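// taint.test.mjs — Integration tests for the taint-tracer
//
// Tests against the evil-project-health fixture — lib/telemetry.mjs has 4 planted flows:
//
//   Flow 1: process.env → fetch (env exfiltration)
//   Flow 2: req.body → execSync (command injection)
//   Flow 3: process.argv → writeFileSync (path traversal)
//   Flow 4: user_input → eval (code injection)
//
// The taint-tracer uses heuristic analysis (~70% recall), so we require >= 3 detections
// rather than all 4. Only Flow 2 and Flow 4 are pinned individually below; the remaining
// assertions check the shape of the report (ids, owasp tags, source file) rather than
// which specific flows were caught.

import { describe, it, beforeEach } from 'node:test';
import assert from 'node:assert/strict';
import { resolve } from 'node:path';
import { fileURLToPath } from 'node:url';

import { resetCounter } from '../../scanners/lib/output.mjs';
import { discoverFiles } from '../../scanners/lib/file-discovery.mjs';
import { scan } from '../../scanners/taint-tracer.mjs';

const __dirname = fileURLToPath(new URL('.', import.meta.url));
const FIXTURE = resolve(__dirname, '../../examples/malicious-skill-demo/evil-project-health');

/**
 * Human-readable list of finding titles for assertion messages.
 * @param {Array<{title: string}>} findings
 * @returns {string}
 */
const titlesOf = (findings) => findings.map((f) => f.title).join('; ');

/**
 * Case-insensitive check whether a finding's title or evidence mentions `needle`.
 * `evidence` is optional on a finding, so it is coerced to a string before matching;
 * both fields are lower-cased so the two per-flow tests apply the same rule.
 * @param {{title: string, evidence?: string}} finding
 * @param {string} needle
 * @returns {boolean}
 */
const mentions = (finding, needle) => {
  const target = needle.toLowerCase();
  const title = String(finding.title ?? '').toLowerCase();
  const evidence = String(finding.evidence ?? '').toLowerCase();
  return title.includes(target) || evidence.includes(target);
};

describe('taint-tracer integration', () => {
  let discovery;
  let result;

  // One scan per test, run immediately after resetCounter() so the
  // "sequential from DS-TNT-001" test sees a fresh counter.
  beforeEach(async () => {
    resetCounter();
    discovery = await discoverFiles(FIXTURE);
    result = await scan(FIXTURE, discovery);
  });

  it('returns status ok', () => {
    assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`);
  });

  it('scans at least one code file', () => {
    assert.ok(
      result.files_scanned >= 1,
      `Expected files_scanned >= 1, got ${result.files_scanned}`,
    );
  });

  it('detects at least 3 taint flows', () => {
    assert.ok(
      result.findings.length >= 3,
      `Expected >= 3 taint findings, got ${result.findings.length}. ` +
        `Findings: ${titlesOf(result.findings)}`,
    );
  });

  it('reports at least one CRITICAL taint finding', () => {
    const criticals = result.findings.filter((f) => f.severity === 'critical');
    assert.ok(
      criticals.length >= 1,
      `Expected >= 1 CRITICAL taint finding, got ${criticals.length}. ` +
        `Severities: ${result.findings.map((f) => f.severity).join(', ')}`,
    );
  });

  it('detects command injection: req.body → execSync', () => {
    const cmdInjection = result.findings.find((f) => mentions(f, 'req.body'));
    assert.ok(
      cmdInjection,
      `Should detect req.body taint flow. All findings: ${titlesOf(result.findings)}`,
    );
  });

  it('detects code injection: user_input → eval', () => {
    const evalFlow = result.findings.find((f) => mentions(f, 'eval'));
    assert.ok(
      evalFlow,
      `Should detect user_input → eval flow. All findings: ${titlesOf(result.findings)}`,
    );
  });

  it('all findings have DS-TNT- prefix', () => {
    const wrongPrefix = result.findings.filter((f) => !f.id.startsWith('DS-TNT-'));
    assert.equal(
      wrongPrefix.length,
      0,
      `All taint findings should have DS-TNT- prefix. Wrong: ${wrongPrefix.map((f) => f.id).join(', ')}`,
    );
  });

  it('all findings reference owasp LLM01 or LLM02', () => {
    for (const f of result.findings) {
      assert.ok(
        f.owasp === 'LLM01' || f.owasp === 'LLM02',
        `Finding ${f.id} owasp should be LLM01 or LLM02, got ${f.owasp}`,
      );
    }
  });

  it('findings reference telemetry.mjs as the source file', () => {
    const telemetryFindings = result.findings.filter((f) => f.file?.includes('telemetry'));
    assert.ok(
      telemetryFindings.length >= 1,
      `Expected findings referencing telemetry.mjs, got 0. ` +
        `Files referenced: ${[...new Set(result.findings.map((f) => f.file))].join(', ')}`,
    );
  });

  it('finding IDs are sequential starting from DS-TNT-001 after reset', () => {
    // Emptiness is already asserted by the ">= 3 taint flows" test; skip rather than double-report.
    if (result.findings.length === 0) return;
    assert.equal(result.findings[0].id, 'DS-TNT-001');
    // A sequential counter must never hand out the same ID twice.
    const ids = result.findings.map((f) => f.id);
    assert.equal(new Set(ids).size, ids.length, `Duplicate finding IDs: ${ids.join(', ')}`);
  });
});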