[Repo Assist] test: expand HttpUrlRiskEvaluator and BrowserProxy coverage#271
Merged
shanselman merged 1 commit intomasterfrom May 5, 2026
Conversation
- Add direct IsPublicAddress tests for all IPv4 private ranges (0/8, 10/8, CGNAT 100.64/10, loopback 127/8, link-local 169.254/16, 172.16-31/12, 192.168/16, multicast ≥224) — previously only IPv6 ranges had explicit IsPublicAddress tests. - Add IsPublicAddress tests for public IPv4 (8.8.8.8, 1.1.1.1, etc.) and boundary values just outside the private ranges. - Add IsPublicAddress tests for IPv4-mapped IPv6 public addresses (::ffff:8.8.8.8, ::ffff:1.1.1.1). - Add Evaluate tests: localhost host, IPv6 literal, HostKey lowercasing with non-default port, CanonicalOrigin with non-standard port. - Add BrowserProxy tests: empty path, path without leading slash (auto-prepend), double-slash protocol-relative path rejection, gateway port overflow (>65533), query+profile forwarded to URI. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
14 tasks
shanselman
deleted the
repo-assist/test-improve-risk-and-browserproxy-2026-05-05-4b0ecf755628e2cd
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 This is an automated PR from Repo Assist.
Summary
Expands unit test coverage for
HttpUrlRiskEvaluatorandBrowserProxyCapability— two security-critical components. All 12 new tests pass; no existing tests were changed.HttpUrlRiskEvaluatorTests(+24 tests)IPv4
IsPublicAddressgaps — the existing suite had explicitIsPublicAddresstests only for IPv6 ranges. This adds direct IPv4 coverage:0.1.2.3,10.x,100.64.x(CGNAT),127.x,169.254.x,172.16-31.x,192.168.x,224+multicast,255.255.255.2558.8.8.8,1.1.1.1, boundary values just outside each private range::ffff:8.8.8.8,::ffff:1.1.1.1Evaluateextraslocalhosthost, IPv6 literal,HostKeylowercasing with non-default port,CanonicalOriginwith non-standard portWhy this matters:
IsPublicAddressfeeds the risk-zone classifier used before browser navigation and media hand-off. A bug that mis-classified a private IPv4 address as public could suppress the confirmation prompt, silently routing the agent to an internal host.BrowserProxyCapabilityTests(+5 tests)Covers path-normalization and input-validation branches in
BrowserProxyCapability.ExecuteAsyncthat had no direct tests:EmptyPath_ReturnsErrorTryNormalizePathempty-string rejectionSlashlessPrependedPath_NormalizesWithLeadingSlash/DoubleSlashPath_ReturnsError//protocol-relative URL rejectionGatewayPortAbove65533_ReturnsErrorTryResolveControlEndpointport overflowQueryAndProfileAppendedToUriBuildUriwith bothqueryandprofileparamsTest Status
OpenClaw.Shared.TestsOpenClaw.Tray.Tests* Pre-existing Linux-only canvas JSONL failures (tracked in PR #264).