More windows test fixes

library/sinks/BetterSQLite3.test.ts

@@ -2,6 +2,7 @@ import * as t from "tap";
 import { runWithContext, type Context } from "../agent/Context";
 import { BetterSQLite3 } from "./BetterSQLite3";
 import { createTestAgent } from "../helpers/createTestAgent";
+import { tmpdir } from "node:os";
 
 const dangerousContext: Context = {
   remoteAddress: "::1",
@@ -118,10 +119,10 @@ t.test("it detects SQL injections", async (t) => {
           "Zen has blocked a path traversal attack: better-sqlite3.backup(...) originating from body.myTitle"
         );
       }
-      await db.backup("/tmp/sqlite-test-secure");
+      await db.backup(`${tmpdir()}/sqlite-test-secure`);
     });
 
-    await db.backup("/tmp/sqlite-test-secure-2");
+    await db.backup(`${tmpdir()}/sqlite-test-secure-2`);
 
     try {
       await db.backup();

library/sinks/ChildProcess.test.ts

@@ -3,6 +3,8 @@ import { Context, runWithContext } from "../agent/Context";
 import { ChildProcess } from "./ChildProcess";
 import { execFile, execFileSync } from "child_process";
 import { createTestAgent } from "../helpers/createTestAgent";
+import { join } from "path";
+import { isWindows } from "../helpers/isWindows";
 
 const unsafeContext: Context = {
   remoteAddress: "::1",
@@ -71,19 +73,27 @@ t.test("it works", async (t) => {
   });
 
   const runSafeCommands = () => {
-    exec("ls", (err, stdout, stderr) => {}).unref();
-    execSync("ls");
+    if (!isWindows) {
+      exec("ls", (err, stdout, stderr) => {}).unref();
+      execSync("ls");
 
-    spawn("ls", ["-la"], {}).unref();
-    spawnSync("ls", ["-la"], {});
+      spawn("ls", ["-la"], {}).unref();
+      spawnSync("ls", ["-la"], {});
 
-    spawn("ls", ["-la"], { shell: false }).unref();
-    spawnSync("ls", ["-la"], { shell: false });
+      spawn("ls", ["-la"], { shell: false }).unref();
+      spawnSync("ls", ["-la"], { shell: false });
 
-    execFile("ls", ["-la"], {}, (err, stdout, stderr) => {}).unref();
-    execFileSync("ls", ["-la"], {});
+      execFile("ls", ["-la"], {}, (err, stdout, stderr) => {}).unref();
+      execFileSync("ls", ["-la"], {});
+    } else {
+      exec("dir", (err, stdout, stderr) => {}).unref();
+      execSync("dir");
 
-    fork("./fixtures/helloWorld.js").unref();
+      spawn("dir", [], { shell: true }).unref();
+      spawnSync("dir", [], { shell: true });
+    }
+
+    fork(join(__dirname, "fixtures/helloWorld.js")).unref();
   };
 
   runSafeCommands();

library/sources/Fastify.test.ts

@@ -409,7 +409,7 @@ t.test(
   },
   async (t) => {
     const app = getApp();
-    await app.listen({ port: 4123 });
+    await app.listen({ port: 4123, host: "127.0.0.1" });
     await app.ready();
 
     const response = await fetch("http://127.0.0.1:4123/blocked-user");

library/sources/HTTPServer.test.ts

@@ -14,6 +14,7 @@ import { mkdtemp, writeFile, unlink } from "fs/promises";
 import { exec } from "child_process";
 import { promisify } from "util";
 const execAsync = promisify(exec);
+import { tmpdir } from "node:os";
 
 // Before require("http")
 const api = new ReportingAPIForTesting({
@@ -385,7 +386,7 @@ async function sendUsingCurl({
     .map(([key, value]) => `-H "${key}: ${value}"`)
     .join(" ");
 
-  const tmpDir = await mkdtemp("/tmp/aikido-");
+  const tmpDir = await mkdtemp(join(tmpdir(), "aikido-"));
   const tmpFile = join(tmpDir, "/body.json");
   await writeFile(tmpFile, body, { encoding: "utf-8" });
 

library/vulnerabilities/path-traversal/detectPathTraversal.ts

@@ -21,8 +21,6 @@ export function detectPathTraversal(
   // Also /./ is checked by normal absolute path traversal check (if #219 is merged)
   if (isUrl && containsUnsafePathParts(userInput)) {
     const filePathFromUrl = parseAsFileUrl(userInput);
-    console.log("filePathFromUrl", filePathFromUrl);
-    console.log("filePath", filePath);
     if (filePathFromUrl && filePath.includes(filePathFromUrl)) {
       return true;
     }