test: add comprehensive test coverage for input validation handlers

jpoehnelt-bot · jpoehnelt-bot · commit 4a9be9b1df32 · 2026-03-03T17:25:25.000-07:00
diff --git a/src/helpers/events/mod.rs b/src/helpers/events/mod.rs
@@ -49,6 +49,7 @@ impl std::fmt::Display for SubscriptionName {
     }
 }
 
+#[allow(dead_code)]
 #[derive(Debug, Clone, Builder)]
 #[builder(setter(into))]
 pub struct SubscribeConfig {
diff --git a/src/helpers/events/subscribe.rs b/src/helpers/events/subscribe.rs
@@ -1,5 +1,30 @@
 use super::*;
 
+#[derive(Debug, Clone, Default, Builder)]
+#[builder(setter(into))]
+pub struct SubscribeConfig {
+    #[builder(default)]
+    target: Option<String>,
+    #[builder(default)]
+    event_types: Vec<String>,
+    #[builder(default)]
+    project: Option<ProjectId>,
+    #[builder(default)]
+    subscription: Option<SubscriptionName>,
+    #[builder(default = "10")]
+    max_messages: u32,
+    #[builder(default = "2")]
+    poll_interval: u64,
+    #[builder(default)]
+    once: bool,
+    #[builder(default)]
+    cleanup: bool,
+    #[builder(default)]
+    no_ack: bool,
+    #[builder(default)]
+    output_dir: Option<String>,
+}
+
 fn parse_subscribe_args(matches: &ArgMatches) -> Result<SubscribeConfig, GwsError> {
     let mut builder = SubscribeConfigBuilder::default();
 
@@ -97,7 +122,9 @@ pub(super) async fn handle_subscribe(
         } else {
             // Full setup: create Pub/Sub topic + subscription + Workspace Events subscription
             let target = config.target.clone().unwrap();
-            let project = config.project.clone().unwrap().0;
+            let project =
+                crate::helpers::validate_resource_name(&config.project.clone().unwrap().0)?
+                    .to_string();
             let event_types_str: Vec<&str> =
                 config.event_types.iter().map(|s| s.as_str()).collect();
 
@@ -515,6 +542,15 @@ mod tests {
         cmd.try_get_matches_from(args).unwrap()
     }
 
+    #[test]
+    fn test_parse_subscribe_args_invalid_output_dir() {
+        let matches = make_matches_subscribe(&["test", "--output-dir", "../../etc"]);
+        let result = parse_subscribe_args(&matches);
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("outside the current directory"));
+    }
+
     #[test]
     fn test_parse_subscribe_args() {
         let matches = make_matches_subscribe(&[
diff --git a/src/helpers/gmail/watch.rs b/src/helpers/gmail/watch.rs
@@ -37,8 +37,9 @@ pub(super) async fn handle_watch(
 
         let suffix = format!("{:08x}", rand::random::<u32>());
         let topic = if let Some(ref t) = config.topic {
-            t.clone()
+            crate::helpers::validate_resource_name(t)?.to_string()
         } else {
+            let project = crate::helpers::validate_resource_name(&project)?;
             let t = format!("projects/{project}/topics/gws-gmail-watch-{suffix}");
             // Create Pub/Sub topic
             eprintln!("Creating Pub/Sub topic: {t}");
@@ -97,6 +98,7 @@ pub(super) async fn handle_watch(
             t
         };
 
+        let project = crate::helpers::validate_resource_name(&project)?;
         let sub = format!("projects/{project}/subscriptions/gws-gmail-watch-{suffix}");
 
         // 3. Create Pub/Sub subscription
@@ -499,7 +501,7 @@ fn extract_message_ids_from_history(history_body: &Value) -> Vec<String> {
     result
 }
 
-#[derive(Clone)]
+#[derive(Debug, Clone)]
 struct WatchConfig {
     project: Option<String>,
     subscription: Option<String>,
@@ -630,7 +632,25 @@ mod tests {
     }
 
     #[test]
-    fn test_parse_watch_args() {
+    fn test_parse_watch_args_invalid_format() {
+        let matches = make_matches_watch(&["test", "--msg-format", "invalid-format"]);
+        let result = parse_watch_args(&matches);
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("Invalid message format"));
+    }
+
+    #[test]
+    fn test_parse_watch_args_invalid_output_dir() {
+        let matches = make_matches_watch(&["test", "--output-dir", "../../etc"]);
+        let result = parse_watch_args(&matches);
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("outside the current directory"));
+    }
+
+    #[test]
+    fn test_parse_watch_args_full() {
         let matches = make_matches_watch(&[
             "test",
             "--project",
diff --git a/src/helpers/workflows.rs b/src/helpers/workflows.rs
@@ -719,4 +719,61 @@ mod tests {
     fn test_helper_only() {
         assert!(WorkflowHelper.helper_only());
     }
+
+    #[test]
+    fn test_epoch_to_rfc3339() {
+        assert_eq!(epoch_to_rfc3339(0), "1970-01-01T00:00:00+00:00");
+        assert_eq!(epoch_to_rfc3339(1710000000), "2024-03-09T16:00:00+00:00");
+    }
+
+    #[test]
+    fn test_build_standup_report_cmd() {
+        let cmd = build_standup_report_cmd();
+        assert_eq!(cmd.get_name(), "+standup-report");
+    }
+
+    #[test]
+    fn test_build_meeting_prep_cmd() {
+        let cmd = build_meeting_prep_cmd();
+        assert_eq!(cmd.get_name(), "+meeting-prep");
+    }
+
+    #[test]
+    fn test_build_email_to_task_cmd() {
+        let cmd = build_email_to_task_cmd();
+        assert_eq!(cmd.get_name(), "+email-to-task");
+
+        // message-id is required
+        let args = cmd
+            .clone()
+            .try_get_matches_from(vec!["+email-to-task", "--message-id", "123"]);
+        assert!(args.is_ok());
+
+        let args_err = cmd.try_get_matches_from(vec!["+email-to-task"]);
+        assert!(args_err.is_err());
+    }
+
+    #[test]
+    fn test_build_weekly_digest_cmd() {
+        let cmd = build_weekly_digest_cmd();
+        assert_eq!(cmd.get_name(), "+weekly-digest");
+    }
+
+    #[test]
+    fn test_build_file_announce_cmd() {
+        let cmd = build_file_announce_cmd();
+        assert_eq!(cmd.get_name(), "+file-announce");
+
+        let args = cmd.clone().try_get_matches_from(vec![
+            "+file-announce",
+            "--file-id",
+            "123",
+            "--space",
+            "spaces/test",
+        ]);
+        assert!(args.is_ok());
+
+        let args_err = cmd.try_get_matches_from(vec!["+file-announce"]);
+        assert!(args_err.is_err());
+    }
 }
diff --git a/src/validate.rs b/src/validate.rs
@@ -243,6 +243,35 @@ mod tests {
         assert!(result.is_ok(), "expected Ok, got: {result:?}");
     }
 
+    #[test]
+    #[serial]
+    fn test_output_dir_rejects_symlink_traversal() {
+        let dir = tempdir().unwrap();
+        let canonical_dir = dir.path().canonicalize().unwrap();
+
+        // Create a directory inside the tempdir
+        let allowed_dir = canonical_dir.join("allowed");
+        fs::create_dir(&allowed_dir).unwrap();
+
+        // Create a symlink pointing OUTSIDE the tempdir (e.g. to /tmp)
+        let symlink_path = canonical_dir.join("sneaky_link");
+        #[cfg(unix)]
+        std::os::unix::fs::symlink("/tmp", &symlink_path).unwrap();
+        #[cfg(windows)]
+        return; // Skip on Windows due to privilege requirements for symlinks
+
+        let saved_cwd = std::env::current_dir().unwrap();
+        std::env::set_current_dir(&canonical_dir).unwrap();
+
+        // Try to validate the symlink resolving outside CWD
+        let result = validate_safe_output_dir("sneaky_link");
+        std::env::set_current_dir(&saved_cwd).unwrap();
+
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("outside the current directory"), "got: {msg}");
+    }
+
     #[test]
     #[serial]
     fn test_output_dir_rejects_traversal() {

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ impl std::fmt::Display for SubscriptionName {`
`49`	`49`	`}`
`50`	`50`	`}`
`51`	`51`
	`52`	`+#[allow(dead_code)]`
`52`	`53`	`#[derive(Debug, Clone, Builder)]`
`53`	`54`	`#[builder(setter(into))]`
`54`	`55`	`pub struct SubscribeConfig {`