From e373037a2a1891eb45df9e11c638817888fad65c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 20 Apr 2026 12:07:42 +0200
Subject: [PATCH] test: remove GHSA advisory IDs from test descriptions and comments
Strip advisory identifiers (GHSA-*) from describe blocks, test docblocks, and inline comments. Replace with plain descriptive labels. Also clean up FQCNs to use imported class names and minor style fixes (string concatenation spacing).
---
 .../Feature/CommandInjectionSecurityTest.php | 2 +-
 .../CrossTeamIdorServerProjectTest.php | 34 +++++++++++-------
 tests/Feature/HetznerApiTest.php | 2 +-
 tests/Unit/FileStorageSecurityTest.php | 2 +-
 tests/Unit/GitRefValidationTest.php | 2 +-
 tests/Unit/InsecurePrngArchTest.php | 2 --
 tests/Unit/LogDrainCommandInjectionTest.php | 2 +-
 tests/Unit/PersistentVolumeSecurityTest.php | 1 -
 .../Unit/S3StorageEndpointValidationTest.php | 8 ++---
 9 files changed, 28 insertions(+), 27 deletions(-)
diff --git a/tests/Feature/CommandInjectionSecurityTest.php b/tests/Feature/CommandInjectionSecurityTest.php
index bbd69ecfe..d48e03332 100644
--- a/tests/Feature/CommandInjectionSecurityTest.php
+++ b/tests/Feature/CommandInjectionSecurityTest.php
@@ -676,7 +676,7 @@
 });
 });
-describe('install/build/start command validation (GHSA-9pp4-wcmj-rq73)', function () {
+describe('install/build/start command validation', function () {
 test('rejects semicolon injection in install_command', function () {
 $rules = sharedDataApplications();
diff --git a/tests/Feature/CrossTeamIdorServerProjectTest.php b/tests/Feature/CrossTeamIdorServerProjectTest.php
index 671397a1e..90e54f053 100644
--- a/tests/Feature/CrossTeamIdorServerProjectTest.php
+++ b/tests/Feature/CrossTeamIdorServerProjectTest.php
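Review bot: Dropping the advisory identifier from the `describe` label removes the only link from this regression block back to the advisory it guards, and neither the new label nor the commit description says where that mapping now lives. For security regression tests that link is what lets a responder find the covering test when an advisory is revisited, so if the goal is to keep identifiers out of test names and output, the mapping should be kept out of band (an internal tracker, or a note in the advisory record pointing at the test file) rather than discarded; one sentence in the commit description naming that location would be enough. The same applies to the relabelled blocks and comments in CrossTeamIdorServerProjectTest, HetznerApiTest, FileStorageSecurityTest, GitRefValidationTest, InsecurePrngArchTest, LogDrainCommandInjectionTest, PersistentVolumeSecurityTest and S3StorageEndpointValidationTest.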
@@ -1,15 +1,19 @@ $this->teamA]);
 });
-describe('Boarding Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+describe('Boarding Server IDOR', function () {
 test('boarding mount cannot load server from another team via selectedExistingServer', function () {
 $component = Livewire::test(BoardingIndex::class, [
 'selectedServerType' => 'remote',
@@ -62,7 +66,7 @@
 });
 });
-describe('Boarding Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+describe('Boarding Project IDOR', function () {
 test('boarding mount cannot load project from another team via selectedProject', function () {
 $component = Livewire::test(BoardingIndex::class, [
 'selectedProject' => $this->projectB->id,
@@ -91,7 +95,7 @@
 });
 });
-describe('GlobalSearch Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+describe('GlobalSearch Server IDOR', function () {
 test('loadDestinations cannot access server from another team', function () {
 $component = Livewire::test(GlobalSearch::class)
 ->set('selectedServerId', $this->serverB->id)
@@ -102,7 +106,7 @@
 });
 });
-describe('GlobalSearch Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+describe('GlobalSearch Project IDOR', function () {
 test('loadEnvironments cannot access project from another team', function () {
 $component = Livewire::test(GlobalSearch::class)
 ->set('selectedProjectUuid', $this->projectB->uuid)
@@ -113,11 +117,11 @@
 });
 });
-describe('DeleteProject IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+describe('DeleteProject IDOR', function () {
 test('cannot mount DeleteProject with project from another team', function () {
 // Should throw ModelNotFoundException (404) because team-scoped query won't find it
 Livewire::test(DeleteProject::class, ['project_id' => $this->projectB->id]);
-})->throws(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
+})->throws(ModelNotFoundException::class);
 test('can mount DeleteProject with own team project', function () {
 $component = Livewire::test(DeleteProject::class, ['project_id' => $this->projectA->id]);
@@ -126,14 +130,14 @@
 });
 });
-describe('CloneMe Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+describe('CloneMe Project IDOR', function () {
 test('cannot mount CloneMe with project UUID from another team', function () {
 // Should throw ModelNotFoundException because team-scoped query won't find it
 Livewire::test(CloneMe::class, [
 'project_uuid' => $this->projectB->uuid,
 'environment_uuid' => $this->environmentB->uuid,
 ]);
-})->throws(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
+})->throws(ModelNotFoundException::class);
 test('can mount CloneMe with own team project UUID', function () {
 $component = Livewire::test(CloneMe::class, [
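Review bot: `->throws(ModelNotFoundException::class)` now depends on a `use Illuminate\Database\Eloquent\ModelNotFoundException;` statement that is not visible here; this file's first hunk (`@@ -1,15 +1,19 @@`, four added lines) is cut off in this view and presumably adds it, which is worth confirming before merge. Unlike a missing import on a static call, `::class` on an unimported name does not fail loudly: it resolves at compile time against the current namespace (to the bare string `'ModelNotFoundException'` if the test file has none) without autoloading, so the expectation would then fail because the thrown exception is not an instance of that name, and the IDOR regression would read as a test bug rather than as a missing import. The same check applies to the `CloneMe Project IDOR` hunk below and to `Application`, `ApplicationDeploymentQueue` and `ApplicationDeploymentStatus` in the `DeployController API Server IDOR` hunk.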
@@ -145,27 +149,27 @@
 });
 });
-describe('DeployController API Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+describe('DeployController API Server IDOR', function () {
 test('deploy cancel API cannot access build server from another team', function () {
 // Create a deployment queue entry that references Team B's server as build_server
- $application = \App\Models\Application::factory()->create([
+ $application = Application::factory()->create([
 'environment_id' => $this->environmentA->id,
 'destination_id' => StandaloneDocker::factory()->create(['server_id' => $this->serverA->id])->id,
 'destination_type' => StandaloneDocker::class,
 ]);
- $deployment = \App\Models\ApplicationDeploymentQueue::create([
+ $deployment = ApplicationDeploymentQueue::create([
 'application_id' => $application->id,
- 'deployment_uuid' => 'test-deploy-' . fake()->uuid(),
+ 'deployment_uuid' => 'test-deploy-'.fake()->uuid(),
 'server_id' => $this->serverA->id,
 'build_server_id' => $this->serverB->id, // Cross-team build server
- 'status' => \App\Enums\ApplicationDeploymentStatus::IN_PROGRESS->value,
+ 'status' => ApplicationDeploymentStatus::IN_PROGRESS->value,
 ]);
 $token = $this->userA->createToken('test-token', ['*']);
 $response = $this->withHeaders([
- 'Authorization' => 'Bearer ' . $token->plainTextToken,
+ 'Authorization' => 'Bearer '.$token->plainTextToken,
 ])->deleteJson("/api/v1/deployments/{$deployment->deployment_uuid}");
 // The cancellation should proceed but the build_server should NOT be found
@@ -176,7 +180,7 @@
 // Verify the deployment was cancelled
 $deployment->refresh();
 expect($deployment->status)->toBe(
- \App\Enums\ApplicationDeploymentStatus::CANCELLED_BY_USER->value
+ ApplicationDeploymentStatus::CANCELLED_BY_USER->value
 );
 });
 });
diff --git a/tests/Feature/HetznerApiTest.php b/tests/Feature/HetznerApiTest.php
index 3e8555b11..b5950f9fc 100644
--- a/tests/Feature/HetznerApiTest.php
+++ b/tests/Feature/HetznerApiTest.php
@@ -447,7 +447,7 @@
 });
 });
-describe('GHSA-m8wx-q63q-3w6c — error responses do not leak exception details', function () {
+describe('error responses do not leak exception details', function () {
 test('locations endpoint returns generic 500 message on upstream failure', function () {
 Http::fake([
 'https://api.hetzner.cloud/v1/locations*' => Http::response([
diff --git a/tests/Unit/FileStorageSecurityTest.php b/tests/Unit/FileStorageSecurityTest.php
index 192ea8c8f..1e08ebbe7 100644
--- a/tests/Unit/FileStorageSecurityTest.php
+++ b/tests/Unit/FileStorageSecurityTest.php
@@ -92,7 +92,7 @@
 ->not->toThrow(Exception::class);
 });
-// --- Regression tests for GHSA-46hp-7m8g-7622 ---
+// --- Regression tests for file mount path validation ---
 // These verify that file mount paths (not just directory mounts) are validated,
 // and that saveStorageOnServer() validates fs_path before any shell interpolation.
diff --git a/tests/Unit/GitRefValidationTest.php b/tests/Unit/GitRefValidationTest.php
index f82dcb863..f5245d819 100644
--- a/tests/Unit/GitRefValidationTest.php
+++ b/tests/Unit/GitRefValidationTest.php
@@ -4,7 +4,7 @@
 use App\Models\ApplicationSetting;
 /**
- * Security tests for git ref validation (GHSA-mw5w-2vvh-mgf4).
+ * Tests for git ref validation.
 *
 * Ensures that git_commit_sha and related inputs are validated
 * to prevent OS command injection via shell metacharacters.
diff --git a/tests/Unit/InsecurePrngArchTest.php b/tests/Unit/InsecurePrngArchTest.php
index 3209ba0a0..1d5ce94bf 100644
--- a/tests/Unit/InsecurePrngArchTest.php
+++ b/tests/Unit/InsecurePrngArchTest.php
@@ -5,8 +5,6 @@
 *
 * mt_rand() and rand() are not cryptographically secure. Use random_int()
 * or random_bytes() instead for any security-sensitive context.
- *
- * @see GHSA-33rh-4c9r-74pf
 */
 arch('app code must not use mt_rand')
 ->expect('App')
diff --git a/tests/Unit/LogDrainCommandInjectionTest.php b/tests/Unit/LogDrainCommandInjectionTest.php
index 5beef1a4b..9610f3351 100644
--- a/tests/Unit/LogDrainCommandInjectionTest.php
+++ b/tests/Unit/LogDrainCommandInjectionTest.php
@@ -5,7 +5,7 @@
 use App\Models\ServerSetting;
 // -------------------------------------------------------------------------
-// GHSA-3xm2-hqg8-4m2p: Verify log drain env values are base64-encoded
+// Verify log drain env values are base64-encoded
 // and never appear raw in shell commands
 // -------------------------------------------------------------------------
diff --git a/tests/Unit/PersistentVolumeSecurityTest.php b/tests/Unit/PersistentVolumeSecurityTest.php
index 287045534..ed1d16bbf 100644
--- a/tests/Unit/PersistentVolumeSecurityTest.php
+++ b/tests/Unit/PersistentVolumeSecurityTest.php
@@ -6,7 +6,6 @@
 * Tests to ensure persistent volume names are validated against command injection
 * and that shell commands properly escape volume names.
 *
- * Related Advisory: GHSA-mh8x-fppq-cp77
 * Related Files:
 * - app/Models/LocalPersistentVolume.php
 * - app/Support/ValidationPatterns.php
diff --git a/tests/Unit/S3StorageEndpointValidationTest.php b/tests/Unit/S3StorageEndpointValidationTest.php
index 9ffba6a30..054606a25 100644
--- a/tests/Unit/S3StorageEndpointValidationTest.php
+++ b/tests/Unit/S3StorageEndpointValidationTest.php
@@ -8,14 +8,14 @@
 uses(TestCase::class);
 /**
- * Regression tests for GHSA-pwm4-w33c-wjf3 — SSRF via S3 Storage endpoint.
+ * Regression tests for SSRF via S3 Storage endpoint.
 *
 * The Livewire forms (Create.php, Form.php) and the model-level defense in
 * S3Storage::testConnection() share the same SafeWebhookUrl rule. These tests
- * assert the rule rejects the concrete payloads from the advisory PoC and
- * that the model refuses to build an S3 client for an unsafe endpoint.
+ * assert the rule rejects the concrete payloads and that the model refuses to
+ * build an S3 client for an unsafe endpoint.
 */
-it('rejects SSRF payloads from the GHSA-pwm4-w33c-wjf3 advisory', function (string $endpoint) {
+it('rejects SSRF payloads on the S3 endpoint', function (string $endpoint) {
 $validator = Validator::make(
 ['endpoint' => $endpoint],
 ['endpoint' => ['required', 'max:255', new SafeWebhookUrl]],
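Review bot: With "from the advisory PoC" removed, the rewritten docblock line "assert the rule rejects the concrete payloads" no longer says which payloads are meant, so the sentence reads as if something is missing. The closure takes a `string $endpoint`, so the payloads are presumably the cases supplied by a dataset after the closure, which is outside this hunk. Suggest ` * assert the rule rejects every endpoint in the test's dataset and that the model refuses to` so the sentence keeps a referent without naming the advisory.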