akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
cde711d77eaf180a9b6d9d393629815979302a0b
Charon/docs/implementation/2026-02-02_backend_coverage_security_fix.md
GitHub Actions 719c340735 fix(ci): security toggles tests, CrowdSec response data, and coverage improvement documentation 
- Implemented comprehensive tests for security toggle handlers in `security_toggles_test.go`, covering enable/disable functionality for ACL, WAF, Cerberus, CrowdSec, and RateLimit.
- Added sample JSON response for CrowdSec decisions in `lapi_decisions_response.json`.
- Created aggressive preset configuration for CrowdSec in `preset_aggressive.json`.
- Documented backend coverage, security fixes, and E2E testing improvements in `2026-02-02_backend_coverage_security_fix.md`.
- Developed a detailed backend test coverage restoration plan in `current_spec.md` to address existing gaps and improve overall test coverage to 86%+.
2026-02-02 11:55:55 +00:00

64 lines
3.2 KiB
Markdown
Raw Blame History

# Backend Coverage, Security & E2E Fixes
**Date**: 2026-02-02
**Context**: Remediation of critical security vulnerabilities, backend test coverage improvements, and cross-browser E2E stability.
## 1. Architectural Constraint: Concrete Types vs Interfaces
### Problem
Initial attempts to increase test coverage for `ConfigLoader` and `ConfigManager` relied on mocking interfaces (`IConfigLoader`, `IConfigManager`). This approach proved problematic:
1. **Brittleness**: Mocks required constant updates whenever internal implementation details changed.
2. **False Confidence**: Mocks masked actual integration issues, particularly with file system interactions.
3. **Complexity**: The setup for mocks became more complex than the code being tested.
### Solution: Real Dependency Pattern
We shifted strategy to test **concrete types** instead of mocks for these specific components.
- **Why**: `ConfigLoader` and `ConfigManager` are "leaf" nodes in the dependency graph responsible for IO. Testing them with real (temporary) files system operations provides higher value.
- **Implementation**:
- Tests now create temporary directories using `t.TempDir()`.
- Concrete `NewConfigLoader` and `NewConfigManager` are instantiated.
- Assertions verify actual file creation and content on disk.
## 2. Security Fix: SafeJoin Remediation
### Vulnerability
Three critical vulnerabilities were identified where `filepath.Join` was used with user-controlled input, creating a risk of Path Traversal attacks.
**Locations:**
1. `backend/internal/caddy/config_loader.go`
2. `backend/internal/caddy/config_manager.go`
3. `backend/internal/caddy/import_handler.go`
### Fix
Replaced all risky `filepath.Join` calls with `utils.SafeJoin`.
**Mechanism**:
`utils.SafeJoin(base, path)` performs the following checks:
1. Joins the paths.
2. Cleans the resulting path.
3. Verifies that the resulting path still has the `base` path as a prefix.
4. Returns an error if the path attempts to traverse outside the base.
## 3. E2E Fix: WebKit/Firefox Switch Interaction
### Issue
E2E tests involving the `Switch` component (shadcn/ui) were reliably passing in Chromium but failing in WebKit (Safari) and Firefox.
- **Symptoms**: Timeouts, `click intercepted` errors, or assertions failing because the switch state didn't change.
- **Root Cause**: The underlying `<input type="checkbox">` is often visually hidden or covered by the styled toggle element. Chromium's event dispatching is slightly more forgiving, while WebKit/Firefox adhere strictly to visibility and hit-testing rules.
### Fix
Refactored `tests/utils/ui-helpers.ts` to improve interaction reliability.
1. **Semantic Clicks**: Instead of trying to force-click the input or specific coordinates, we now locate the accessible label or the wrapper element that handles the click event.
2. **Explicit State Verification**: Replaced arbitrary `waitForTimeout` calls with smart polling assertions:
```typescript
// Before
await toggle.click();
await page.waitForTimeout(500);
// After
await toggle.click();
await expect(toggle).toBeChecked({ timeout: 5000 });
```
3. **Result**: 100% pass rate across all three browser engines for System Settings and User Management tests.
Reference in New Issue View Git Blame Copy Permalink