[test-improver] Improve tests for server session path-validation

[github-actions]

File Analyzed

• Test File: internal/server/session_util_test.go
• Package: internal/server
• Lines of Code: 49 → 89 (+40 lines)

Improvements Made

1. Increased Coverage — Direct tests for isSinglePathSegmentSessionID

isSinglePathSegmentSessionID is a security-critical function that prevents path-traversal attacks on session-ID-based filesystem paths. It was previously only exercised indirectly through HTTP handler integration tests, leaving it at 66.7% coverage.

• ✅ Added TestIsSinglePathSegmentSessionID with 15 table-driven sub-tests
• ✅ Covers the first guard: empty string, single-dot, double-dot
• ✅ Covers the second guard: absolute paths (/etc/passwd, /)
• ✅ Covers the third guard: forward-slash traversal, relative traversal (../etc), current-dir prefix (./session), backslash traversal
• ✅ Covers the happy path: simple IDs, UUID format, API key format, hex tokens, numeric strings

Coverage for isSinglePathSegmentSessionID: 66.7% → 88.9%

The remaining 11.1% is a single unreachable branch on Linux — the filepath.Base guard is defence-in-depth code that only activates on Windows-style paths, which are fully blocked by earlier checks on Linux.

2. Better Testing Patterns

• ✅ Table-driven test using t.Run sub-tests for clear per-case failure messages
• ✅ Descriptive sub-test names explain both input and expected outcome
• ✅ Grouped cases by the guard they exercise (dot-special, absolute-path, path-separator, valid)
• ✅ Consistent testify assert.Equal assertions

Test Execution

All tests pass:

=== RUN   TestIsSinglePathSegmentSessionID
--- PASS: TestIsSinglePathSegmentSessionID (0.00s)
    --- PASS: .../empty_string
    --- PASS: .../single_dot
    --- PASS: .../double_dot
    --- PASS: .../absolute_path
    --- PASS: .../root_slash
    --- PASS: .../forward_slash_traversal
    --- PASS: .../relative_traversal
    --- PASS: .../current-dir_prefix
    --- PASS: .../backslash_traversal
    --- PASS: .../simple_session_ID
    --- PASS: .../UUID_format
    --- PASS: .../API_key_format
    --- PASS: .../hex_token
    --- PASS: .../single_character
    --- PASS: .../numeric_string
ok  github.com/github/gh-aw-mcpg/internal/server  5.3s

Overall package coverage: 93.6% → 93.8%

Why These Changes?

isSinglePathSegmentSessionID guards session IDs used to construct filesystem paths under the payload directory. Without direct tests, regressions in this logic (which prevents path-traversal attacks) would only be caught by indirect HTTP handler tests that may not exercise all the security-relevant branches. Direct table-driven tests make the intent explicit and ensure each guard is independently verified.

---

Generated by Test Improver Workflow
Focuses on better patterns, increased coverage, and more stable tests

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• index.crates.io

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "index.crates.io"

See Network Configuration for more information.

Generated by Test Improver · 913.4 AIC · ⊞ 29.5K · ◷

[Copilot]

Pull request overview

Adds direct, table-driven unit coverage for isSinglePathSegmentSessionID, the session-ID path validation helper used by the server to prevent path traversal when constructing session-scoped filesystem paths.

Changes:

• Introduces TestIsSinglePathSegmentSessionID with table-driven subtests covering dot-special, absolute-path, and path-separator rejection cases plus common “valid” IDs.
• Improves security regression coverage by explicitly testing inputs like ../etc, ./session, /, and path\traversal.

Show a summary per file

File	Description
internal/server/session_util_test.go	Adds focused table-driven tests for session ID single-segment/path-traversal validation.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 0