163 lines
6.3 KiB
JavaScript
163 lines
6.3 KiB
JavaScript
// pre-edit-secrets.test.mjs — Tests for hooks/scripts/pre-edit-secrets.mjs
|
|
// Zero external dependencies: node:test + node:assert only.
|
|
//
|
|
// Fake credentials are assembled ONLY at runtime so this source file cannot
|
|
// self-trigger the pre-edit-secrets hook when written by Claude Code.
|
|
|
|
import { describe, it } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import { resolve } from 'node:path';
|
|
import { runHook } from './hook-helper.mjs';
|
|
|
|
const SCRIPT = resolve(import.meta.dirname, '../../hooks/scripts/pre-edit-secrets.mjs');
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Runtime-assembled fake credentials (no literal patterns in source)
|
|
// ---------------------------------------------------------------------------
|
|
|
|
// AWS key ID: AKIA + 16 uppercase alphanumeric chars
|
|
const awsKeyId = ['AKIA', 'IOSFODNN7EXAMPLE'].join(''); // 20 chars total
|
|
|
|
// AWS secret: keyword + 40-char base64-ish value
|
|
const awsSecretLine = [
|
|
'aws_secret_access_key = "',
|
|
'abcdefghij1234567890ABCDEFGHIJ1234567890',
|
|
'"',
|
|
].join('');
|
|
|
|
// GitHub token: ghp_ prefix + 36 alphanum chars (total >= 40)
|
|
const ghToken = ['ghp_', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij'].join('');
|
|
|
|
// Generic password assignment (>= 8 char value)
|
|
const pwdLine = ['pass', 'word', ' = "longvalue123456789"'].join('');
|
|
|
|
// Bearer token (>= 20 non-space chars after "Bearer ")
|
|
const bearerLine = [
|
|
'Authorization: Bearer ',
|
|
'eyJhbGciOiJSUzI1NiJ9.payload.sig12345678',
|
|
].join('');
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Helpers
|
|
// ---------------------------------------------------------------------------
|
|
|
|
function writePayload(filePath, content) {
|
|
return { tool_name: 'Write', tool_input: { file_path: filePath, content } };
|
|
}
|
|
|
|
function editPayload(filePath, newString) {
|
|
return { tool_name: 'Edit', tool_input: { file_path: filePath, new_string: newString } };
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// BLOCK cases
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('pre-edit-secrets — BLOCK cases', () => {
|
|
it('blocks a Write containing an AWS Access Key ID pattern', async () => {
|
|
const result = await runHook(SCRIPT, writePayload(
|
|
'src/config.js',
|
|
`const key = "${awsKeyId}";`
|
|
));
|
|
assert.equal(result.code, 2);
|
|
assert.match(result.stderr, /BLOCKED/);
|
|
assert.match(result.stderr, /AWS Access Key ID/);
|
|
});
|
|
|
|
it('blocks a Write containing an AWS Secret Access Key assignment', async () => {
|
|
const result = await runHook(SCRIPT, writePayload('src/config.js', awsSecretLine));
|
|
assert.equal(result.code, 2);
|
|
assert.match(result.stderr, /BLOCKED/);
|
|
assert.match(result.stderr, /AWS Secret Access Key/);
|
|
});
|
|
|
|
it('blocks a Write containing a GitHub token pattern', async () => {
|
|
const result = await runHook(SCRIPT, writePayload(
|
|
'src/config.js',
|
|
`const t = "${ghToken}";`
|
|
));
|
|
assert.equal(result.code, 2);
|
|
assert.match(result.stderr, /BLOCKED/);
|
|
assert.match(result.stderr, /GitHub Token/);
|
|
});
|
|
|
|
it('blocks a Write containing a generic password assignment with a long value', async () => {
|
|
const result = await runHook(SCRIPT, writePayload('src/config.js', pwdLine));
|
|
assert.equal(result.code, 2);
|
|
assert.match(result.stderr, /BLOCKED/);
|
|
assert.match(result.stderr, /Generic credential assignment/);
|
|
});
|
|
|
|
it('blocks a Write containing a Bearer token in an Authorization header', async () => {
|
|
const result = await runHook(SCRIPT, writePayload('src/api.js', bearerLine));
|
|
assert.equal(result.code, 2);
|
|
assert.match(result.stderr, /BLOCKED/);
|
|
assert.match(result.stderr, /Authorization header/);
|
|
});
|
|
|
|
it('blocks an Edit where new_string contains an AWS Access Key ID pattern', async () => {
|
|
const result = await runHook(SCRIPT, editPayload(
|
|
'src/config.js',
|
|
`const accessKey = "${awsKeyId}";`
|
|
));
|
|
assert.equal(result.code, 2);
|
|
assert.match(result.stderr, /BLOCKED/);
|
|
});
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// ALLOW cases
|
|
// ---------------------------------------------------------------------------
|
|
|
|
describe('pre-edit-secrets — ALLOW cases', () => {
|
|
it('allows a generic pattern where the value is shorter than 8 characters', async () => {
|
|
const result = await runHook(SCRIPT, writePayload('src/config.js', 'x = "abc"'));
|
|
assert.equal(result.code, 0);
|
|
});
|
|
|
|
it('allows a Write to a file in /project/knowledge/ (absolute path) even if content matches a secret pattern', async () => {
|
|
// The exclusion pattern requires a directory separator before "knowledge"
|
|
const result = await runHook(SCRIPT, {
|
|
tool_name: 'Write',
|
|
tool_input: { file_path: '/project/knowledge/aws-docs.md', content: `Example: ${awsKeyId}` },
|
|
});
|
|
assert.equal(result.code, 0);
|
|
});
|
|
|
|
it('allows a Write to a .test.js file even if content matches a secret pattern', async () => {
|
|
// The exclusion matches .(test|spec|mock).[jt]sx? — covers .test.js but not .test.mjs
|
|
const result = await runHook(SCRIPT, {
|
|
tool_name: 'Write',
|
|
tool_input: { file_path: 'tests/config.test.js', content: `const k = "${awsKeyId}"; // fixture` },
|
|
});
|
|
assert.equal(result.code, 0);
|
|
});
|
|
|
|
it('allows a Write to a .example file even if content matches a secret pattern', async () => {
|
|
const result = await runHook(SCRIPT, {
|
|
tool_name: 'Write',
|
|
tool_input: { file_path: 'config.example', content: pwdLine },
|
|
});
|
|
assert.equal(result.code, 0);
|
|
});
|
|
|
|
it('allows a Write with content that contains no secrets', async () => {
|
|
const result = await runHook(SCRIPT, writePayload('src/app.js', 'console.log("Hello");'));
|
|
assert.equal(result.code, 0);
|
|
});
|
|
|
|
it('allows a Write with empty content', async () => {
|
|
const result = await runHook(SCRIPT, writePayload('src/app.js', ''));
|
|
assert.equal(result.code, 0);
|
|
});
|
|
|
|
it('allows a Write where the content field is absent', async () => {
|
|
const result = await runHook(SCRIPT, { tool_name: 'Write', tool_input: { file_path: 'src/app.js' } });
|
|
assert.equal(result.code, 0);
|
|
});
|
|
|
|
it('exits 0 gracefully when stdin is not valid JSON', async () => {
|
|
const result = await runHook(SCRIPT, 'this is not json {{{');
|
|
assert.equal(result.code, 0);
|
|
});
|
|
});
|