Add comprehensive security regression test suite

[Copilot]

• Understand the issue requirements - create comprehensive security regression test suite
• Explore existing test patterns (expression_parser_fuzz_test.go, threat_detection_test.go, expression_safety_test.go)
• Create pkg/workflow/security_regression_test.go - injection, DoS, auth tests
• Create pkg/workflow/security_fuzz_test.go - fuzz tests for YAML parsing, template rendering
• Create pkg/cli/security_regression_test.go - CLI command injection, file path sanitization
• Add test-security target to Makefile
• Update specs/testing.md with security testing strategy
• Add security job in CI workflow that runs make test-security with needs: [test]
• Run tests to verify all pass
• Run code review and address feedback
• Run CodeQL security scan - no vulnerabilities found
• Run format and lint checks

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Create comprehensive security regression test suite</issue_title>
<issue_description>## Objective

Develop a comprehensive security regression test suite covering injection attacks, authentication bypass, DoS scenarios, and supply chain vulnerabilities to ensure security fixes remain effective over time.

Context

The repository has 30 security/validation test files with 557 validation patterns, but lacks dedicated security regression tests. Need to add tests for injection prevention, DoS scenarios, fuzzing, and end-to-end security validation.

Approach

1. Create pkg/workflow/security_regression_test.go:

   // Injection attack prevention tests
   func TestSecurityTemplateInjectionPrevention(t *testing.T) { }
   func TestSecurityCommandInjectionPrevention(t *testing.T) { }
   func TestSecurityXSSPrevention(t *testing.T) { }
   func TestSecurityYAMLInjectionPrevention(t *testing.T) { }
   
   // DoS prevention tests
   func TestSecurityDoSViaLargeInputs(t *testing.T) { }
   func TestSecurityDoSViaNestedYAML(t *testing.T) { }
   func TestSecurityBillionLaughsAttack(t *testing.T) { }
   
   // Authentication/authorization tests
   func TestSecurityUnauthorizedAccess(t *testing.T) { }
   func TestSecurityTokenLeakage(t *testing.T) { }

2. Create pkg/workflow/security_fuzz_test.go:

   • Fuzz test input validation functions
   • Fuzz test YAML parsing
   • Fuzz test template rendering
   • Use Go's built-in fuzzing support

3. Add end-to-end security tests:

   • Compile malicious workflow attempts
   • Verify safe-output system blocks unsafe operations
   • Test network isolation enforcement
   • Test path traversal prevention

4. Create pkg/cli/security_regression_test.go:

   • Test CLI command injection prevention
   • Test file path sanitization
   • Test unsafe flag combinations

5. Integrate tests into Makefile:

   .PHONY: test-security
   test-security:
       go test -v -tags=security ./pkg/workflow/... ./pkg/cli/...

6. Update specs/testing.md: Document security testing strategy and patterns

7. Add CI/CD job for security regression tests (can be part of existing test workflow)

Files to Create/Modify

• Create: pkg/workflow/security_regression_test.go
• Create: pkg/workflow/security_fuzz_test.go
• Create: pkg/cli/security_regression_test.go
• Modify: Makefile (add test-security target)
• Modify: specs/testing.md (document security testing)
• Modify: .github/workflows/test.yml (add security test job if needed)

Acceptance Criteria

• Security regression tests created covering injection, DoS, auth scenarios
• Fuzz tests added for input validation and parsing functions
• End-to-end security tests verify safe-output system effectiveness
• YAML billion laughs attack prevention tested
• make test-security target added and working
• Security tests integrated into make test and CI/CD
• specs/testing.md updated with security testing strategy
• Tests follow existing patterns from the 30 validation test files
• Tests are deterministic and fast (no flaky tests)
• All tests pass in CI/CD

Priority

Medium - Important for long-term security assurance but can be implemented after immediate security gaps are closed
Related to #5537

AI generated by Plan Command for discussion #5535

Comments on the Issue (you are @copilot in this section)

• Fixes [plan] Create comprehensive security regression test suite #5542

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

@copilot add job in ci.yml that runs security test suite, needs test

[Copilot]

@copilot add job in ci.yml that runs security test suite, needs test

Added security job to .github/workflows/ci.yml that runs make test-security with needs: [test] dependency (009490e).

[pelikhan]

@copilot format and lint

[Copilot]

@copilot format and lint

Fixed lint error (empty block in TestSecurityCLIUnsafeFlagCombinations) and verified make fmt and make lint both pass (0ce4bd7).