Summary
The unit lane currently fails in pkg/eos_postgres on FuzzEnvironmentDSN/seed#6, which treats an invalid control-character URL parse error as a possible command-injection failure.
Evidence
- npm run ci:unit --silent fails in pkg/eos_postgres.
- The failing seed reports: Possible command injection in DSN handling: cannot parse ... invalid control character in URL.
- The observed behavior is a parser rejection, not command execution.
Why this matters
- It is an unrelated blocker for the #291-#294 patch set.
- It weakens trust in the fuzz suite by producing false positives instead of actionable security findings.
Proposed work
- Revisit the fuzz oracle in postgres_fuzz_test.go and distinguish parser rejection from actual execution or interpolation.
- Add regression tests for newline/control-character DSNs and shell-metacharacter DSNs.
- Ensure the failure condition is tied to observable dangerous behavior, not just the presence of suspicious input.
- Keep the seed corpus so future regressions remain reproducible.
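The distinction the proposed oracle needs is between an input the DSN parser refuses (expected, not a finding) and DSN bytes that observably reach a shell command line (a real finding). The Go example below is added here to illustrate that oracle shape; it is not code from postgres_fuzz_test.go or from this repository. ValidateDSN, BuildExecArgv, BuildShellArgv, ReachedShell and Oracle are hypothetical names, and the sample DSNs are constructed, modelled on the failing control-character seed and on a shell-metacharacter DSN. net/url itself returns the "invalid control character in URL" error the seed trips over.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Outcome is what the fuzz oracle records for one DSN input.
type Outcome int

const (
	OutcomeRejected Outcome = iota // parser refused the input: expected, not a finding
	OutcomeAccepted                // DSN parsed and stayed a single argv element
	OutcomeUnsafe                  // DSN bytes were spliced into a shell command line: a real finding
)

// shellMeta lists bytes a POSIX shell would interpret if the DSN were spliced into a command string.
const shellMeta = ";|&$`\n"

// ValidateDSN is a hypothetical strict parser standing in for the project's own DSN handling.
// net/url already refuses ASCII control characters; we additionally require a postgres scheme and a host.
func ValidateDSN(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("cannot parse DSN: %w", err)
	}
	if u.Scheme != "postgres" && u.Scheme != "postgresql" {
		return nil, errors.New("unsupported scheme")
	}
	if u.Host == "" {
		return nil, errors.New("missing host")
	}
	return u, nil
}

// BuildExecArgv is the safe invocation shape: the DSN is one argv element handed to
// exec.Command, so no shell ever re-parses it.
func BuildExecArgv(dsn string) []string {
	return []string{"psql", "--dbname", dsn}
}

// BuildShellArgv is the unsafe shape the oracle must catch: the DSN is concatenated into a
// string that sh -c will re-parse. It exists only so the oracle has something to flag.
func BuildShellArgv(dsn string) []string {
	return []string{"sh", "-c", "psql --dbname " + dsn}
}

// ReachedShell reports whether the DSN's bytes ended up inside a command string passed to a
// shell while carrying metacharacters. This is the observable dangerous behaviour, as opposed
// to the mere presence of suspicious bytes in the input.
func ReachedShell(argv []string, dsn string) bool {
	if len(argv) < 3 || (argv[0] != "sh" && argv[0] != "bash") || argv[1] != "-c" {
		return false
	}
	return strings.Contains(argv[2], dsn) && strings.ContainsAny(dsn, shellMeta)
}

// Oracle is the per-input decision a fuzz target should make: rejection by the parser is
// never a finding; only a DSN that reaches a shell unescaped is.
func Oracle(raw string, build func(string) []string) Outcome {
	if _, err := ValidateDSN(raw); err != nil {
		return OutcomeRejected
	}
	if ReachedShell(build(raw), raw) {
		return OutcomeUnsafe
	}
	return OutcomeAccepted
}

func main() {
	// Constructed sample inputs: a clean DSN, the control-character case from the failing
	// seed, and a DSN carrying a shell metacharacter.
	inputs := []string{
		"postgres://app:secret@db.internal:5432/app?sslmode=require",
		"postgres://app:secret@db.internal:5432/app?opt=\n",
		"postgres://app:secret@db.internal:5432/app;echo injected",
	}
	for _, in := range inputs {
		fmt.Printf("%q exec=%d shell=%d\n", in, Oracle(in, BuildExecArgv), Oracle(in, BuildShellArgv))
	}
}
```

With the exec-style builder the metacharacter DSN is simply accepted, because it never leaves its argv slot; with the shell-style builder the same input is reported as unsafe, and the control-character DSN is reported as rejected under both builders. That is the behaviour a regression test for newline/control-character and shell-metacharacter DSNs can pin down.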
Acceptance criteria
- go test ./pkg/eos_postgres passes.
- npm run ci:unit --silent no longer fails on this seed.
- The fuzz oracle documents what counts as a real security regression versus expected input rejection.