package service import ( "os" "path/filepath" "testing" ) func TestConversationServiceAllowsNestedProjectPaths(t *testing.T) { root := t.TempDir() projectDir := filepath.Join(root, "team", "app") if err := os.MkdirAll(projectDir, 0o755); err != nil { t.Fatalf("MkdirAll() error = %v", err) } sessionPath := filepath.Join(projectDir, "session.jsonl") if err := os.WriteFile(sessionPath, []byte( `{"timestamp":"2026-03-19T12:00:00Z","type":"user","message":"hello"}`+"\n"+ `{"timestamp":"2026-03-19T12:00:01Z","type":"assistant","message":{"model":"claude-opus-4-6","role":"assistant","content":[{"type":"text","text":"hi"}]}}`+"\n", ), 0o600); err != nil { t.Fatalf("WriteFile() error = %v", err) } svc := &conversationService{claudeProjectsPath: root} conversation, err := svc.GetConversation("team/app", "session") if err != nil { t.Fatalf("GetConversation() error = %v", err) } if conversation.SessionID != "session" { t.Fatalf("expected session ID %q, got %q", "session", conversation.SessionID) } if conversation.ProjectPath != "team/app" { t.Fatalf("expected project path %q, got %q", "team/app", conversation.ProjectPath) } if len(conversation.Messages) != 2 { t.Fatalf("expected 2 messages, got %d", len(conversation.Messages)) } if conversation.Model != "claude-opus-4-6" { t.Fatalf("expected model %q, got %q", "claude-opus-4-6", conversation.Model) } conversations, err := svc.GetConversationsByProject("team/app") if err != nil { t.Fatalf("GetConversationsByProject() error = %v", err) } if len(conversations) != 1 { t.Fatalf("expected 1 conversation, got %d", len(conversations)) } } func TestConversationServiceRejectsTraversalPaths(t *testing.T) { root := t.TempDir() projectDir := filepath.Join(root, "team", "app") if err := os.MkdirAll(projectDir, 0o755); err != nil { t.Fatalf("MkdirAll() error = %v", err) } sessionPath := filepath.Join(projectDir, "session.jsonl") if err := os.WriteFile(sessionPath, []byte(`{"timestamp":"2026-03-19T12:00:00Z","type":"user","message":"hello"}`+"\n"), 0o600); err != nil { t.Fatalf("WriteFile() error = %v", err) } svc := &conversationService{claudeProjectsPath: root} if _, err := svc.GetConversation("../outside", "session"); err == nil { t.Fatal("expected traversal project path to be rejected") } if _, err := svc.GetConversation("team/app", "../session"); err == nil { t.Fatal("expected traversal session ID to be rejected") } if _, err := svc.GetConversationsByProject("../../outside"); err == nil { t.Fatal("expected traversal project listing to be rejected") } } func TestConversationServiceRejectsSymlinkEscapes(t *testing.T) { root := t.TempDir() projectDir := filepath.Join(root, "team") if err := os.MkdirAll(projectDir, 0o755); err != nil { t.Fatalf("MkdirAll() error = %v", err) } outsideDir := filepath.Join(t.TempDir(), "outside") if err := os.MkdirAll(outsideDir, 0o755); err != nil { t.Fatalf("MkdirAll() error = %v", err) } if err := os.WriteFile(filepath.Join(outsideDir, "session.jsonl"), []byte(`{"timestamp":"2026-03-19T12:00:00Z","type":"user","message":"hello"}`+"\n"), 0o600); err != nil { t.Fatalf("WriteFile() error = %v", err) } linkPath := filepath.Join(projectDir, "app") if err := os.Symlink(outsideDir, linkPath); err != nil { t.Skipf("symlink not supported in this environment: %v", err) } svc := &conversationService{claudeProjectsPath: root} if _, err := svc.GetConversation("team/app", "session"); err == nil { t.Fatal("expected symlink escape to be rejected") } if _, err := svc.GetConversationsByProject("team/app"); err == nil { t.Fatal("expected symlink project listing to be rejected") } }