bytelyst/learning_ai_invt_trdg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
de040ea25c
learning_ai_invt_trdg/backend/testBacktestStrategySafety.ts
Saravana Achu Mac 6aa001a530 fix(C1): refuse unsafe code strategy backtests 
Reject inline JavaScript strategy payloads before backtest execution, both at the API boundary and inside runBacktest, so saved profiles and direct internal calls cannot route unsandboxed code into replay handling.

Refs: docs/AUDIT_REDESIGN.md item C1.

Co-Authored-By: GPT-5 Codex <noreply@openai.com>
2026-05-04 16:31:04 -07:00

73 lines
2.2 KiB
TypeScript
Raw Blame History

import assert from 'node:assert/strict';
import { config } from './src/config/index.js';
import { runBacktest } from './src/backtest/index.js';
import {
assertBacktestBodyDoesNotContainInlineCode,
assertBacktestStrategyConfigSafe,
UnsafeCodeStrategyError,
} from './src/backtest/strategySafety.js';
import type { BacktestRequest } from './src/backtest/types.js';
const unsafeError = (error: unknown): boolean =>
error instanceof UnsafeCodeStrategyError &&
error.message.includes('sandboxed evaluator');
const buildUnsafeRequest = (): BacktestRequest => ({
mode: 'backtest',
symbols: ['BTC/USDT'],
timeframe: '15m',
dateRange: {
from: '2025-01-01T00:00:00.000Z',
to: '2025-01-02T00:00:00.000Z',
},
dataSource: {
type: 'json',
payload: {
candles: {
'BTC/USDT': {
'15m': [],
},
},
},
},
strategyConfig: {
type: 'code',
language: 'javascript',
code: 'return true;',
},
});
const originalFlag = config.ENABLE_BACKTEST;
config.ENABLE_BACKTEST = true;
try {
assert.doesNotThrow(
() => assertBacktestStrategyConfigSafe({ rules: [] }),
'rule-based strategy configs must stay accepted',
);
assert.throws(
() => assertBacktestStrategyConfigSafe({ type: ' CODE ', code: 'return true;' }),
unsafeError,
'strategyConfig.type=code must be refused before execution',
);
assert.throws(
() => assertBacktestBodyDoesNotContainInlineCode({ strategyCode: 'return true;' }),
unsafeError,
'legacy strategyCode payloads must be refused before execution',
);
assert.doesNotThrow(
() => assertBacktestBodyDoesNotContainInlineCode({ strategyCode: ' ' }),
'empty legacy strategyCode payloads should not mask normal validation errors',
);
await assert.rejects(
() => runBacktest(buildUnsafeRequest()),
unsafeError,
'runBacktest must refuse code strategies even when called outside the API route',
);
} finally {
config.ENABLE_BACKTEST = originalFlag;
}
console.log('[backtest-strategy-safety] OK: code strategy backtests are refused before execution');
Reference in New Issue View Git Blame Copy Permalink