Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
d9a7ec0338e28f6a93e0328091aea4401a766ae3
CapaKraken/packages/api/src/__tests__/assistant-tools-project-cover-generate.test.ts
T
Hartmut c4b01c1bfc security: workbook path allowlist + stronger image polyglot validation (#54) 
- dispo workbook imports are pinned to DISPO_IMPORT_DIR (default ./imports):
  tRPC input rejects absolute paths and .. segments, runtime reader
  re-validates containment via path.relative. Closes a path-traversal
  class that reached ExcelJS CVEs through admin/compromised tokens.
- image validator now checks the full 8-byte PNG magic, enforces PNG IEND
  and JPEG EOI trailers, scans the decoded buffer for markup polyglot
  markers (<script, <svg, <iframe, javascript:, onerror=, ...), and
  explicitly rejects SVG. Provider-generated covers (DALL-E, Gemini) run
  through the same validator before persistence — an untrusted upstream
  cannot smuggle a stored-XSS payload past us.
- added image-validation.test.ts and tightened documentation.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 15:26:29 +02:00

142 lines
4.5 KiB
TypeScript
Raw Blame History

import { beforeEach, describe, expect, it, vi } from "vitest";
import { PermissionKey, SystemRole } from "@capakraken/shared";
vi.mock("@capakraken/application", async (importOriginal) => {
const actual = await importOriginal<typeof import("@capakraken/application")>();
return {
...actual,
approveEstimateVersion: vi.fn(),
cloneEstimate: vi.fn(),
commitDispoImportBatch: vi.fn(),
countPlanningEntries: vi.fn().mockResolvedValue({ countsByRoleId: new Map() }),
createEstimateExport: vi.fn(),
createEstimatePlanningHandoff: vi.fn(),
createEstimateRevision: vi.fn(),
assessDispoImportReadiness: vi.fn(),
loadResourceDailyAvailabilityContexts: vi.fn().mockResolvedValue(new Map()),
getDashboardDemand: vi.fn().mockResolvedValue([]),
getDashboardBudgetForecast: vi.fn().mockResolvedValue([]),
getDashboardOverview: vi.fn(),
getDashboardSkillGapSummary: vi.fn().mockResolvedValue({
roleGaps: [],
totalOpenPositions: 0,
skillSupplyTop10: [],
resourcesByRole: [],
}),
getDashboardProjectHealth: vi.fn().mockResolvedValue([]),
getDashboardPeakTimes: vi.fn().mockResolvedValue([]),
getDashboardTopValueResources: vi.fn().mockResolvedValue([]),
getEstimateById: vi.fn(),
listAssignmentBookings: vi.fn().mockResolvedValue([]),
stageDispoImportBatch: vi.fn(),
submitEstimateVersion: vi.fn(),
updateEstimateDraft: vi.fn(),
};
});
vi.mock("../ai-client.js", async (importOriginal) => {
const actual = await importOriginal<typeof import("../ai-client.js")>();
return {
...actual,
createDalleClient: vi.fn(() => ({
images: {
generate: vi.fn().mockResolvedValue({
data: [{ b64_json: "iVBORw0KGgoAAAAASUVORK5CYII=" }],
}),
},
})),
loggedAiCall: vi.fn(async (_provider, _model, _promptLength, fn) => fn()),
};
});
import { createToolContext, executeTool } from "./assistant-tools-project-media-test-helpers.js";
describe("assistant project cover generation tools", () => {
beforeEach(() => {
vi.clearAllMocks();
});
it("routes project cover generation through the real project router path", async () => {
const projectFindUnique = vi
.fn()
.mockResolvedValueOnce({
id: "project_1",
name: "Project One",
shortCode: "PROJ-1",
status: "ACTIVE",
orderType: "CHARGEABLE",
allocationType: "INT",
budgetCents: 0,
winProbability: 100,
startDate: new Date("2026-05-01T00:00:00.000Z"),
endDate: new Date("2026-06-30T00:00:00.000Z"),
responsiblePerson: "Peter Parker",
client: null,
utilizationCategory: null,
_count: { assignments: 0, estimates: 0 },
})
.mockResolvedValueOnce({
id: "project_1",
name: "Project One",
client: { name: "Wayne Enterprises" },
});
const projectUpdate = vi.fn().mockResolvedValue({
id: "project_1",
coverImageUrl: "data:image/png;base64,iVBORw0KGgoAAAAASUVORK5CYII=",
});
const ctx = createToolContext(
{
project: {
findUnique: projectFindUnique,
update: projectUpdate,
},
assignment: {
findMany: vi.fn().mockResolvedValue([]),
},
systemSettings: {
findUnique: vi.fn().mockResolvedValue({
id: "singleton",
imageProvider: "dalle",
aiProvider: "openai",
azureOpenAiApiKey: "sk-test",
azureOpenAiDeployment: "gpt-4o-mini",
}),
},
},
{
userRole: SystemRole.ADMIN,
permissions: [PermissionKey.MANAGE_PROJECTS],
},
);
const result = await executeTool(
"generate_project_cover",
JSON.stringify({ projectId: "project_1", prompt: "Blue studio lighting" }),
ctx,
);
expect(projectUpdate).toHaveBeenCalledWith({
where: { id: "project_1" },
data: { coverImageUrl: "data:image/png;base64,iVBORw0KGgoAAAAASUVORK5CYII=" },
});
expect(projectFindUnique).toHaveBeenCalledWith({
where: { id: "project_1" },
select: expect.objectContaining({
id: true,
shortCode: true,
name: true,
status: true,
responsiblePerson: true,
startDate: true,
endDate: true,
}),
});
expect(JSON.parse(result.content)).toEqual(
expect.objectContaining({
success: true,
message: 'Generated cover art for project "Project One"',
}),
);
});
});
Reference in New Issue View Git Blame Copy Permalink