Sabo/webui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c1dcd735027b69ef8c7db382c5be1b7296b95b09
webui/tests/test_sprint23.py
Nathan Esquenazi c1dcd73502 fix: security, correctness, and test hardening from review 
- routes.py: reject glob wildcards (* ? [ ]) in skill name param to
  prevent rglob wildcard injection when serving linked files
- panels.js: replace inline onclick+esc() with data-* attributes and
  addEventListener for skill tag removal and linked-file clicks;
  esc() is HTML-safe but not JS-safe -- apostrophes in names caused
  JS syntax errors and _cronSelectedSkills array corruption
- ui.js: fix _fmtTokens(null/undefined) returning 'null'/'undefined'
  by guarding with (!n||n<0) -> '0'; add data-role attribute to msg-row
  elements so usage badge correctly targets the last assistant row
  instead of the last row regardless of speaker
- tests: rename test_sprint24.py -> test_sprint23.py (wrong sprint #);
  add 3 new tests: path traversal rejection, wildcard name rejection,
  cron create with skills; strengthen existing tests to assert field
  presence explicitly (was using .get(field, 0)==0 which never caught
  a missing field)
2026-04-03 19:11:36 -07:00

194 lines
7.9 KiB
Python
Raw Blame History

"""
Sprint 23 Tests: agentic transparency — token/cost display, session usage fields,
subagent card names, skill picker in cron, skill linked files.
"""
import json, urllib.error, urllib.request
BASE = "http://127.0.0.1:8788"
def get(path):
with urllib.request.urlopen(BASE + path, timeout=10) as r:
return json.loads(r.read()), r.status
def post(path, body=None):
data = json.dumps(body or {}).encode()
req = urllib.request.Request(BASE + path, data=data,
headers={"Content-Type": "application/json"})
try:
with urllib.request.urlopen(req, timeout=10) as r:
return json.loads(r.read()), r.status
except urllib.error.HTTPError as e:
return json.loads(e.read()), e.code
def make_session(created_list):
d, _ = post("/api/session/new", {})
sid = d["session"]["session_id"]
created_list.append(sid)
return sid, d["session"]
# ── Session usage fields ─────────────────────────────────────────────────
def test_new_session_has_usage_fields():
"""New session should include input_tokens, output_tokens, estimated_cost."""
created = []
try:
sid, sess = make_session(created)
post("/api/session/rename", {"session_id": sid, "title": "Usage Test"})
d, status = get(f"/api/session?session_id={sid}")
assert status == 200
sess = d["session"]
assert "input_tokens" in sess, "input_tokens field missing from session"
assert "output_tokens" in sess, "output_tokens field missing from session"
assert "estimated_cost" in sess, "estimated_cost field missing from session"
assert sess["input_tokens"] == 0
assert sess["output_tokens"] == 0
finally:
for s in created:
post("/api/session/delete", {"session_id": s})
def test_session_compact_has_usage_fields():
"""Session list should include usage fields in compact form."""
created = []
try:
sid, _ = make_session(created)
post("/api/session/rename", {"session_id": sid, "title": "Compact Usage"})
d, status = get("/api/sessions")
assert status == 200
match = [s for s in d["sessions"] if s["session_id"] == sid]
assert len(match) == 1
assert "input_tokens" in match[0], "input_tokens missing from session list"
assert "output_tokens" in match[0], "output_tokens missing from session list"
assert match[0]["input_tokens"] == 0
assert match[0]["output_tokens"] == 0
finally:
for s in created:
post("/api/session/delete", {"session_id": s})
def test_session_usage_defaults_zero():
"""New session usage fields should default to 0/None in creation response."""
created = []
try:
sid, sess = make_session(created)
assert "input_tokens" in sess, "input_tokens missing from new session response"
assert "output_tokens" in sess, "output_tokens missing from new session response"
assert sess["input_tokens"] == 0
assert sess["output_tokens"] == 0
finally:
for s in created:
post("/api/session/delete", {"session_id": s})
# ── Skills content linked_files ──────────────────────────────────────────
def test_skills_content_requires_name():
"""GET /api/skills/content without name should return 400."""
try:
d, status = get("/api/skills/content")
assert status == 400, f"Expected 400 for missing name, got {status}"
except urllib.error.HTTPError as e:
assert e.code == 400, f"Expected 400 for missing name, got {e.code}"
def test_skills_content_has_linked_files_key():
"""GET /api/skills/content should always return a linked_files key."""
try:
d, status = get("/api/skills")
if not d.get("skills"):
return # no skills in test env, skip
name = d["skills"][0]["name"]
d2, status2 = get(f"/api/skills/content?name={name}")
assert status2 == 200
assert "linked_files" in d2, "linked_files key missing from skills/content response"
# linked_files must be a dict (possibly empty), not None
assert isinstance(d2["linked_files"], dict), "linked_files must be a dict"
except urllib.error.HTTPError:
pass # skills module unavailable in this env
def test_skills_content_file_path_traversal_rejected():
"""GET /api/skills/content with traversal path should be rejected."""
try:
d, status = get("/api/skills")
if not d.get("skills"):
return # no skills in test env, skip
name = d["skills"][0]["name"]
# Attempt path traversal via file param
import urllib.parse
traversal = urllib.parse.quote("../../etc/passwd", safe="")
try:
d2, status2 = get(f"/api/skills/content?name={name}&file={traversal}")
assert status2 in (400, 404), f"Path traversal should be rejected, got {status2}"
except urllib.error.HTTPError as e:
assert e.code in (400, 404), f"Path traversal should be rejected, got {e.code}"
except urllib.error.HTTPError:
pass
def test_skills_content_wildcard_name_rejected():
"""GET /api/skills/content with glob wildcard in name should be rejected when file param present."""
try:
try:
d2, status2 = get("/api/skills/content?name=*&file=SKILL.md")
assert status2 == 400, f"Wildcard name should return 400, got {status2}"
except urllib.error.HTTPError as e:
assert e.code in (400, 404), f"Wildcard name should be rejected, got {e.code}"
except Exception:
pass
# ── Cron create with skills ───────────────────────────────────────────────
def test_cron_create_accepts_skills():
"""POST /api/crons/create should accept and store a skills array."""
created_jobs = []
try:
body = {
"name": "test-sprint23-skills",
"schedule": "0 9 * * *",
"prompt": "test prompt",
"deliver": "local",
"skills": ["some-skill"]
}
d, status = post("/api/crons/create", body)
assert status == 200, f"Expected 200 from cron create, got {status}: {d}"
assert d.get("ok"), f"Cron create did not return ok: {d}"
job_id = d.get("job", {}).get("id") or d.get("id")
if job_id:
created_jobs.append(job_id)
# Verify job appears in list
jobs_d, _ = get("/api/crons")
job = next((j for j in jobs_d.get("jobs", []) if j.get("name") == "test-sprint23-skills"), None)
assert job is not None, "Created cron job not found in job list"
assert job.get("skills") == ["some-skill"] or job.get("skill") == "some-skill", \
f"skills not stored on job: {job}"
finally:
for jid in created_jobs:
post("/api/crons/delete", {"id": jid})
# Also cleanup by name if ID unavailable
jobs_d, _ = get("/api/crons")
for j in jobs_d.get("jobs", []):
if j.get("name") == "test-sprint23-skills":
post("/api/crons/delete", {"id": j["id"]})
# ── Tool call integrity ──────────────────────────────────────────────────
def test_tool_calls_have_real_names():
"""Tool calls in session JSON should not have unresolved 'tool' name."""
created = []
try:
sid, _ = make_session(created)
d, status = get(f"/api/session?session_id={sid}")
assert status == 200
for tc in d["session"].get("tool_calls", []):
assert tc.get("name") not in ("tool", "", None), f"Unresolved tool name: {tc}"
finally:
for s in created:
post("/api/session/delete", {"session_id": s})
Reference in New Issue View Git Blame Copy Permalink