[Coverage Report] Test Coverage Report — 2026-06-17 #5148
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-24T06:17:59.845Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
Security-Critical Path Status
host-iptables-rules.tshost-iptables-shared.tshost-iptables-cleanup.tssquid/access-rules.tssquid/acl-generator.tssquid/validation.tsdomain-validation.tsdomain-patterns.tsdomain-matchers.tssquid/config-sections.tssquid/policy-manifest.tsFile-by-File Coverage Gaps (branches < 80%)
services/agent-volumes/etc-mounts.tslogs/audit-enricher.tsservices/agent-volumes/docker-host-staging.tscommands/validators/log-and-limits.tslogs/log-streamer.tsworkdir-setup.ts🔍 Notable Findings
1.
etc-mounts.ts— Credential File Staging Has Uncovered Error Paths (67.9% branches)This file synthesizes
/etc/passwdand/etc/groupfor DinD/ARC runners. The uncovered branches include:stageHostFilereturnsnulland a minimal synthesized identity file is written (lines 82–88 and 104–110). IfsynthesizeIdentityFilealso fails (catch block on line 19),passwdPathsilently remainsundefined, falling back to the real/etc/passwdinside the agent — a credential isolation regression.resolveUniqueNameconflict-resolution loop (counterincrement at line 55) is not exercised, meaning the case of two colliding username variants is untested.These paths gate whether the agent container sees the correct (isolated) user identity in DinD mode.
2.
squid/policy-manifest.ts— Blocked-Domain Rule Branches Uncovered (70% functions)Three arrow functions inside the
if (blockedDomains && blockedDomains.length > 0)block (lines 131–158) are never called in tests. This means thedeny-blocked-plainanddeny-blocked-regexpolicy rules are not exercised in the manifest generator, so the audit log enricher (audit-enricher.ts) can never attribute a denial to an explicitly blocked domain in a unit-test scenario. Any regression in blocked-domain manifest generation would go undetected.3.
docker-host-staging.ts— Path Traversal Prevention Branches Uncovered (72.4% branches)stageHostFile(line 49) has a multi-condition path-traversal guard:The coverage data shows 21 of 29 branches covered, leaving at least two of these three conditions untested in isolation. Without these tests, a future refactor could silently weaken the traversal check. The rejection-logging branch (line 50) is also uncovered.
4.
audit-enricher.ts— Regex Error Path and Early-Return Uncovered (74.1% branches)domainMatchesRulehas atry/catcharoundnew RegExp(entry, 'i')(lines 52–57) that silently skips invalid patterns. Thecatchbranch is not tested — an invalid regex in an ACL rule would be silently ignored during audit enrichment, producing anunknownattribution without any warning. Additionally, thedomain === '-'early-return guard (line 40) is not covered, meaning the function's behavior on Squid's internal synthetic-domain entry is untested.📈 Recommendations
🔴 High — Add DinD identity-staging edge-case tests for
etc-mounts.tsWhat to do: Add unit tests that simulate (a) a staging root that can't be written to (triggering
synthesizeIdentityFilefailure), and (b) a staged passwd file whose content is missing the runner UID, with a pre-existingrunnerentry that forces the counter loop inresolveUniqueName. These tests should assert the final mount path, not just that no exception is thrown.Why it matters: Silent fallback to
/etc/passwdinside the agent would expose the real host user list, violating the credential isolation guarantees of DinD mode.🔴 High — Test
squid/policy-manifest.tswithblockedDomainsconfiguredWhat to do: Add a test for
generatePolicyManifestthat passes a non-emptyblockedDomainsarray (including both plain domains and regex patterns). Assert that the resulting manifest containsdeny-blocked-plainanddeny-blocked-regexrules with the correctdomainsvalues. Also testenableDlp: trueandenableHostAccess: truepaths to bring function coverage to 100%.Why it matters: The policy manifest drives the audit enricher. Untested blocked-domain rules mean the audit trail cannot correctly attribute denials to explicit block-list entries — a gap in security observability.
🟡 Medium — Cover
docker-host-staging.tspath traversal guard branchesWhat to do: Add tests for
stageHostFilethat supply: (a) an emptyrelativeTargetPath, (b) a path that resolves to..outside the stage root (e.g.,../../etc/shadow), and (c) an absolute path string. Assert that each returnsundefinedand logs the rejection message.Why it matters: This function copies files from the runner filesystem into a staging directory that is then bind-mounted into Docker. The path traversal guard is the only thing preventing a crafted
relativeTargetPathfrom staging arbitrary runner files into the container.Beta Was this translation helpful? Give feedback.
All reactions