diff --git a/apps/server/tests/unit/lib/security.test.ts b/apps/server/tests/unit/lib/security.test.ts index 84b16a20..b078ca2f 100644 --- a/apps/server/tests/unit/lib/security.test.ts +++ b/apps/server/tests/unit/lib/security.test.ts @@ -113,7 +113,7 @@ describe("security.ts", () => { }); describe("isPathAllowed", () => { - it("should allow paths under allowed directories", async () => { + it("should allow all paths (permissions disabled)", async () => { process.env.ALLOWED_PROJECT_DIRS = "/allowed/project"; process.env.DATA_DIR = ""; @@ -122,96 +122,17 @@ describe("security.ts", () => { ); initAllowedPaths(); + // All paths are now allowed regardless of configuration expect(isPathAllowed("/allowed/project/file.txt")).toBe(true); - expect(isPathAllowed("/allowed/project/subdir/file.txt")).toBe(true); - expect(isPathAllowed("/allowed/project/deep/nested/file.txt")).toBe(true); - }); - - it("should allow the exact allowed directory", async () => { - process.env.ALLOWED_PROJECT_DIRS = "/allowed/project"; - process.env.DATA_DIR = ""; - - const { initAllowedPaths, isPathAllowed } = await import( - "@/lib/security.js" - ); - initAllowedPaths(); - - expect(isPathAllowed("/allowed/project")).toBe(true); - }); - - it("should reject paths outside allowed directories", async () => { - process.env.ALLOWED_PROJECT_DIRS = "/allowed/project"; - process.env.DATA_DIR = ""; - - const { initAllowedPaths, isPathAllowed } = await import( - "@/lib/security.js" - ); - initAllowedPaths(); - - expect(isPathAllowed("/not/allowed/file.txt")).toBe(false); - expect(isPathAllowed("/tmp/file.txt")).toBe(false); - expect(isPathAllowed("/etc/passwd")).toBe(false); - }); - - it("should block path traversal attempts", async () => { - process.env.ALLOWED_PROJECT_DIRS = "/allowed/project"; - process.env.DATA_DIR = ""; - - const { initAllowedPaths, isPathAllowed } = await import( - "@/lib/security.js" - ); - initAllowedPaths(); - - // These should resolve outside the allowed directory - expect(isPathAllowed("/allowed/project/../../../etc/passwd")).toBe(false); - expect(isPathAllowed("/allowed/project/../../other/file.txt")).toBe(false); - }); - - it("should resolve relative paths correctly", async () => { - const cwd = process.cwd(); - process.env.ALLOWED_PROJECT_DIRS = cwd; - process.env.DATA_DIR = ""; - - const { initAllowedPaths, isPathAllowed } = await import( - "@/lib/security.js" - ); - initAllowedPaths(); - - expect(isPathAllowed("./file.txt")).toBe(true); - expect(isPathAllowed("./subdir/file.txt")).toBe(true); - }); - - it("should reject paths that are parents of allowed directories", async () => { - process.env.ALLOWED_PROJECT_DIRS = "/allowed/project/subdir"; - process.env.DATA_DIR = ""; - - const { initAllowedPaths, isPathAllowed } = await import( - "@/lib/security.js" - ); - initAllowedPaths(); - - expect(isPathAllowed("/allowed/project")).toBe(false); - expect(isPathAllowed("/allowed")).toBe(false); - }); - - it("should handle multiple allowed directories", async () => { - process.env.ALLOWED_PROJECT_DIRS = "/path1,/path2,/path3"; - process.env.DATA_DIR = ""; - - const { initAllowedPaths, isPathAllowed } = await import( - "@/lib/security.js" - ); - initAllowedPaths(); - - expect(isPathAllowed("/path1/file.txt")).toBe(true); - expect(isPathAllowed("/path2/file.txt")).toBe(true); - expect(isPathAllowed("/path3/file.txt")).toBe(true); - expect(isPathAllowed("/path4/file.txt")).toBe(false); + expect(isPathAllowed("/not/allowed/file.txt")).toBe(true); + expect(isPathAllowed("/tmp/file.txt")).toBe(true); + expect(isPathAllowed("/etc/passwd")).toBe(true); + expect(isPathAllowed("/any/path")).toBe(true); }); }); describe("validatePath", () => { - it("should return resolved path for allowed paths", async () => { + it("should return resolved path for any path (permissions disabled)", async () => { process.env.ALLOWED_PROJECT_DIRS = "/allowed"; process.env.DATA_DIR = ""; @@ -224,7 +145,7 @@ describe("security.ts", () => { expect(result).toBe(path.resolve("/allowed/file.txt")); }); - it("should throw error for disallowed paths", async () => { + it("should not throw error for any path (permissions disabled)", async () => { process.env.ALLOWED_PROJECT_DIRS = "/allowed"; process.env.DATA_DIR = ""; @@ -233,25 +154,14 @@ describe("security.ts", () => { ); initAllowedPaths(); - expect(() => validatePath("/disallowed/file.txt")).toThrow("Access denied"); - expect(() => validatePath("/disallowed/file.txt")).toThrow( - "not in an allowed directory" + // All paths are now allowed, no errors thrown + expect(() => validatePath("/disallowed/file.txt")).not.toThrow(); + expect(validatePath("/disallowed/file.txt")).toBe( + path.resolve("/disallowed/file.txt") ); }); - it("should include the file path in error message", async () => { - process.env.ALLOWED_PROJECT_DIRS = "/allowed"; - process.env.DATA_DIR = ""; - - const { initAllowedPaths, validatePath } = await import( - "@/lib/security.js" - ); - initAllowedPaths(); - - expect(() => validatePath("/bad/path.txt")).toThrow("/bad/path.txt"); - }); - - it("should resolve paths before validation", async () => { + it("should resolve relative paths", async () => { const cwd = process.cwd(); process.env.ALLOWED_PROJECT_DIRS = cwd; process.env.DATA_DIR = "";