fix(test): address review feedback for S3 CRLF injection tests

- Use Bun's async toThrow pattern (await expect(async () => { ... })) instead of Jest-style .rejects.toThrow for write() rejection tests - Replace try/finally + manual server.stop() with `using` for deterministic resource cleanup and remove Bun.sleep(200) delay - Replace secret-like credential strings with clearly fake placeholders (FAKE_ACCESS_KEY / FAKE_SECRET) to avoid gitleaks triggers Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-17 14:22:01 +00:00 · 2026-02-12 05:16:15 +00:00
parent f2ff72116c
commit 6c95487fee
1 changed files with 25 additions and 30 deletions
--- a/test/js/bun/s3/s3-crlf-injection.test.ts
+++ b/test/js/bun/s3/s3-crlf-injection.test.ts
@@ -6,8 +6,8 @@ import { describe, expect, it } from "bun:test";

 describe("S3 - CRLF Header Injection Prevention", () => {
  const baseOptions = {
-    accessKeyId: "test",
-    secretAccessKey: "test",
+    accessKeyId: "FAKE_ACCESS_KEY",
+    secretAccessKey: "FAKE_SECRET",
    endpoint: "http://127.0.0.1:1234",
    bucket: "test",
  };
@@ -150,21 +150,23 @@ describe("S3 - CRLF Header Injection Prevention", () => {
    it("should reject CRLF in contentDisposition on write()", async () => {
      const client = new S3Client(baseOptions);
      const file = client.file("test-key");
-      expect(file.write("data", { contentDisposition: "attachment\r\nX-Injected: true" })).rejects.toThrow(
-        /contentDisposition/,
-      );
+      await expect(async () => {
+        await file.write("data", { contentDisposition: "attachment\r\nX-Injected: true" });
+      }).toThrow(/contentDisposition/);
    });

    it("should reject CRLF in contentEncoding on write()", async () => {
      const client = new S3Client(baseOptions);
      const file = client.file("test-key");
-      expect(file.write("data", { contentEncoding: "gzip\r\nX-Injected: true" })).rejects.toThrow(/contentEncoding/);
+      await expect(async () => {
+        await file.write("data", { contentEncoding: "gzip\r\nX-Injected: true" });
+      }).toThrow(/contentEncoding/);
    });
  });

  it("CRLF in contentDisposition should not reach the wire", async () => {
    const requests: string[] = [];
-    const server = Bun.listen({
+    using server = Bun.listen({
      hostname: "127.0.0.1",
      port: 0,
      socket: {
@@ -179,32 +181,25 @@ describe("S3 - CRLF Header Injection Prevention", () => {
      },
    });

+    const client = new S3Client({
+      accessKeyId: "FAKE_ACCESS_KEY",
+      secretAccessKey: "FAKE_SECRET",
+      endpoint: `http://127.0.0.1:${server.port}`,
+      bucket: "test",
+    });
+
+    const file = client.file("test-key");
    try {
-      const client = new S3Client({
-        accessKeyId: "test",
-        secretAccessKey: "testsecret1234567890123456789012",
-        endpoint: `http://127.0.0.1:${server.port}`,
-        bucket: "test",
+      await file.write("test-data", {
+        contentDisposition: "attachment; filename=report.pdf\r\nX-Injected: true",
      });
+    } catch {
+      // Expected to throw
+    }

-      const file = client.file("test-key");
-      try {
-        await file.write("test-data", {
-          contentDisposition: "attachment; filename=report.pdf\r\nX-Injected: true",
-        });
-      } catch {
-        // Expected to throw
-      }
-
-      // Give a moment for any request to arrive
-      await Bun.sleep(200);
-
-      // Verify no injected header made it to the wire
-      for (const req of requests) {
-        expect(req).not.toContain("X-Injected");
-      }
-    } finally {
-      server.stop();
+    // Verify no injected header made it to the wire
+    for (const req of requests) {
+      expect(req).not.toContain("X-Injected");
    }
  });
 });