bashrs 6.66.0

Rust-to-Shell transpiler for deterministic bootstrap scripts

use super::*;

/// SEC019 baseline: a bare `$user_input` passed to `echo` yields exactly one
/// warning, and that warning names the variable.
///
/// An unquoted expansion is subject to word splitting and pathname expansion,
/// so its value can turn into extra arguments or glob matches. That is the
/// "injection risk" the message is expected to mention.
#[test]
fn test_SEC019_001_unquoted_variable_detected() {
    let outcome = check("echo $user_input");
    let findings = &outcome.diagnostics;

    assert_eq!(findings.len(), 1);

    let finding = &findings[0];
    assert_eq!(finding.code, "SEC019");
    assert_eq!(finding.severity, Severity::Warning);
    // The message must carry both the risk wording and the offending name,
    // otherwise the report is not actionable.
    for needle in ["injection risk", "user_input"] {
        assert!(finding.message.contains(needle));
    }
}

/// Negative case: the same expansion inside double quotes produces no finding.
///
/// Double quotes still expand the variable but suppress word splitting and
/// pathname expansion, so the value stays a single argument.
#[test]
fn test_SEC019_002_quoted_variable_safe() {
    let outcome = check(r#"echo "$user_input""#);
    let finding_count = outcome.diagnostics.len();

    assert_eq!(finding_count, 0, "Quoted variables are safe");
}

/// Negative case: `$user_input` inside single quotes is literal text, not an
/// expansion, so the rule must stay silent.
#[test]
fn test_SEC019_003_single_quoted_safe() {
    let outcome = check("echo '$user_input'");
    let finding_count = outcome.diagnostics.len();

    assert_eq!(finding_count, 0, "Single quotes prevent expansion");
}

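/// The braced form `${user_input}` is reported the same way as `$user_input`.
///
/// Braces only delimit the variable name. They do not quote the expansion, so
/// the unquoted braced form must produce one SEC019 finding that names the
/// variable.
#[test]
fn test_SEC019_004_brace_expansion_unquoted() {
    let script = "echo ${user_input}";
    let result = check(script);

    assert_eq!(result.diagnostics.len(), 1);
    let diag = &result.diagnostics[0];
    // Pin the rule code as the plain `$var` test does, so a finding with a
    // different code that happens to mention the name cannot satisfy this test.
    assert_eq!(diag.code, "SEC019");
    assert!(diag.message.contains("user_input"));
}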

/// Negative case: a braced expansion inside double quotes produces no finding.
#[test]
fn test_SEC019_005_brace_expansion_quoted() {
    let outcome = check(r#"echo "${user_input}""#);
    let finding_count = outcome.diagnostics.len();

    assert_eq!(finding_count, 0);
}

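/// Every unquoted expansion on a line is reported, not just the first one.
///
/// A bare count of three would also pass if one variable were reported three
/// times, so the test additionally requires each variable name to appear in
/// some finding's message.
#[test]
fn test_SEC019_006_multiple_unquoted_variables() {
    let script = "echo $var1 $var2 $var3";
    let result = check(script);

    assert_eq!(
        result.diagnostics.len(),
        3,
        "Should detect all 3 unquoted variables"
    );

    // Order of findings is not assumed; only that each name is covered.
    for name in ["var1", "var2", "var3"] {
        assert!(
            result.diagnostics.iter().any(|d| d.message.contains(name)),
            "no diagnostic mentions {}",
            name
        );
    }
}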

/// The special parameters `$?`, `$#`, `$$`, `$@` and `$*` are outside SEC019's
/// scope and must not be reported.
///
/// NOTE(review): this pins what the rule ignores; it is not a general safety
/// claim. Unquoted `$@` and `$*` still undergo word splitting and pathname
/// expansion in the shell. Presumably a different lint covers them; confirm
/// against the rest of the rule set.
#[test]
fn test_SEC019_007_special_variables_ignored() {
    let outcome = check("echo $? $# $$ $@ $*");
    let finding_count = outcome.diagnostics.len();

    assert_eq!(finding_count, 0, "Special variables are safe");
}

/// Names used inside `$(( ... ))` are not reported as unquoted expansions.
///
/// NOTE(review): this covers the quoting concern only. The shell evaluates the
/// contents of operands in an arithmetic context as expressions, so values
/// that originate from untrusted input should still be validated as integers
/// before they reach `$(( ))`.
#[test]
fn test_SEC019_008_arithmetic_expansion_safe() {
    let outcome = check("result=$((x + y))");
    let finding_count = outcome.diagnostics.len();

    assert_eq!(finding_count, 0, "Arithmetic expansions are safe");
}

/// An unquoted variable inside `[[ ... ]]` is not reported.
///
/// `[[ ]]` does not apply word splitting or pathname expansion to its
/// operands. The sample puts the variable on the left of `==`; an unquoted
/// right-hand operand would be treated as a pattern, which this test does not
/// exercise.
#[test]
fn test_SEC019_009_test_context_safe() {
    let outcome = check("[[ $var == value ]]");
    let finding_count = outcome.diagnostics.len();

    assert_eq!(finding_count, 0, "Variables in [[ ]] are safe");
}

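/// An unquoted variable passed to a destructive command is still reported.
///
/// With `rm -rf $directory`, an empty value or one containing whitespace or
/// glob characters changes which paths are removed. The test pins that the
/// finding names the variable and that its severity is `Warning` in this
/// context as well.
#[test]
fn test_SEC019_010_command_in_dangerous_context() {
    let script = "rm -rf $directory";
    let result = check(script);

    assert_eq!(result.diagnostics.len(), 1);
    let diag = &result.diagnostics[0];
    // Pin the rule code as the `echo` baseline test does, so the finding is
    // known to come from SEC019 and not from another check.
    assert_eq!(diag.code, "SEC019");
    assert!(diag.message.contains("directory"));
    assert_eq!(diag.severity, Severity::Warning);
}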