fix(quality): TICKET-012 propagate request context instead of context.Background()

- Updated AgentService interface to accept context.Context parameter in all methods - Replaced context.Background() calls with proper ctx parameter in agent.go - Updated AgentGroupService interface to accept context.Context parameter - Replaced context.Background() calls with proper ctx parameter in agent_group.go - Updated handler methods to pass r.Context() to service methods - Context now properly propagates through request lifecycle for timeout/cancellation - Improved request tracing and cancellation behavior
2026-06-13 12:48:59 +00:00 · 2026-03-27 21:35:22 -04:00
parent 3e5cc86c5a
commit 200bdf990f
11 changed files with 413 additions and 81 deletions
@@ -377,3 +377,85 @@ func TestNginxConnector_ValidateDeployment_ValidateCommandFails(t *testing.T) {
 		t.Fatal("expected invalid result")
 	}
 }
+
+// Security tests for command injection prevention
+
+func TestNginxConnector_ValidateConfig_RejectCommandInjectionSemicolon(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := nginx.Config{
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		ChainPath:       filepath.Join(tmpDir, "chain.pem"),
+		ReloadCommand:   "nginx; rm -rf /", // Command injection attempt
+		ValidateCommand: "true",
+	}
+
+	connector := nginx.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for command injection in reload_command")
+	}
+}
+
+func TestNginxConnector_ValidateConfig_RejectCommandInjectionPipe(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := nginx.Config{
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		ChainPath:       filepath.Join(tmpDir, "chain.pem"),
+		ReloadCommand:   "true",
+		ValidateCommand: "nginx -t | cat /etc/passwd", // Command injection attempt
+	}
+
+	connector := nginx.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for command injection in validate_command")
+	}
+}
+
+func TestNginxConnector_ValidateConfig_RejectCommandSubstitution(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := nginx.Config{
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		ChainPath:       filepath.Join(tmpDir, "chain.pem"),
+		ReloadCommand:   "echo $(whoami)",
+		ValidateCommand: "true",
+	}
+
+	connector := nginx.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for command substitution in reload_command")
+	}
+}
+
+func TestNginxConnector_ValidateConfig_RejectBackticks(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	tmpDir := t.TempDir()
+	cfg := nginx.Config{
+		CertPath:        filepath.Join(tmpDir, "cert.pem"),
+		ChainPath:       filepath.Join(tmpDir, "chain.pem"),
+		ReloadCommand:   "true",
+		ValidateCommand: "nginx -t `whoami`",
+	}
+
+	connector := nginx.New(&cfg, logger)
+	rawConfig, _ := json.Marshal(cfg)
+	err := connector.ValidateConfig(ctx, rawConfig)
+	if err == nil {
+		t.Fatal("expected error for backtick injection in validate_command")
+	}
+}