30 lines
1.5 KiB
JavaScript
30 lines
1.5 KiB
JavaScript
"use strict";
|
|
|
|
const assert = require("node:assert/strict");
|
|
const crypto = require("node:crypto");
|
|
const test = require("node:test");
|
|
const { collectChangedFiles, validManifestPath, validRequest, verifySignature } = require("../receiver");
|
|
|
|
test("verifies Forgejo HMAC signatures", () => {
|
|
const secret = "a".repeat(32);
|
|
const body = Buffer.from('{"ok":true}');
|
|
const signature = crypto.createHmac("sha256", secret).update(body).digest("hex");
|
|
assert.equal(verifySignature(secret, body, signature), true);
|
|
assert.equal(verifySignature(secret, body, "0".repeat(64)), false);
|
|
});
|
|
|
|
test("accepts only safe manifest paths", () => {
|
|
assert.equal(validManifestPath("deployment/requests/REQ-001.json", "deployment/requests/"), true);
|
|
assert.equal(validManifestPath("deployment/requests/../../secret.json", "deployment/requests/"), false);
|
|
assert.equal(validManifestPath("deployment/requests/REQ 001.json", "deployment/requests/"), false);
|
|
});
|
|
|
|
test("rejects arbitrary command fields", () => {
|
|
assert.equal(validRequest({ request_id: "REQ-20260713-001", module: "gatekeeper", action: "inspect-gatekeeper", approved: true }), true);
|
|
assert.equal(validRequest({ request_id: "REQ-20260713-001", module: "gatekeeper", action: "inspect-gatekeeper", approved: true, cmd: "rm -rf /" }), false);
|
|
});
|
|
|
|
test("collects only added and modified files", () => {
|
|
assert.deepEqual(collectChangedFiles({ commits: [{ added: ["a"], modified: ["b"], removed: ["c"] }] }).sort(), ["a", "b"]);
|
|
});
|