Skip to content

Commit

Permalink
test: conditionally deny network access in sandbox
Browse files Browse the repository at this point in the history
  • Loading branch information
alebcay committed Apr 23, 2024
1 parent a3cfff7 commit 934398d
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 1 deletion.
3 changes: 2 additions & 1 deletion Library/Homebrew/dev-cmd/test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ def run

exec_args << "--HEAD" if f.head?

Utils.safe_fork do
Utils.safe_fork do |error_pipe|
if Sandbox.available?
sandbox = Sandbox.new
f.logs.mkpath
Expand All @@ -92,6 +92,7 @@ def run
sandbox.allow_write_path(HOMEBREW_PREFIX/"var/homebrew/locks")
sandbox.allow_write_path(HOMEBREW_PREFIX/"var/log")
sandbox.allow_write_path(HOMEBREW_PREFIX/"var/run")
sandbox.deny_all_network_except_pipe(error_pipe) unless f.class.network_access_allowed?(:test)
sandbox.exec(*exec_args)
else
exec(*exec_args)
Expand Down
16 changes: 16 additions & 0 deletions Library/Homebrew/test/dev-cmd/test_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

require "cmd/shared_examples/args_parse"
require "dev-cmd/test"
require "sandbox"

RSpec.describe Homebrew::DevCmd::Test do
it_behaves_like "parseable arguments"
Expand All @@ -18,4 +19,19 @@
.and not_to_output.to_stderr
.and be_a_success
end

it "blocks network access when test phase is offline", :integration_test do
if Sandbox.available?
install_test_formula "testball_offline_test", <<~RUBY
deny_network_access! :test
test do
system "curl", "example.org"
end
RUBY

expect { brew "test", "--verbose", "testball_offline_test" }
.to output(/curl: \(6\) Could not resolve host: example\.org/).to_stdout
.and be_a_failure
end
end
end

0 comments on commit 934398d

Please sign in to comment.