Linux sandbox bubblewrap (#22680)

This commit is contained in:
David Pierce
2026-03-16 21:34:48 +00:00
committed by GitHub
parent 44ce90d76c
commit 8f22ffd2b1
7 changed files with 348 additions and 19 deletions
@@ -11,6 +11,7 @@ import {
NEVER_ALLOWED_NAME_PATTERNS,
NEVER_ALLOWED_VALUE_PATTERNS,
sanitizeEnvironment,
getSecureSanitizationConfig,
} from './environmentSanitization.js';
const EMPTY_OPTIONS = {
@@ -372,3 +373,80 @@ describe('sanitizeEnvironment', () => {
expect(sanitized).toEqual(env);
});
});
describe('getSecureSanitizationConfig', () => {
it('should enable environment variable redaction by default', () => {
const config = getSecureSanitizationConfig();
expect(config.enableEnvironmentVariableRedaction).toBe(true);
});
it('should merge allowed and blocked variables from base and requested configs', () => {
const baseConfig = {
allowedEnvironmentVariables: ['SAFE_VAR_1'],
blockedEnvironmentVariables: ['BLOCKED_VAR_1'],
enableEnvironmentVariableRedaction: true,
};
const requestedConfig = {
allowedEnvironmentVariables: ['SAFE_VAR_2'],
blockedEnvironmentVariables: ['BLOCKED_VAR_2'],
};
const config = getSecureSanitizationConfig(requestedConfig, baseConfig);
expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR_1');
expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR_2');
expect(config.blockedEnvironmentVariables).toContain('BLOCKED_VAR_1');
expect(config.blockedEnvironmentVariables).toContain('BLOCKED_VAR_2');
});
it('should filter out variables from allowed list that match NEVER_ALLOWED_ENVIRONMENT_VARIABLES', () => {
const requestedConfig = {
allowedEnvironmentVariables: ['SAFE_VAR', 'GOOGLE_CLOUD_PROJECT'],
};
const config = getSecureSanitizationConfig(requestedConfig);
expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR');
expect(config.allowedEnvironmentVariables).not.toContain(
'GOOGLE_CLOUD_PROJECT',
);
});
it('should filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
const requestedConfig = {
allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN'],
};
const config = getSecureSanitizationConfig(requestedConfig);
expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR');
expect(config.allowedEnvironmentVariables).not.toContain('MY_SECRET_TOKEN');
});
it('should deduplicate variables in allowed and blocked lists', () => {
const baseConfig = {
allowedEnvironmentVariables: ['SAFE_VAR'],
blockedEnvironmentVariables: ['BLOCKED_VAR'],
enableEnvironmentVariableRedaction: true,
};
const requestedConfig = {
allowedEnvironmentVariables: ['SAFE_VAR'],
blockedEnvironmentVariables: ['BLOCKED_VAR'],
};
const config = getSecureSanitizationConfig(requestedConfig, baseConfig);
expect(config.allowedEnvironmentVariables).toEqual(['SAFE_VAR']);
expect(config.blockedEnvironmentVariables).toEqual(['BLOCKED_VAR']);
});
it('should force enableEnvironmentVariableRedaction to true even if requested false', () => {
const requestedConfig = {
enableEnvironmentVariableRedaction: false,
};
const config = getSecureSanitizationConfig(requestedConfig);
expect(config.enableEnvironmentVariableRedaction).toBe(true);
});
});