[Coverage Report] Test Coverage Report — 2026-06-16 #5142
Closed
Replies: 2 comments
-
|
🔮 The ancient spirits stir; a smoke test agent passed through the GitHub mist and left this oracle-marked note. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
0 replies
-
|
This discussion was automatically closed because it expired on 2026-06-23T23:49:49.070Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage Statistics
Security-Critical Path Status
host-iptables.ts(façade)host-iptables-rules.tshost-iptables-shared.tshost-iptables-cleanup.tssquid-config.ts(façade)squid/access-rules.tssquid/acl-generator.tssquid/config-generator.tssquid/validation.tssquid/policy-manifest.tsdomain-patterns.tsdomain-matchers.tsdomain-validation.tsFile Coverage Table (files with branch coverage < 85%)
services/agent-volumes/etc-mounts.tsservices/agent-volumes/docker-host-staging.tslogs/audit-enricher.tscommands/validators/log-and-limits.tslogs/log-streamer.tsworkdir-setup.tsservices/agent-volumes/system-mounts.tsservices/host-path-prefix.tsconfig-writer.tshost-env.tspid-tracker.tscli.ts🔍 Notable Findings
1.
services/agent-volumes/etc-mounts.ts— Critical security gap (67.9% branches)This file controls which
/etcfiles are bind-mounted into the agent container, including/etc/passwdand/etc/group. It has 9 uncovered branch paths in DinD mode. The uncovered paths include:synthesizeIdentityFilesilently returningundefinedonmkdirSync/writeFileSyncfailure — the fallback to the real/etc/passwdis exercised but the synthesis failure path is notresolveUniqueNamecounter loop (counter > 1) when both the preferred name andpreferredName-idare already takenstagedPasswdContentisnull/undefinedafter staging but before synthesisA bug here could cause the wrong user identity files to be mounted (credential leakage or UID mismatch), which is a security-relevant failure mode.
2.
squid/policy-manifest.ts— 3 exported functions uncovered (70% functions)policy-manifest.tsgenerates the structured policy manifest used by the audit enricher to replay Squid ACL decisions. 3 of 10 functions are never called in tests. The uncovered functions appear to be internal helpers for the less common protocol-specific branch paths (patternsByProto.http,patternsByProto.https,domainsByProto.http,domainsByProto.https) and the DLP/blocked-domains branches.Because the audit enricher relies on this manifest to attribute allow/deny decisions to specific rules, missing coverage means some policy shapes are never tested end-to-end through enrichment.
3.
logs/audit-enricher.ts— 15 uncovered branches (74.1%)The enricher replays Squid ACL evaluation order to identify which rule matched each log entry. Its 15 uncovered branches include edge cases in
domainMatchesRule: regex match failure paths, thedomain === '-'guard (placeholder used when no domain is captured), andmatchedRuleIdfallback tounknownwhen no rule matches. These paths affect the accuracy of firewall audit reports.4.
workdir-setup.ts— Symlink-check error paths not tested (79.6% branches)workdir-setup.tscontains explicit symlink-rejection guards inensureDirectoryandassertRealDirectory(thelstat.isSymbolicLink()+!stat.isDirectory()checks). These security-relevant error throws are not covered — an attacker-controlled symlink in the work directory could potentially redirect config writes; the test suite does not verify that these guards fire and throw correctly.📈 Recommendations
🔴 High — Add tests for
etc-mounts.tsDinD branch pathsTarget:
services/agent-volumes/etc-mounts.ts— 9 uncovered branchesWhy: Controls identity file exposure in the container. A failure here (wrong
/etc/passwdstaged) is a security concern.Action: Add unit tests that mock
fs.mkdirSyncandfs.writeFileSyncto throw, verify fallback to host/etc/passwd; add a test where bothrunnerandrunner-<uid>names already exist in a staged passwd to exercise the counter loop inresolveUniqueName.🟡 Medium — Cover
squid/policy-manifest.tsprotocol-specific and DLP branchesTarget:
squid/policy-manifest.ts— 3 uncovered functions, 4 uncovered branchesWhy: This manifest drives all audit enrichment. Untested branches mean certain policy shapes (HTTP-only domains, HTTPS-only domains, blocked-domain patterns, DLP-enabled configs) are never validated end-to-end.
Action: Add test cases to
squid/policy-manifest.test.ts(or create it) covering:enableDlp: true, explicitblockedDomainswith regex patterns, and configs wheredomainsByProto.httpanddomainsByProto.httpsare both populated.🟢 Low — Cover symlink-rejection paths in
workdir-setup.tsTarget:
workdir-setup.ts— 11 uncovered branchesWhy: The symlink guards prevent config-file redirection attacks. While exploitation requires prior write access to the work directory, covering these paths also documents the intended invariant.
Action: Use
jest.spyOn(fs, 'lstatSync')to return{ isSymbolicLink: () => true }and verify thatensureDirectoryandassertRealDirectorythrow the expected error messages.Beta Was this translation helpful? Give feedback.
All reactions