From 9131b0004e7c640cc028179e1d049a4c62210d94 Mon Sep 17 00:00:00 2001 From: James O'Doherty Date: Fri, 22 May 2026 10:46:02 -0400 Subject: Security hardening: prevent shell injection and null-byte crashes, implement 8-bit clean argument fuzzing and portable E2E binary discovery --- tests/e2e/fuzz_args_test.go | 52 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 tests/e2e/fuzz_args_test.go (limited to 'tests/e2e/fuzz_args_test.go') diff --git a/tests/e2e/fuzz_args_test.go b/tests/e2e/fuzz_args_test.go new file mode 100644 index 0000000..0d4a45b --- /dev/null +++ b/tests/e2e/fuzz_args_test.go @@ -0,0 +1,52 @@ +package e2e + +import ( + "fmt" + "os/exec" + "strings" + "testing" +) + +func FuzzArgumentIntegrity(f *testing.F) { + binaryPath := GetBinaryPath() + + f.Add("; rm -rf /") + f.Add("$(whoami)") + f.Add(" spaced ") + f.Add("\"'\"'\"") + f.Add("\x00null\x00") + + f.Fuzz(func(t *testing.T, payload string) { + out, err := exec.Command(binaryPath, "test-args", payload).CombinedOutput() + + if strings.Contains(payload, "\x00") { + if err != nil || strings.Contains(string(out), "contains null byte") { + return + } + } + + if err != nil { + // If we hit a system limit (like disk quota in /tmp during heavy fuzzing), + // it's an environmental issue, not a bug in our binary. + if strings.Contains(string(out), "disk quota exceeded") || + strings.Contains(string(out), "no space left on device") { + return + } + t.Fatalf("Binary crashed for payload %q: %v\nOutput: %s", payload, err, string(out)) + } + + lines := strings.Split(strings.TrimSpace(string(out)), "\n") + if len(lines) < 3 { + t.Fatalf("Unexpected output format for payload %q\nOutput: %s", payload, string(out)) + } + + parts := strings.Split(lines[len(lines)-1], ":") + if len(parts) < 2 { + t.Fatalf("Malformed hex line for payload %q: %s", payload, lines[len(lines)-1]) + } + + if parts[1] != fmt.Sprintf("%x", payload) { + t.Errorf("8-bit mismatch!\nSent Hex: %s\nRecv Hex: %s\nPayload: %q", fmt.Sprintf("%x", payload), parts[1], payload) + } + }) +} -- cgit v1.2.3