aaronrene / knowtation public
mcp-image-resources.test.mjs
104 lines 3.6 KB
Raw
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd feat(calendar): enforce agent context tiers in retrieval AP… Human minor ⚠ breaking 1 day ago
1 /**
2 * Tests for Phase 18A: MCP Image Resources — image-fetch.mjs security + resource registration.
3 */
4 import { describe, it, mock, beforeEach, afterEach } from 'node:test';
5 import assert from 'node:assert';
6
7 describe('fetchImageAsBase64', () => {
8 it('rejects non-https URLs', async () => {
9 const { fetchImageAsBase64 } = await import('../mcp/resources/image-fetch.mjs');
10 await assert.rejects(
11 () => fetchImageAsBase64('http://example.com/img.png'),
12 /https:\/\//,
13 );
14 });
15
16 it('rejects data: URIs', async () => {
17 const { fetchImageAsBase64 } = await import('../mcp/resources/image-fetch.mjs');
18 await assert.rejects(
19 () => fetchImageAsBase64('data:image/png;base64,abc'),
20 /https:\/\//,
21 );
22 });
23
24 it('rejects javascript: URIs', async () => {
25 const { fetchImageAsBase64 } = await import('../mcp/resources/image-fetch.mjs');
26 await assert.rejects(
27 () => fetchImageAsBase64('javascript:alert(1)'),
28 /https:\/\//,
29 );
30 });
31
32 it('rejects file: URIs', async () => {
33 const { fetchImageAsBase64 } = await import('../mcp/resources/image-fetch.mjs');
34 await assert.rejects(
35 () => fetchImageAsBase64('file:///etc/passwd'),
36 /https:\/\//,
37 );
38 });
39
40 it('rejects localhost', async () => {
41 const { fetchImageAsBase64 } = await import('../mcp/resources/image-fetch.mjs');
42 await assert.rejects(
43 () => fetchImageAsBase64('https://localhost/img.png'),
44 /localhost.*blocked/i,
45 );
46 });
47
48 it('rejects URLs with empty string', async () => {
49 const { fetchImageAsBase64 } = await import('../mcp/resources/image-fetch.mjs');
50 await assert.rejects(
51 () => fetchImageAsBase64(''),
52 /https:\/\//,
53 );
54 });
55
56 it('rejects null/undefined', async () => {
57 const { fetchImageAsBase64 } = await import('../mcp/resources/image-fetch.mjs');
58 await assert.rejects(() => fetchImageAsBase64(null));
59 await assert.rejects(() => fetchImageAsBase64(undefined));
60 });
61 });
62
63 describe('extractImageUrls used in resource context', () => {
64 it('extracts correct structure for resource listing', async () => {
65 const { extractImageUrls } = await import('../lib/media-url-extract.mjs');
66 const body = '![Screenshot](https://example.com/screen.png)\nSome text\n![Logo](https://example.com/logo.jpg)';
67 const images = extractImageUrls(body);
68 assert.strictEqual(images.length, 2);
69 assert.strictEqual(images[0].alt, 'Screenshot');
70 assert.strictEqual(images[0].mimeType, 'image/png');
71 assert.strictEqual(images[1].alt, 'Logo');
72 assert.strictEqual(images[1].mimeType, 'image/jpeg');
73
74 for (const img of images) {
75 assert.ok(img.url.startsWith('https://'));
76 assert.ok(typeof img.mimeType === 'string');
77 assert.ok(typeof img.alt === 'string');
78 }
79 });
80
81 it('resource URI format is correct', () => {
82 const notePath = 'inbox/my-note.md';
83 const index = 0;
84 const uri = `knowtation://vault/${notePath}/image/${index}`;
85 assert.strictEqual(uri, 'knowtation://vault/inbox/my-note.md/image/0');
86 });
87
88 it('index out of range is detectable', async () => {
89 const { extractImageUrls } = await import('../lib/media-url-extract.mjs');
90 const body = '![a](https://ex.com/a.png)';
91 const images = extractImageUrls(body);
92 assert.strictEqual(images.length, 1);
93 const oobIndex = 5;
94 assert.ok(oobIndex >= images.length, 'Index should be out of range');
95 });
96 });
97
98 describe('SSRF protection constants', () => {
99 it('private IP patterns reject common ranges', async () => {
100 const mod = await import('../mcp/resources/image-fetch.mjs');
101 assert.ok(mod.DEFAULT_MAX_BYTES > 0);
102 assert.ok(mod.DEFAULT_TIMEOUT_MS > 0);
103 });
104 });
File History 2 commits
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd feat(calendar): enforce agent context tiers in retrieval AP… Human minor 1 day ago
sha256:9103f98c89257ed2b01c237cea895dabb3e85ea337dccb1161c175e4422355b6 docs: accept Calendar Events v0 spec with Phase 0 security … Human 2 days ago