47 lines
1.6 KiB
Python
47 lines
1.6 KiB
Python
import sys
|
|
import tempfile
|
|
import unittest
|
|
from pathlib import Path
|
|
|
|
|
|
TOOLS_SCRIPTS_DIR = Path(__file__).resolve().parents[1]
|
|
if str(TOOLS_SCRIPTS_DIR) not in sys.path:
|
|
sys.path.insert(0, str(TOOLS_SCRIPTS_DIR))
|
|
|
|
import sync_microsoft_skills as sms
|
|
|
|
|
|
class SyncMicrosoftSkillsSecurityTests(unittest.TestCase):
|
|
def test_sanitize_flat_name_rejects_path_traversal(self):
|
|
sanitized = sms.sanitize_flat_name("../../.ssh", "fallback-name")
|
|
self.assertEqual(sanitized, "fallback-name")
|
|
|
|
def test_find_skills_ignores_symlinks_outside_clone(self):
|
|
with tempfile.TemporaryDirectory() as temp_dir:
|
|
root = Path(temp_dir)
|
|
skills_dir = root / "skills"
|
|
skills_dir.mkdir()
|
|
|
|
safe_skill = root / ".github" / "skills" / "safe-skill"
|
|
safe_skill.mkdir(parents=True)
|
|
(safe_skill / "SKILL.md").write_text("---\nname: safe-skill\n---\n", encoding="utf-8")
|
|
(skills_dir / "safe-skill").symlink_to(safe_skill, target_is_directory=True)
|
|
|
|
outside = Path(tempfile.mkdtemp())
|
|
try:
|
|
(outside / "SKILL.md").write_text("---\nname: leaked\n---\n", encoding="utf-8")
|
|
(skills_dir / "escape").symlink_to(outside, target_is_directory=True)
|
|
|
|
entries = sms.find_skills_in_directory(root)
|
|
relative_paths = {str(entry["relative_path"]) for entry in entries}
|
|
|
|
self.assertEqual(relative_paths, {"safe-skill"})
|
|
finally:
|
|
for child in outside.iterdir():
|
|
child.unlink()
|
|
outside.rmdir()
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main()
|