
#!/bin/bash
# Security test script for restricted shell
# Tests various injection and escape attempts
set -e

# ANSI colour escapes; stored as literal "\033…" text and rendered at print
# time with printf '%b'.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # reset to the default colour

printf '%b\n' "${BLUE}╔════════════════════════════════════════════════════════╗${NC}"
printf '%b\n' "${BLUE}║ Restricted Shell Security Test ║${NC}"
printf '%b\n' "${BLUE}╚════════════════════════════════════════════════════════╝${NC}"
printf '\n'

# Result counters, incremented by test_command() and reported at the end.
PASSED=0
FAILED=0
TOTAL=0
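#######################################
# Allowlist check shared by both branches of test_command().
# These patterns stand in for the ones enforced by restricted-shell.sh and
# must be kept in sync with it.
# Arguments: $1 - raw argument string as it would reach the restricted shell
# Returns:   0 when the input matches an allowed form, 1 otherwise
#######################################
is_allowed_input() {
  local input="$1"

  # Form 1: "-P <profile>", profile restricted to [A-Za-z0-9_-].
  # NOTE(review): [[:space:]] also matches newline and carriage return between
  # -P and the profile name — confirm this is what restricted-shell.sh intends.
  if [[ "$input" =~ ^-P[[:space:]]+[a-zA-Z0-9_-]+$ ]]; then
    return 0
  fi

  # Form 2: ws:// or wss:// URL built only from host/port/path characters.
  # '.' and ':' are literal inside a bracket expression and are deliberately
  # not backslash-escaped: depending on the bash version, an escaping
  # backslash can itself become a member of the class and so be allowed.
  if [[ "$input" =~ ^wss?://[a-zA-Z0-9.:/_-]+$ ]]; then
    return 0
  fi

  return 1
}

#######################################
# Runs one allowlist check and records the outcome in the global counters.
# Globals:   RED, GREEN, YELLOW, NC (read); PASSED, FAILED, TOTAL (written)
# Arguments: $1 - human-readable test name
#            $2 - input string under test
#            $3 - expected outcome: "block"; any other value means "allow"
# Outputs:   one "Testing: <name> ... PASS/FAIL - <reason>" line on stdout
# Returns:   0 always; results are tallied, not returned
#######################################
test_command() {
  local test_name="$1"
  local test_input="$2"
  local should_block="$3" # "block" or "allow"
  local matched=0

  TOTAL=$((TOTAL + 1))
  # %s keeps any backslashes in the test name literal; %b renders the colours.
  printf '%bTesting:%b %s ... ' "$YELLOW" "$NC" "$test_name"

  # Note: this is a template. A complete check would send the input to the
  # restricted shell, observe whether it was blocked or executed, and verify
  # that no unauthorised command ran. For now only the regex allowlist is
  # exercised.
  if is_allowed_input "$test_input"; then
    matched=1
  fi

  if [[ "$should_block" == "block" ]]; then
    # Expected to be rejected: a match means the allowlist is too permissive.
    if (( matched )); then
      printf '%bFAIL%b - Should have blocked but pattern matched\n' "$RED" "$NC"
      FAILED=$((FAILED + 1))
    else
      printf '%bPASS%b - Correctly blocked\n' "$GREEN" "$NC"
      PASSED=$((PASSED + 1))
    fi
  else
    # Expected to be accepted: no match means a legitimate input is rejected.
    if (( matched )); then
      printf '%bPASS%b - Correctly allowed\n' "$GREEN" "$NC"
      PASSED=$((PASSED + 1))
    else
      printf "%bFAIL%b - Should have allowed but pattern didn't match\n" "$RED" "$NC"
      FAILED=$((FAILED + 1))
    fi
  fi
}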
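printf '%b\n' "${BLUE}═══ Testing Valid Commands (Should Allow) ═══${NC}"
echo ""
test_command "Local profile" "-P local" "allow"
test_command "Remote profile" "-P rpi-master" "allow"
test_command "Profile with dash" "-P rpi-worker-1" "allow"
test_command "Profile with underscore" "-P my_profile" "allow"
test_command "Websocket URL" "ws://192.168.1.100:3000" "allow"
test_command "Secure websocket" "wss://example.com:3000" "allow"
test_command "Websocket with path" "ws://192.168.1.100:3000/ws" "allow"
echo ""

printf '%b\n' "${BLUE}═══ Testing Command Injection (Should Block) ═══${NC}"
echo ""
test_command "Command substitution \$()" "-P \$(whoami)" "block"
test_command "Command substitution backticks" "-P \`id\`" "block"
test_command "Shell semicolon" "-P local; ls -la" "block"
test_command "Shell AND operator" "-P local && cat /etc/passwd" "block"
test_command "Shell OR operator" "-P local || /bin/sh" "block"
test_command "Shell pipe" "-P local | grep root" "block"
test_command "Shell redirect" "-P local > /tmp/output" "block"
test_command "Shell background" "-P local &" "block"
echo ""

printf '%b\n' "${BLUE}═══ Testing Path Traversal (Should Block) ═══${NC}"
echo ""
test_command "Parent directory" "-P ../etc/passwd" "block"
test_command "Absolute path" "-P /etc/passwd" "block"
test_command "Multiple parent dirs" "-P ../../bin/bash" "block"
test_command "Encoded path" "-P %2e%2e%2f" "block"
echo ""

printf '%b\n' "${BLUE}═══ Testing Special Characters (Should Block) ═══${NC}"
echo ""
# $'…' produces a real newline / carriage return. A plain "\n" inside double
# quotes would only pass the two literal characters '\' and 'n', which the
# pattern rejects for a different reason than the test name suggests.
test_command "Newline injection" $'-P local\nls' "block"
test_command "Carriage return" $'-P local\rls' "block"
# Bash strings cannot hold a NUL byte, so only the literal text "\x00" can be
# passed here; a real NUL has to be exercised against the running shell.
test_command "Null byte" "-P local\x00ls" "block"
test_command "Single quote" "-P local' ls" "block"
test_command "Double quote" "-P local\" ls" "block"
test_command "Dollar sign" "-P \$HOME" "block"
test_command "Asterisk wildcard" "-P local*" "block"
test_command "Question wildcard" "-P local?" "block"
echo ""

printf '%b\n' "${BLUE}═══ Testing Environment Variables (Should Block) ═══${NC}"
echo ""
# Same input as the "Dollar sign" case above.
test_command "HOME variable" "-P \$HOME" "block"
test_command "PATH variable" "-P \$PATH" "block"
test_command "SHELL variable" "-P \$SHELL" "block"
test_command "Braced variable" "-P \${HOME}" "block"
echo ""

printf '%b\n' "${BLUE}═══ Testing WebSocket URL Exploits (Should Block) ═══${NC}"
echo ""
test_command "WS with command injection" "ws://evil.com/\$(id)" "block"
test_command "WS with backticks" "ws://evil.com/\`whoami\`" "block"
test_command "WS with semicolon" "ws://evil.com/; ls" "block"
test_command "WS with spaces" "ws://evil.com/ /bin/sh" "block"
echo ""

printf '%b\n' "${BLUE}════════════════════════════════════════════════════${NC}"
printf '%b\n' "${BLUE} TEST SUMMARY ${NC}"
printf '%b\n' "${BLUE}════════════════════════════════════════════════════${NC}"
echo ""
# Counters are printed with %s so their values are never reinterpreted.
printf 'Total Tests: %b%s%b\n' "$BLUE" "$TOTAL" "$NC"
printf 'Passed: %b%s%b\n' "$GREEN" "$PASSED" "$NC"
printf 'Failed: %b%s%b\n' "$RED" "$FAILED" "$NC"
echo ""

# Exit status doubles as the CI signal: 0 only when every case passed.
if (( FAILED == 0 )); then
  printf '%b\n' "${GREEN}✓ All security tests passed!${NC}"
  echo ""
  printf '%b\n' "${YELLOW}Note:${NC} These are pattern validation tests only."
  echo "For complete security verification, you should:"
  echo " 1. Test in actual container environment"
  echo " 2. Verify socktop binary doesn't process malicious args"
  echo " 3. Monitor for unexpected process execution"
  echo " 4. Check logs for injection attempts"
  echo ""
  exit 0
else
  printf '%b\n' "${RED}✗ Some security tests failed!${NC}"
  echo ""
  echo "Review the failed tests and update regex patterns in restricted-shell.sh"
  echo ""
  exit 1
fi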