fix(security): Harden skill activation and loading flows
Harden batch activation, dev refresh gating, Microsoft sync path handling, and Jetski skill loading against command injection, symlink traversal, and client-side star tampering. Add regression coverage for the security-sensitive paths and update the internal triage addendum for the Jetski loader fix.
20
tools/scripts/tests/activate_skills_batch_security.test.js
Normal file
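--- a/tools/scripts/tests/activate_skills_batch_security.test.js
+++ b/tools/scripts/tests/activate_skills_batch_security.test.js
@@ -0,0 +1,20 @@
+const assert = require("assert");
+const fs = require("fs");
+const path = require("path");
+
+const repoRoot = path.resolve(__dirname, "../..", "..");
+const batchScript = fs.readFileSync(
+path.join(repoRoot, "scripts", "activate-skills.bat"),
+"utf8",
+);
+
+assert.doesNotMatch(
+batchScript,
+/for %%s in \(!ESSENTIALS!\) do \(/,
+"activate-skills.bat must not iterate untrusted skills with tokenized FOR syntax",
+);
+assert.match(
+batchScript,
+/for \/f .*%%s in \("%SKILLS_LIST_FILE%"\) do \(/i,
+"activate-skills.bat should read one validated skill id per line from the temp file",
+);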
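Review bot: The `assert.doesNotMatch` pattern pins one exact spelling of the old loop and, unlike the positive check below it, has no `i` flag, so a regression written as `FOR %%S IN (!ESSENTIALS!) DO (`, or with different spacing or another loop variable, would still pass even though batch keywords are case-insensitive. I would loosen it to something like `/for\s+%%\w\s+in\s+\(\s*!ESSENTIALS!\s*\)\s+do/i`. Separately, the second message promises "one validated skill id per line", but neither assertion looks at the step that validates ids before they are written to `%SKILLS_LIST_FILE%`; the batch file is not visible here, so this may be covered elsewhere. If it is not, a check on that validation step would guard the injection path more directly than matching the loop header alone. A short comment above `repoRoot` saying that this is a static content check of `scripts/activate-skills.bat` (the script is never executed) would also help readers judge what the test does and does not prove.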