92a8f5d894
Tests cover: - Smoke: /health, /auth/status, /distill/status (test_health.py) - Persona validation: path traversal, bad names, list_personas (test_persona.py) - Chat API: persona routing, session persistence, error handling (test_api_chat.py) - Files API: ALLOWED set enforcement, read/write, missing files (test_api_files.py) - Webhooks: NC Talk HMAC accept/reject, Google Chat JWT (test_webhooks.py) - Tools: scratch read/write/append/clear, tasks CRUD, cron parser + tools (test_tools.py) - Security: path traversal, replay attack, known gaps documented (test_security.py) All LLM calls mocked — suite runs in ~1.4s. Run: cd cortex && .venv/bin/pytest Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
127 lines
4.8 KiB
Python
127 lines
4.8 KiB
Python
"""
|
|
Security-focused tests — what should be blocked or rejected.
|
|
|
|
These document the current security posture and will catch regressions.
|
|
Tests marked 'known_gap' document real issues that are not yet fixed;
|
|
they assert the current (insecure) behaviour so we notice when it changes.
|
|
"""
|
|
import pytest
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Path traversal
|
|
# ---------------------------------------------------------------------------
|
|
|
|
@pytest.mark.anyio
|
|
async def test_files_no_path_traversal_in_filename(client):
|
|
"""File endpoint must not serve files outside the ALLOWED set."""
|
|
dangerous = [
|
|
"../config.py",
|
|
"../../etc/passwd",
|
|
"SOUL.md/../config.py",
|
|
".env",
|
|
"TASKS.json",
|
|
"CRONS.json",
|
|
]
|
|
for name in dangerous:
|
|
r = await client.get(f"/files/{name}")
|
|
assert r.status_code in (404, 422), \
|
|
f"Expected 404/422 for {name!r}, got {r.status_code}"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_persona_traversal_blocked_in_chat(client, mock_llm):
|
|
"""Path traversal in persona name must be rejected before any file access."""
|
|
for bad in ("../inara", "../../etc", "inara/../inara", "inara\x00extra"):
|
|
r = await client.post("/chat", json={"message": "hi", "persona": bad})
|
|
assert r.status_code == 200 # SSE stream, not HTTP error
|
|
import json
|
|
for line in r.text.splitlines():
|
|
if line.startswith("data: "):
|
|
event = json.loads(line[6:])
|
|
if event.get("type") == "error":
|
|
break
|
|
else:
|
|
pytest.fail(f"Expected error event for persona={bad!r}, got: {r.text[:200]}")
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_orchestrate_path_traversal(client, mock_llm):
|
|
r = await client.post("/orchestrate", json={"task": "hi", "persona": "../../etc"})
|
|
assert r.status_code == 400
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Signature verification
|
|
# ---------------------------------------------------------------------------
|
|
|
|
@pytest.mark.anyio
|
|
async def test_nct_replayed_request_rejected(client):
|
|
"""A request with correct format but wrong HMAC should always be rejected."""
|
|
import json, hashlib, hmac as hmac_lib
|
|
payload = json.dumps({"type": "Create", "actor": {}, "object": {}, "target": {}}).encode()
|
|
# Use wrong secret to generate sig
|
|
wrong_sig = hmac_lib.new(b"wrong-secret", b"abc123" + payload, hashlib.sha256).hexdigest()
|
|
from unittest.mock import patch
|
|
with patch("config.settings.nextcloud_talk_bot_secret", "correct-secret"):
|
|
r = await client.post(
|
|
"/inara-nextcloud-talk-webhook",
|
|
content=payload,
|
|
headers={
|
|
"Content-Type": "application/json",
|
|
"X-Nextcloud-Talk-Random": "abc123",
|
|
"X-Nextcloud-Talk-Signature": wrong_sig,
|
|
},
|
|
)
|
|
assert r.status_code == 401
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Known gaps — document current behaviour, alert when it changes
|
|
# ---------------------------------------------------------------------------
|
|
|
|
@pytest.mark.anyio
|
|
async def test_known_gap__distill_no_app_auth(client):
|
|
"""
|
|
KNOWN GAP: /distill/* has no app-layer auth.
|
|
Anyone reaching port 8000 directly can trigger LLM calls and overwrite memory.
|
|
Protection is currently nginx-only.
|
|
This test documents the current state — update when app-layer auth is added.
|
|
"""
|
|
r = await client.get("/distill/status")
|
|
assert r.status_code == 200 # currently open
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_known_gap__files_put_no_app_auth(client):
|
|
"""
|
|
KNOWN GAP: PUT /files/{filename} has no app-layer auth.
|
|
Overwriting SOUL.md or IDENTITY.md changes agent behavior.
|
|
Protection is currently nginx-only.
|
|
"""
|
|
r = await client.put("/files/PROTOCOLS.md", json={"content": "# Modified"})
|
|
assert r.status_code == 200 # currently open
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_known_gap__gchat_no_audience_bypass(client, mock_llm):
|
|
"""
|
|
KNOWN GAP: Google Chat JWT verification is silently skipped when
|
|
GOOGLE_CHAT_AUDIENCE is empty (the default). Anyone can POST and get
|
|
LLM responses without a valid token.
|
|
Fix: make audience required; fail loudly if not set.
|
|
"""
|
|
from unittest.mock import patch
|
|
with patch("config.settings.google_chat_audience", ""):
|
|
r = await client.post("/channels/google-chat", json={
|
|
"chat": {
|
|
"messagePayload": {
|
|
"message": {"text": "Exploit"},
|
|
"space": {"name": "spaces/x", "type": "DM"},
|
|
},
|
|
"user": {"displayName": "Attacker"},
|
|
}
|
|
})
|
|
# This currently succeeds — it should not when audience is unconfigured
|
|
assert r.status_code == 200 # documents the gap
|