test: Update tests for security hardening changes

crivetimihai · crivetimihai · commit e1bb7dffcbc2 · 2025-10-10T21:01:40.000+01:00
Update tests to validate the security improvements:
- config_test.go: Expect only /var/log in allowed paths (not /tmp or ./logs)
- main_test.go: Convert to security validation tests that verify /tmp access is denied
- log_monitor.go: Fix MinSize filter to only apply to files, not directories

These changes ensure tests validate the security hardening rather than
expecting the insecure behavior.
diff --git a/mcp-servers/go/system-monitor-server/cmd/server/main_test.go b/mcp-servers/go/system-monitor-server/cmd/server/main_test.go
@@ -294,10 +294,11 @@ func TestHandleTailLogs(t *testing.T) {
         t.Error("Expected error for missing file_path")
     }
 
-    // Test with valid file path (use a temp file in /tmp)
+    // SECURITY TEST: Verify that /tmp is not allowed (security hardening)
+    // Create a temp file in /tmp to test that access is properly denied
     tmpFile, err := os.CreateTemp("/tmp", "test-log-*.txt")
     if err != nil {
-        t.Fatalf("Failed to create temp file: %v", err)
+        t.Skip("Cannot create temp file for security test")
     }
     defer os.Remove(tmpFile.Name())
     defer tmpFile.Close()
@@ -319,23 +320,26 @@ func TestHandleTailLogs(t *testing.T) {
         t.Fatalf("handleTailLogs failed: %v", err)
     }
 
-    if result.IsError {
-        if len(result.Content) > 0 {
-            if textContent, ok := mcp.AsTextContent(result.Content[0]); ok {
-                t.Errorf("Expected success, got error: %s", textContent.Text)
-            } else {
-                t.Error("Expected success, got error")
+    // SECURITY: Expect error because /tmp is not in allowed paths
+    if !result.IsError {
+        t.Error("Expected error for /tmp access (security hardening), but got success")
+    }
+
+    // Verify the error message mentions path validation
+    if len(result.Content) > 0 {
+        if textContent, ok := mcp.AsTextContent(result.Content[0]); ok {
+            if !strings.Contains(textContent.Text, "file path validation failed") &&
+                !strings.Contains(textContent.Text, "not in allowed directories") {
+                t.Errorf("Expected path validation error, got: %s", textContent.Text)
             }
-        } else {
-            t.Error("Expected success, got error")
         }
     }
 }
 
 func TestHandleGetDiskUsage(t *testing.T) {
     ctx := context.Background()
 
-    // Test with /tmp directory (allowed path)
+    // SECURITY TEST: Verify that /tmp is not allowed (security hardening)
     req := mcp.CallToolRequest{
         Params: mcp.CallToolParams{
             Arguments: map[string]interface{}{
@@ -350,30 +354,19 @@ func TestHandleGetDiskUsage(t *testing.T) {
         t.Fatalf("handleGetDiskUsage failed: %v", err)
     }
 
-    if result.IsError {
-        if len(result.Content) > 0 {
-            if textContent, ok := mcp.AsTextContent(result.Content[0]); ok {
-                t.Errorf("Expected success, got error: %s", textContent.Text)
-            } else {
-                t.Error("Expected success, got error")
-            }
-        } else {
-            t.Error("Expected success, got error")
-        }
+    // SECURITY: Expect error because /tmp is not in allowed paths
+    if !result.IsError {
+        t.Error("Expected error for /tmp access (security hardening), but got success")
     }
 
-    // Test that result contains valid JSON
+    // Verify the error message mentions path validation
     if len(result.Content) > 0 {
         if textContent, ok := mcp.AsTextContent(result.Content[0]); ok {
-            var diskUsage map[string]interface{}
-            if err := json.Unmarshal([]byte(textContent.Text), &diskUsage); err != nil {
-                t.Errorf("Result should be valid JSON: %v", err)
+            if !strings.Contains(textContent.Text, "failed to get disk usage") &&
+                !strings.Contains(textContent.Text, "not in allowed directories") {
+                t.Errorf("Expected path validation error, got: %s", textContent.Text)
             }
-        } else {
-            t.Error("Expected text content in result")
         }
-    } else {
-        t.Error("Expected content in result")
     }
 }
 
diff --git a/mcp-servers/go/system-monitor-server/internal/config/config_test.go b/mcp-servers/go/system-monitor-server/internal/config/config_test.go
@@ -70,27 +70,24 @@ func TestDefaultConfig(t *testing.T) {
     if config.LogMonitoring.MaxTailLines != 1000 {
         t.Errorf("Expected MaxTailLines 1000, got %d", config.LogMonitoring.MaxTailLines)
     }
-    if len(config.LogMonitoring.AllowedPaths) != 3 {
-        t.Errorf("Expected 3 allowed paths, got %d", len(config.LogMonitoring.AllowedPaths))
+    // SECURITY: Only /var/log should be allowed by default (removed /tmp and ./logs)
+    if len(config.LogMonitoring.AllowedPaths) != 1 {
+        t.Errorf("Expected 1 allowed path, got %d", len(config.LogMonitoring.AllowedPaths))
     }
-    expectedPaths := []string{"/var/log", "/tmp", "./logs"}
-    for i, expectedPath := range expectedPaths {
-        if config.LogMonitoring.AllowedPaths[i] != expectedPath {
-            t.Errorf("Expected allowed path %s, got %s", expectedPath, config.LogMonitoring.AllowedPaths[i])
-        }
+    if config.LogMonitoring.AllowedPaths[0] != "/var/log" {
+        t.Errorf("Expected allowed path /var/log, got %s", config.LogMonitoring.AllowedPaths[0])
     }
     if config.LogMonitoring.FollowTimeout != 30*time.Second {
         t.Errorf("Expected FollowTimeout 30s, got %v", config.LogMonitoring.FollowTimeout)
     }
 
     // Test Security config
-    if len(config.Security.AllowedPaths) != 3 {
-        t.Errorf("Expected 3 security allowed paths, got %d", len(config.Security.AllowedPaths))
+    // SECURITY: Only /var/log should be allowed by default (removed /tmp and ./logs)
+    if len(config.Security.AllowedPaths) != 1 {
+        t.Errorf("Expected 1 security allowed path, got %d", len(config.Security.AllowedPaths))
     }
-    for i, expectedPath := range expectedPaths {
-        if config.Security.AllowedPaths[i] != expectedPath {
-            t.Errorf("Expected security allowed path %s, got %s", expectedPath, config.Security.AllowedPaths[i])
-        }
+    if config.Security.AllowedPaths[0] != "/var/log" {
+        t.Errorf("Expected security allowed path /var/log, got %s", config.Security.AllowedPaths[0])
     }
     if config.Security.MaxFileSize != 100*1024*1024 {
         t.Errorf("Expected MaxFileSize 100MB, got %d", config.Security.MaxFileSize)
diff --git a/mcp-servers/go/system-monitor-server/internal/monitor/log_monitor.go b/mcp-servers/go/system-monitor-server/internal/monitor/log_monitor.go
@@ -402,13 +402,12 @@ func (lm *LogMonitor) GetDiskUsage(ctx context.Context, req *types.DiskUsageRequ
             return nil
         }
 
-        // Check minimum size
-        if req.MinSize > 0 && info.Size() < req.MinSize {
-            return nil
-        }
-
-        // Check file type filter
+        // Check file type filter (only for files) - must check before size filter
         if len(req.FileTypes) > 0 {
+            if info.IsDir() {
+                // Skip directories when filtering by file type
+                return nil
+            }
             ext := strings.ToLower(filepath.Ext(path))
             found := false
             for _, fileType := range req.FileTypes {
@@ -422,6 +421,17 @@ func (lm *LogMonitor) GetDiskUsage(ctx context.Context, req *types.DiskUsageRequ
             }
         }
 
+        // Check minimum size (only for files, not directories)
+        if req.MinSize > 0 {
+            if info.IsDir() {
+                // Skip directories when filtering by size
+                return nil
+            }
+            if info.Size() < req.MinSize {
+                return nil
+            }
+        }
+
         item := types.DiskUsageItem{
             Path:     path,
             Size:     info.Size(),
