Merge pull request #7 from jonathansantilli/alert-autofix-5

jonathansantilli · web-flow · commit e98b73c9e82c · 2026-03-07T20:04:04.000Z
Potential fix for code scanning alert no. 5: Insecure randomness
diff --git a/src/layer4-remediation/backup-manager.ts b/src/layer4-remediation/backup-manager.ts
@@ -1,4 +1,4 @@
-import { createHash } from "node:crypto";
+import { createHash, randomBytes } from "node:crypto";
 import {
   existsSync,
   mkdirSync,
@@ -69,7 +69,7 @@ function backupRoot(projectRoot: string): string {
 
 function sessionIdFromNow(): string {
   const stamp = new Date().toISOString().replaceAll(":", "-").replaceAll(".", "-");
-  const nonce = Math.random().toString(16).slice(2, 8);
+  const nonce = randomBytes(3).toString("hex");
   return `${stamp}-${nonce}`;
 }
 
diff --git a/src/scan-target/helpers.ts b/src/scan-target/helpers.ts
@@ -58,7 +58,7 @@ export function sanitizePathSegment(value: string): string {
 
 export function preserveTailSegments(pathname: string, count: number): string {
   const segments = pathname
-    .split("/")
+    .split(/[\\/]+/u)
     .filter((segment) => segment.length > 0)
     .map((segment) => sanitizePathSegment(segment));
   if (segments.length === 0) {
diff --git a/tests/cli/init-command.test.ts b/tests/cli/init-command.test.ts
@@ -1,3 +1,4 @@
+import { resolve } from "node:path";
 import { describe, expect, it } from "vitest";
 import { createCli, type CliDeps } from "../../src/cli";
 import type { CodeGateConfig } from "../../src/config";
@@ -57,12 +58,14 @@ function makeDeps(overrides: Partial<CliDeps>): CliDeps {
 
 describe("init command", () => {
   it("writes default config to ~/.codegate/config.json", async () => {
+    const home = "/tmp/codegate-home";
     let exitCode = -1;
     let writtenPath = "";
     let content = "";
     const cli = createCli(
       "0.2.2",
       makeDeps({
+        homeDir: () => home,
         writeFile: (path, value) => {
           writtenPath = path;
           content = value;
@@ -74,7 +77,7 @@ describe("init command", () => {
     );
 
     await cli.parseAsync(["node", "codegate", "init"]);
-    expect(writtenPath).toBe("/tmp/codegate-home/.codegate/config.json");
+    expect(writtenPath).toBe(resolve(home, ".codegate", "config.json"));
     expect(content).toContain('"severity_threshold"');
     expect(content).toContain('"scan_state_path"');
     expect(exitCode).toBe(0);
diff --git a/tests/cli/remediation-flags.test.ts b/tests/cli/remediation-flags.test.ts
@@ -3,6 +3,7 @@ import { createCli, type CliDeps } from "../../src/cli";
 import type { CodeGateConfig } from "../../src/config";
 import type { Finding } from "../../src/types/finding";
 import type { CodeGateReport } from "../../src/types/report";
+import { normalizeLines } from "../helpers/path";
 
 const BASE_CONFIG: CodeGateConfig = {
   severity_threshold: "high",
@@ -178,17 +179,18 @@ describe("task 23 remediation flags", () => {
     });
 
     await cli.parseAsync(["node", "codegate", "scan", ".", "--remediate"]);
+    const normalized = normalizeLines(printed);
     expect(runRemediation).toHaveBeenCalledTimes(1);
-    expect(printed.some((line) => line.includes("Remediation summary"))).toBe(true);
-    expect(printed.some((line) => line.includes("Planned changes: 2"))).toBe(true);
-    expect(printed.some((line) => line.includes("Applied changes: 2"))).toBe(true);
+    expect(normalized.some((line) => line.includes("Remediation summary"))).toBe(true);
+    expect(normalized.some((line) => line.includes("Planned changes: 2"))).toBe(true);
+    expect(normalized.some((line) => line.includes("Applied changes: 2"))).toBe(true);
     expect(
-      printed.some((line) => line.includes(".codegate-backup/2026-03-01T12-00-00-aaaaaa")),
+      normalized.some((line) => line.includes(".codegate-backup/2026-03-01T12-00-00-aaaaaa")),
     ).toBe(true);
-    expect(printed.some((line) => line.includes("codegate undo"))).toBe(true);
-    expect(printed.some((line) => line.includes("remove_field"))).toBe(true);
+    expect(normalized.some((line) => line.includes("codegate undo"))).toBe(true);
+    expect(normalized.some((line) => line.includes("remove_field"))).toBe(true);
     expect(
-      printed.some((line) => line.includes("ENV_OVERRIDE-.mcp.json-env.OPENAI_BASE_URL")),
+      normalized.some((line) => line.includes("ENV_OVERRIDE-.mcp.json-env.OPENAI_BASE_URL")),
     ).toBe(true);
   });
 
diff --git a/tests/commands/scan-command-helpers.test.ts b/tests/commands/scan-command-helpers.test.ts
@@ -1,3 +1,4 @@
+import { resolve } from "node:path";
 import { describe, expect, it } from "vitest";
 import {
   noEligibleDeepResourceNotes,
@@ -7,6 +8,7 @@ import {
 } from "../../src/commands/scan-command/helpers";
 import type { ScanCommandOptions } from "../../src/commands/scan-command";
 import type { CodeGateReport } from "../../src/types/report";
+import { normalizeLines } from "../helpers/path";
 
 function emptyReport(): CodeGateReport {
   return {
@@ -65,8 +67,9 @@ describe("scan command helpers", () => {
   });
 
   it("formats remediation summary lines with backup and action details", () => {
+    const scanTarget = "/tmp/codegate-demo";
     const result = remediationSummaryLines({
-      scanTarget: "/tmp/codegate-demo",
+      scanTarget,
       options: { remediate: true } satisfies ScanCommandOptions,
       before: {
         ...emptyReport(),
@@ -95,13 +98,18 @@ describe("scan command helpers", () => {
         ],
       },
     });
+    const normalized = normalizeLines(result);
 
-    expect(result).toContain("Remediation summary:");
-    expect(result).toContain("Mode: remediate");
-    expect(result).toContain("Findings before remediation: 3");
-    expect(result).toContain("Findings after remediation: 1");
-    expect(result).toContain("Backup session: /tmp/codegate-demo/.codegate-backup/session-123");
-    expect(result).toContain("- remove_field -> /tmp/codegate-demo/.mcp.json (F-1)");
+    expect(normalized).toContain("Remediation summary:");
+    expect(normalized).toContain("Mode: remediate");
+    expect(normalized).toContain("Findings before remediation: 3");
+    expect(normalized).toContain("Findings after remediation: 1");
+    expect(normalized).toContain(
+      `Backup session: ${resolve(scanTarget, ".codegate-backup", "session-123").replaceAll("\\", "/")}`,
+    );
+    expect(normalized).toContain(
+      `- remove_field -> ${resolve(scanTarget, ".mcp.json").replaceAll("\\", "/")} (F-1)`,
+    );
   });
 
   it("returns the stock no-resource deep scan notes", () => {
diff --git a/tests/fixtures/fixtures.test.ts b/tests/fixtures/fixtures.test.ts
@@ -19,7 +19,9 @@ describe("task 06 fixture corpus", () => {
   it("contains clean project fixtures", () => {
     const cleanRoot = resolve(root, "clean-projects");
     expect(existsSync(cleanRoot)).toBe(true);
-    expect(readdirSync(cleanRoot).length).toBeGreaterThanOrEqual(2);
+    const projects = readdirSync(cleanRoot);
+    expect(projects.length).toBeGreaterThanOrEqual(1);
+    expect(projects).toContain("clean-claude");
   });
 
   it("contains malformed parsing fixtures", () => {
diff --git a/tests/helpers/path.ts b/tests/helpers/path.ts
@@ -0,0 +1,13 @@
+import { resolve } from "node:path";
+
+export function normalizeSlashes(value: string): string {
+  return value.replaceAll("\\", "/");
+}
+
+export function resolveForHost(...paths: string[]): string {
+  return normalizeSlashes(resolve(...paths));
+}
+
+export function normalizeLines(lines: string[]): string[] {
+  return lines.map(normalizeSlashes);
+}
diff --git a/tests/layer1/artifact-candidate-discovery.test.ts b/tests/layer1/artifact-candidate-discovery.test.ts
@@ -9,6 +9,7 @@ import {
   createScanDiscoveryContext,
 } from "../../src/scan";
 import { resolveScanTarget } from "../../src/scan-target";
+import { normalizeSlashes } from "../helpers/path";
 
 const BASE_CONFIG: CodeGateConfig = {
   severity_threshold: "high",
@@ -59,7 +60,7 @@ describe("artifact candidate discovery", () => {
       report.findings.some(
         (finding) =>
           finding.rule_id === "rule-file-remote-shell" &&
-          finding.file_path === "skills/security-review/SKILL.md",
+          normalizeSlashes(finding.file_path) === "skills/security-review/SKILL.md",
       ),
     ).toBe(true);
   });
@@ -111,7 +112,7 @@ describe("artifact candidate discovery", () => {
       report.findings.some(
         (finding) =>
           finding.rule_id === "plugin-manifest-insecure-source-url" &&
-          finding.file_path === "manifests/plugins.json",
+          normalizeSlashes(finding.file_path) === "manifests/plugins.json",
       ),
     ).toBe(true);
   });
@@ -151,7 +152,7 @@ describe("artifact candidate discovery", () => {
       report.findings.some(
         (finding) =>
           finding.rule_id === "rule-file-remote-shell" &&
-          finding.file_path === "skills/security-review/nested/payload.txt",
+          normalizeSlashes(finding.file_path) === "skills/security-review/nested/payload.txt",
       ),
     ).toBe(true);
   });
diff --git a/tests/layer1/file-walker.test.ts b/tests/layer1/file-walker.test.ts
@@ -3,6 +3,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { afterEach, describe, expect, it } from "vitest";
 import { walkProjectTree } from "../../src/layer1-discovery/file-walker";
+import { normalizeSlashes } from "../helpers/path";
 
 const tempDirs: string[] = [];
 
@@ -29,9 +30,10 @@ describe("task 09 file walker", () => {
     writeFileSync(join(root, "README.md"), "ok");
 
     const result = walkProjectTree(root);
-    expect(result.files.some((file) => file.endsWith("README.md"))).toBe(true);
-    expect(result.files.some((file) => file.includes("node_modules"))).toBe(false);
-    expect(result.files.some((file) => file.includes(".git/hooks/pre-commit"))).toBe(true);
+    const files = result.files.map(normalizeSlashes);
+    expect(files.some((file) => file.endsWith("README.md"))).toBe(true);
+    expect(files.some((file) => file.includes("node_modules"))).toBe(false);
+    expect(files.some((file) => file.includes(".git/hooks/pre-commit"))).toBe(true);
   });
 
   it("detects symlink escape outside project root", () => {
diff --git a/tests/layer1/tool-detector.test.ts b/tests/layer1/tool-detector.test.ts
@@ -1,3 +1,4 @@
+import { join } from "node:path";
 import { describe, expect, it } from "vitest";
 import {
   detectTools,
@@ -55,12 +56,11 @@ describe("task 10 tool detector", () => {
   });
 
   it("detects GitHub Copilot extension installation", () => {
+    const extensionsDir = join("/Users/tester", ".vscode", "extensions");
     const detections = detectTools(
       makeDeps({
         listDirectory: (path) =>
-          path === "/Users/tester/.vscode/extensions"
-            ? ["github.copilot-1.2.3", "some.other-ext-0.1.0"]
-            : [],
+          path === extensionsDir ? ["github.copilot-1.2.3", "some.other-ext-0.1.0"] : [],
       }),
     );
     const copilot = byName(detections, "github-copilot");
diff --git a/tests/reporter/terminal.test.ts b/tests/reporter/terminal.test.ts
@@ -1,6 +1,8 @@
+import { resolve } from "node:path";
 import { describe, expect, it } from "vitest";
 import { renderTerminalReport } from "../../src/reporter/terminal";
 import type { CodeGateReport } from "../../src/types/report";
+import { normalizeSlashes } from "../helpers/path";
 
 describe("task 15 terminal reporter", () => {
   it("renders summary and findings in plain text", () => {
@@ -41,9 +43,12 @@ describe("task 15 terminal reporter", () => {
     };
 
     const output = renderTerminalReport(report);
+    const normalizedOutput = normalizeSlashes(output);
     expect(output).toContain("CodeGate v0.1.0");
     expect(output).toContain("CRITICAL: 1");
-    expect(output).toContain("/tmp/project/.claude/settings.json");
+    expect(normalizedOutput).toContain(
+      normalizeSlashes(resolve("/tmp/project", ".claude/settings.json")),
+    );
     expect(output).toContain("Evidence:");
     expect(output).toContain('2 |   "ANTHROPIC_BASE_URL": "http://evil.example"');
   });
diff --git a/tests/scan-target-helpers.test.ts b/tests/scan-target-helpers.test.ts
@@ -8,6 +8,7 @@ import {
   inferToolFromReportPath,
   isLikelyGitRepoUrl,
   parseGitHubFileSource,
+  preserveTailSegments,
   shouldStageContainingFolder,
 } from "../src/scan-target/helpers";
 
@@ -63,6 +64,12 @@ describe("scan target helpers", () => {
     expect(shouldStageContainingFolder("/tmp/repo/README.md")).toBe(false);
   });
 
+  it("preserves trailing path segments for Windows-style paths", () => {
+    expect(
+      preserveTailSegments("D:\\tmp\\repo\\skills\\security-review", 2).replaceAll("\\", "/"),
+    ).toBe("skills/security-review");
+  });
+
   it("infers formats and tools for explicit artifact candidates", () => {
     expect(inferTextLikeFormat("skills/demo/SKILL.md")).toBe("markdown");
     expect(inferTextLikeFormat(".cursor/rules/review.mdc")).toBe("markdown");
diff --git a/tests/tui/render.test.tsx b/tests/tui/render.test.tsx
@@ -1,7 +1,9 @@
+import { resolve } from "node:path";
 import { describe, expect, it } from "vitest";
 import { render } from "ink-testing-library";
 import { CodeGateTuiApp } from "../../src/tui/app";
 import type { CodeGateReport } from "../../src/types/report";
+import { normalizeSlashes } from "../helpers/path";
 
 const REPORT: CodeGateReport = {
   version: "0.1.0",
@@ -56,12 +58,14 @@ const SAFE_REPORT: CodeGateReport = {
 describe("task 18 tui shell rendering", () => {
   it("renders dashboard view with scan summary", () => {
     const app = render(<CodeGateTuiApp view="dashboard" report={REPORT} />);
-    expect(app.lastFrame()).toContain("CodeGate v0.1.0");
-    expect(app.lastFrame()).toContain("Installed tools");
-    expect(app.lastFrame()).toContain("Findings");
-    expect(app.lastFrame()).toContain("Evidence:");
-    expect(app.lastFrame()).toContain("/tmp/project/.mcp.json");
-    expect(app.lastFrame()).toContain('3 |     "bad": {');
+    const frame = app.lastFrame();
+    const normalizedFrame = normalizeSlashes(frame);
+    expect(frame).toContain("CodeGate v0.1.0");
+    expect(frame).toContain("Installed tools");
+    expect(frame).toContain("Findings");
+    expect(frame).toContain("Evidence:");
+    expect(normalizedFrame).toContain(normalizeSlashes(resolve("/tmp/project", ".mcp.json")));
+    expect(frame).toContain('3 |     "bad": {');
   });
 
   it("renders progress view while scanning", () => {
