Linux sandbox bubblewrap (#22680)

2026-04-20 10:10:56 -07:00 · 2026-03-16 21:34:48 +00:00
parent 44ce90d76c
commit 8f22ffd2b1
7 changed files with 348 additions and 19 deletions
@@ -11,6 +11,7 @@ import {
  NEVER_ALLOWED_NAME_PATTERNS,
  NEVER_ALLOWED_VALUE_PATTERNS,
  sanitizeEnvironment,
+  getSecureSanitizationConfig,
 } from './environmentSanitization.js';

 const EMPTY_OPTIONS = {
@@ -372,3 +373,80 @@ describe('sanitizeEnvironment', () => {
    expect(sanitized).toEqual(env);
  });
 });
+
+describe('getSecureSanitizationConfig', () => {
+  it('should enable environment variable redaction by default', () => {
+    const config = getSecureSanitizationConfig();
+    expect(config.enableEnvironmentVariableRedaction).toBe(true);
+  });
+
+  it('should merge allowed and blocked variables from base and requested configs', () => {
+    const baseConfig = {
+      allowedEnvironmentVariables: ['SAFE_VAR_1'],
+      blockedEnvironmentVariables: ['BLOCKED_VAR_1'],
+      enableEnvironmentVariableRedaction: true,
+    };
+    const requestedConfig = {
+      allowedEnvironmentVariables: ['SAFE_VAR_2'],
+      blockedEnvironmentVariables: ['BLOCKED_VAR_2'],
+    };
+
+    const config = getSecureSanitizationConfig(requestedConfig, baseConfig);
+
+    expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR_1');
+    expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR_2');
+    expect(config.blockedEnvironmentVariables).toContain('BLOCKED_VAR_1');
+    expect(config.blockedEnvironmentVariables).toContain('BLOCKED_VAR_2');
+  });
+
+  it('should filter out variables from allowed list that match NEVER_ALLOWED_ENVIRONMENT_VARIABLES', () => {
+    const requestedConfig = {
+      allowedEnvironmentVariables: ['SAFE_VAR', 'GOOGLE_CLOUD_PROJECT'],
+    };
+
+    const config = getSecureSanitizationConfig(requestedConfig);
+
+    expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR');
+    expect(config.allowedEnvironmentVariables).not.toContain(
+      'GOOGLE_CLOUD_PROJECT',
+    );
+  });
+
+  it('should filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
+    const requestedConfig = {
+      allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN'],
+    };
+
+    const config = getSecureSanitizationConfig(requestedConfig);
+
+    expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR');
+    expect(config.allowedEnvironmentVariables).not.toContain('MY_SECRET_TOKEN');
+  });
+
+  it('should deduplicate variables in allowed and blocked lists', () => {
+    const baseConfig = {
+      allowedEnvironmentVariables: ['SAFE_VAR'],
+      blockedEnvironmentVariables: ['BLOCKED_VAR'],
+      enableEnvironmentVariableRedaction: true,
+    };
+    const requestedConfig = {
+      allowedEnvironmentVariables: ['SAFE_VAR'],
+      blockedEnvironmentVariables: ['BLOCKED_VAR'],
+    };
+
+    const config = getSecureSanitizationConfig(requestedConfig, baseConfig);
+
+    expect(config.allowedEnvironmentVariables).toEqual(['SAFE_VAR']);
+    expect(config.blockedEnvironmentVariables).toEqual(['BLOCKED_VAR']);
+  });
+
+  it('should force enableEnvironmentVariableRedaction to true even if requested false', () => {
+    const requestedConfig = {
+      enableEnvironmentVariableRedaction: false,
+    };
+
+    const config = getSecureSanitizationConfig(requestedConfig);
+
+    expect(config.enableEnvironmentVariableRedaction).toBe(true);
+  });
+});