Add mask option to hide paths/files from sandbox

2026-04-01 23:19:08 +02:00
parent 0119834d5a
commit c7c4c673cb
5 changed files with 176 additions and 1 deletions
--- a/tests/integration.rs
+++ b/tests/integration.rs
@@ -577,3 +577,79 @@ fn config_invalid_toml_errors() {
        "expected parse error, got: {stderr}"
    );
 }
+
+#[test]
+fn mask_hides_directory() {
+    let dir = TempDir::new().unwrap();
+    fs::write(dir.path().join("secret.txt"), "sensitive").expect("failed to write");
+    let dir_str = dir.path().canonicalize().unwrap();
+
+    let output = sandbox(&["--mask", dir_str.to_str().unwrap()])
+        .args([
+            "--",
+            "bash",
+            "-c",
+            &format!("ls {} 2>/dev/null | wc -l", dir_str.display()),
+        ])
+        .output()
+        .expect("failed to execute");
+
+    let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
+    assert_eq!(
+        stdout, "0",
+        "expected masked directory to be empty, got {stdout} entries"
+    );
+}
+
+#[test]
+fn mask_hides_file() {
+    let dir = TempDir::new().unwrap();
+    let file = dir.path().join("secret.txt");
+    fs::write(&file, "sensitive").expect("failed to write");
+    let file_str = file.canonicalize().unwrap();
+
+    let output = sandbox(&["--mask", file_str.to_str().unwrap()])
+        .args([
+            "--",
+            "bash",
+            "-c",
+            &format!("cat {} 2>/dev/null || echo HIDDEN", file_str.display()),
+        ])
+        .output()
+        .expect("failed to execute");
+
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    assert!(
+        !stdout.contains("sensitive"),
+        "expected masked file contents to be hidden, got: {stdout}"
+    );
+}
+
+#[test]
+fn mask_nonexistent_path_becomes_tmpfs() {
+    let dir = TempDir::new().unwrap();
+    let fake = dir.path().join("does_not_exist");
+    let fake_str = fake.to_str().unwrap();
+
+    let output = sandbox(&["--mask", fake_str])
+        .args([
+            "--",
+            "bash",
+            "-c",
+            &format!(
+                "test -d {fake_str} && touch {fake_str}/canary && echo WRITABLE || echo MISSING"
+            ),
+        ])
+        .output()
+        .expect("failed to execute");
+
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    assert!(
+        stdout.contains("WRITABLE"),
+        "expected nonexistent mask to create a writable tmpfs, got: {stdout}"
+    );
+    assert!(
+        !fake.join("canary").exists(),
+        "tmpfs writes should not leak to host"
+    );
+}