2019-04-19 15:38:03 +09:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
2017-02-27 17:38:07 +01:00
|
|
|
require "sandbox"
|
|
|
|
|
|
2024-02-18 15:11:11 -08:00
|
|
|
RSpec.describe Sandbox, :needs_macos do
|
2017-05-09 23:00:51 +02:00
|
|
|
define_negated_matcher :not_matching, :matching
|
|
|
|
|
|
2021-01-31 13:14:23 -05:00
|
|
|
subject(:sandbox) { described_class.new }
|
|
|
|
|
|
2017-02-28 14:50:46 +01:00
|
|
|
let(:dir) { mktmpdir }
|
2017-02-27 17:38:07 +01:00
|
|
|
let(:file) { dir/"foo" }
|
|
|
|
|
|
2018-03-25 13:30:37 +01:00
|
|
|
before do
|
2017-02-27 17:38:07 +01:00
|
|
|
skip "Sandbox not implemented." unless described_class.available?
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
specify "#allow_write" do
|
2024-04-24 20:36:57 -04:00
|
|
|
sandbox.allow_write path: file
|
2024-08-28 03:45:26 +01:00
|
|
|
sandbox.run "touch", file
|
2017-02-27 17:38:07 +01:00
|
|
|
|
|
|
|
|
expect(file).to exist
|
|
|
|
|
end
|
|
|
|
|
|
2024-07-13 14:39:53 -04:00
|
|
|
describe "#path_filter" do
|
2024-07-31 12:10:51 -04:00
|
|
|
["'", '"', "(", ")", "\n", "\\"].each do |char|
|
2024-07-13 14:39:53 -04:00
|
|
|
it "fails if the path contains #{char}" do
|
|
|
|
|
expect do
|
|
|
|
|
sandbox.path_filter("foo#{char}bar", :subpath)
|
|
|
|
|
end.to raise_error(ArgumentError)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
describe "#allow_write_cellar" do
|
|
|
|
|
it "fails when the formula has a name including )" do
|
|
|
|
|
f = formula do
|
|
|
|
|
url "https://brew.sh/foo-1.0.tar.gz"
|
|
|
|
|
version "1.0"
|
|
|
|
|
|
|
|
|
|
def initialize(*, **)
|
|
|
|
|
super
|
|
|
|
|
@name = "foo)bar"
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
sandbox.allow_write_cellar f
|
|
|
|
|
end.to raise_error(ArgumentError)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it "fails when the formula has a name including \"" do
|
|
|
|
|
f = formula do
|
|
|
|
|
url "https://brew.sh/foo-1.0.tar.gz"
|
|
|
|
|
version "1.0"
|
|
|
|
|
|
|
|
|
|
def initialize(*, **)
|
|
|
|
|
super
|
|
|
|
|
@name = "foo\"bar"
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
expect do
|
|
|
|
|
sandbox.allow_write_cellar f
|
|
|
|
|
end.to raise_error(ArgumentError)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2024-08-28 03:45:26 +01:00
|
|
|
describe "#run" do
|
2017-02-27 17:38:07 +01:00
|
|
|
it "fails when writing to file not specified with ##allow_write" do
|
2023-03-08 23:14:46 +00:00
|
|
|
expect do
|
2024-08-28 03:45:26 +01:00
|
|
|
sandbox.run "touch", file
|
2023-03-08 23:14:46 +00:00
|
|
|
end.to raise_error(ErrorDuringExecution)
|
2017-02-27 17:38:07 +01:00
|
|
|
|
|
|
|
|
expect(file).not_to exist
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it "complains on failure" do
|
|
|
|
|
ENV["HOMEBREW_VERBOSE"] = "1"
|
|
|
|
|
|
2021-09-01 16:06:07 +01:00
|
|
|
allow(Utils).to receive(:popen_read).and_call_original
|
|
|
|
|
allow(Utils).to receive(:popen_read).with("syslog", any_args).and_return("foo")
|
2017-02-27 17:38:07 +01:00
|
|
|
|
2024-08-28 03:45:26 +01:00
|
|
|
expect { sandbox.run "false" }
|
2017-02-27 17:38:07 +01:00
|
|
|
.to raise_error(ErrorDuringExecution)
|
|
|
|
|
.and output(/foo/).to_stdout
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it "ignores bogus Python error" do
|
|
|
|
|
ENV["HOMEBREW_VERBOSE"] = "1"
|
|
|
|
|
|
2017-10-15 02:28:32 +02:00
|
|
|
with_bogus_error = <<~EOS
|
2017-02-27 17:38:07 +01:00
|
|
|
foo
|
|
|
|
|
Mar 17 02:55:06 sandboxd[342]: Python(49765) deny file-write-unlink /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/errors.pyc
|
|
|
|
|
bar
|
|
|
|
|
EOS
|
2021-09-01 16:06:07 +01:00
|
|
|
allow(Utils).to receive(:popen_read).and_call_original
|
|
|
|
|
allow(Utils).to receive(:popen_read).with("syslog", any_args).and_return(with_bogus_error)
|
2017-02-27 17:38:07 +01:00
|
|
|
|
2024-08-28 03:45:26 +01:00
|
|
|
expect { sandbox.run "false" }
|
2017-02-27 17:38:07 +01:00
|
|
|
.to raise_error(ErrorDuringExecution)
|
|
|
|
|
.and output(a_string_matching(/foo/).and(matching(/bar/).and(not_matching(/Python/)))).to_stdout
|
|
|
|
|
end
|
|
|
|
|
end
|
2024-07-13 16:07:48 -04:00
|
|
|
|
|
|
|
|
describe "#disallow chmod on some directory" do
|
|
|
|
|
it "formula does a chmod to opt" do
|
2024-08-28 03:45:26 +01:00
|
|
|
expect { sandbox.run "chmod", "ug-w", HOMEBREW_PREFIX }.to raise_error(ErrorDuringExecution)
|
2024-07-13 16:07:48 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it "allows chmod on a path allowed to write" do
|
|
|
|
|
mktmpdir do |path|
|
|
|
|
|
FileUtils.touch path/"foo"
|
|
|
|
|
sandbox.allow_write_path(path)
|
2024-08-28 03:45:26 +01:00
|
|
|
expect { sandbox.run "chmod", "ug-w", path/"foo" }.not_to raise_error(ErrorDuringExecution)
|
2024-07-13 16:28:17 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
describe "#disallow chmod SUID or SGID on some directory" do
|
|
|
|
|
it "formula does a chmod 4000 to opt" do
|
2024-08-28 03:45:26 +01:00
|
|
|
expect { sandbox.run "chmod", "4000", HOMEBREW_PREFIX }.to raise_error(ErrorDuringExecution)
|
2024-07-13 16:28:17 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it "allows chmod 4000 on a path allowed to write" do
|
|
|
|
|
mktmpdir do |path|
|
|
|
|
|
FileUtils.touch path/"foo"
|
|
|
|
|
sandbox.allow_write_path(path)
|
2024-08-28 03:45:26 +01:00
|
|
|
expect { sandbox.run "chmod", "4000", path/"foo" }.not_to raise_error(ErrorDuringExecution)
|
2024-07-13 16:07:48 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2017-02-27 17:38:07 +01:00
|
|
|
end
|
