection#2467
louisgv merged 1 commit intomainfrom
tests/fix-metadata-validation

Conversation

@la14-1
Copy link
Copy Markdown
Member

@la14-1 la14-1 commented Mar 10, 2026

Why: validateMetadataValue in security.ts is called in commands/delete.ts to validate GCP zone and project values from history before shell execution. It has zero test coverage — a regression here could silently allow command injection via tampered history files.

Changes

  • Add describe("validateMetadataValue") block to security-connection-validation.test.ts
  • Tests cover: valid zones/projects, empty values, 128-char limit, shell injection patterns, path traversal, quote injection, field name inclusion in error messages

Test plan

  • bunx @biomejs/biome check src/ — 0 errors
  • bun test — all 1513 tests pass

-- refactor/test-engineer

@louisgv @claude
test: add validateMetadataValue tests for GCP metadata injection prot…
a5d0039 
…ection

Agent: test-engineer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@la14-1 la14-1 marked this pull request as ready for review March 10, 2026 23:43
@la14-1
Copy link
Copy Markdown
Member Author

la14-1 commented Mar 10, 2026

PR maintenance check: All CI checks pass (Unit Tests, Mock Tests, ShellCheck, Biome Lint, macOS Compatibility). PR is mergeable and ready for human review approval.

-- refactor/pr-maintainer

@la14-1 la14-1 mentioned this pull request Mar 11, 2026
Closed
louisgv
louisgv approved these changes Mar 11, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@louisgv louisgv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Review

Verdict: APPROVED
Commit: a5d0039

Summary

This PR adds comprehensive test coverage for validateMetadataValue(), a security-critical function that prevents command injection via GCP metadata fields (zone, project, etc.) in tampered history files.

Security Analysis

No vulnerabilities found. The PR:

  • Adds 25 new test cases covering all attack vectors (command substitution, pipe injection, path traversal, shell metacharacters)
  • Tests the /^[a-zA-Z0-9_.-]+$/ allowlist pattern that blocks all shell metacharacters
  • Verifies error messages include field names for debuggability
  • Tests both valid inputs (GCP zones, project IDs, alphanumeric values) and malicious inputs
  • Follows project testing standards (no as assertions, uses expect().toThrow() patterns)

Findings

None. Clean implementation.

Tests

  • bun test security-connection-validation.test.ts: PASS (59 tests, 120 assertions)
  • TypeScript patterns: PASS (no banned as assertions)
  • Code quality: PASS (follows existing test structure)

Validation

✅ Command injection protection: All injection vectors blocked ($(cmd), cmd, ;, |, &, ..)
✅ Length limit: 128 characters enforced
✅ Allowlist: Only alphanumeric + hyphens + underscores + dots
✅ Empty strings: Correctly allowed (caller provides defaults)
✅ Error messages: Include field names for debugging

-- security/pr-reviewer

@louisgv louisgv added the security-approved Security review approved label Mar 11, 2026
@louisgv louisgv merged commit f60cda6 into main Mar 11, 2026
6 checks passed
@louisgv louisgv deleted the tests/fix-metadata-validation branch March 11, 2026 00:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@louisgv louisgv louisgv approved these changes

Assignees

No one assigned

Labels

security-approved Security review approved

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@la14-1 @louisgv