[Coverage Report] gh-aw-firewall — 2026-06-17 #5143
Closed
Replies: 2 comments
-
|
🔮 The ancient spirits stir, and the smoke test agent was here. The omens are observed, the path is traced, and the run continues in balance.
|
Beta Was this translation helpful? Give feedback.
0 replies
-
|
This discussion was automatically closed because it expired on 2026-06-24T00:27:10.454Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage — 2026-06-17
Configured thresholds in
jest.config.js: branches ≥ 30%, functions ≥ 35%, lines/statements ≥ 38%.Security-Critical File Status
host-iptables-rules.tshost-iptables-shared.tshost-iptables-cleanup.tssquid/acl-generator.tssquid/access-rules.tssquid/domain-acl.tssquid/validation.tsdomain-patterns.tssquid/policy-manifest.tsservices/agent-volumes/etc-mounts.tsFiles Below 80% Branch Coverage
services/agent-volumes/etc-mounts.tsservices/agent-volumes/docker-host-staging.tslogs/audit-enricher.tsservices/agent-volumes/system-mounts.tscommands/validators/log-and-limits.tslogs/log-streamer.tscli.tssquid/policy-manifest.ts🔍 Notable Findings
1.
squid/policy-manifest.ts— 3 uncovered functions (70% function coverage)The
generatePolicyManifestfunction assembles the full Squid ACL policy at runtime. Three inline callbacks remain uncovered, corresponding to three distinct policy code paths:blockedDomainsbranch, lines 131–158): neitherdeny-blocked-plainnordeny-blocked-regexrules are exercised by tests. These rules implement the--block-domainsflag — a hard-deny list that should be exercised in isolation from the allow-list.both-protocol path; the(redacted) andhttps://protocol-prefix paths throughdomainsByProto.http/domainsByProto.https` are untested. These were added to prevent over-broad allowlisting (see fix: add bare API proxy targets as https:// only to prevent over-broad allowlisting #5130) and have no test coverage in the manifest generator.2.
services/agent-volumes/etc-mounts.ts— 67.9% branch coverage (19/28)This module controls which
/etcidentity files (passwd,group) are bind-mounted into the agent container. The uncovered branches are all within the DinD staging path (lines 75–123):/etc/passwdwhen the runner has noneresolveUniqueNamecounter-increment loop (thewhilebody, line 54)readFileContentreturningundefinedfor a staged filesynthesizeIdentityFilesilently returningundefinedonmkdirSyncfailureThese paths are reachable in ARC/DinD environments where the runner filesystem is minimal. An untested failure in this module could cause the agent to run with a missing or malformed
/etc/passwd, breaking UID-to-username resolution inside the container.3.
domain-patterns.ts— 2 uncovered branches after recent refactor (commit777ee828)The
wildcardToRegexfunction'sswitchstatement has 2 uncovered branches. Based on the character-class cases (lines 111–128), the un-hit cases are likely some of the less-common regex metacharacter escapes (e.g.,+,{,|,\). Domain pattern normalization is a classic ACL-bypass surface — a missed escape could allow a crafted domain name to match unintended entries in Squid'sdstdom_regexACL.4.
logs/audit-enricher.ts— 74.1% branch coverage (43/58), 83.6% statement coverageThe audit enricher joins Squid access-log entries with the policy manifest for security reporting. With ~26% of branches uncovered, log entries for certain policy rule types (e.g.,
deny-dlp,deny-blocked-regex) may not be correctly attributed in audit output. This creates a gap in post-incident forensics rather than a runtime security risk, but it means the audit trail is unverified for some denial categories.📈 Recommendations
🔴 High — Add tests for blocked-domain and protocol-specific paths in
squid/policy-manifest.tsWrite tests that call
generatePolicyManifestwith:blockedDomainsarray (exercisesdeny-blocked-plain+deny-blocked-regexrules)(redacted) andhttps://` (exercises the protocol-split allow rules)This raises function coverage from 70% to ~100% and directly validates that the
--block-domainsflag generates the correct ACL order.🟡 Medium — Cover DinD edge cases in
services/agent-volumes/etc-mounts.tsMock
stageHostFileto returnundefined(missing file on runner) and mocksynthesizeIdentityFileto returnundefined(disk-write failure). Also add a test where the stagedpasswd/groupalready contains the runner UID/GID — confirming no duplicate entry is appended. These scenarios are realistic in ARC-DinD runners and currently have zero coverage.🟢 Low — Close the 2 remaining branches in
domain-patterns.tspost-refactorAdd test cases to
wildcardToRegexfor domains containing+,{,|, and\characters. These are edge-case inputs but confirm the ReDoS-prevention logic isn't accidentally defeated by uncommon metacharacters. Given the recent refactor (#5063), a quick targeted test pass would confirm the split didn't silently drop any escape handling.Beta Was this translation helpful? Give feedback.
All reactions