MediaWiki REL1_31
FirejailCommandTest.php
Go to the documentation of this file.
1<?php
2
3use MediaWiki\Shell\FirejailCommand;
4use MediaWiki\Shell\Shell;
5
15class FirejailCommandIntegrationTest extends PHPUnit\Framework\TestCase {
16
17 public function setUp() {
18 parent::setUp();
19 if ( Shell::command( 'which', 'firejail' )->execute()->getExitCode() ) {
20 $this->markTestSkipped( 'firejail not installed' );
21 } elseif ( wfIsWindows() ) {
22 $this->markTestSkipped( 'test supports POSIX environments only' );
23 }
24 }
25
26 public function testSanity() {
27 // Make sure that firejail works at all.
28 $command = new FirejailCommand( 'firejail' );
29 $command
30 ->unsafeParams( 'ls .' )
31 ->restrict( Shell::RESTRICT_DEFAULT );
32 $result = $command->execute();
33 $this->assertSame( 0, $result->getExitCode() );
34 }
35
40 public function testExecute( $testCommand, $flag ) {
41 if ( preg_match( '/^sudo /', $testCommand ) ) {
42 if ( Shell::command( 'sudo', '-n', 'ls', '/' )->execute()->getExitCode() ) {
43 $this->markTestSkipped( 'need passwordless sudo' );
44 }
45 }
46
47 $command = new FirejailCommand( 'firejail' );
48 $command
49 ->unsafeParams( $testCommand )
50 // If we don't restrict at all, firejail won't be invoked,
51 // so the test will give a false positive if firejail breaks
52 // the command for some non-flag-related reason. Instead,
53 // set some flag that won't get in the way.
54 ->restrict( $flag === Shell::NO_NETWORK ? Shell::PRIVATE_DEV : Shell::NO_NETWORK );
55 $result = $command->execute();
56 $this->assertSame( 0, $result->getExitCode(), 'sanity check' );
57
58 $command = new FirejailCommand( 'firejail' );
59 $command
60 ->unsafeParams( $testCommand )
61 ->restrict( $flag );
62 $result = $command->execute();
63 $this->assertNotSame( 0, $result->getExitCode(), 'real check' );
64 }
65
66 public function provideExecute() {
67 global $IP;
68 return [
69 [ 'sudo -n ls /', Shell::NO_ROOT ],
70 [ 'sudo -n ls /', Shell::SECCOMP ], // not a great test but seems to work
71 [ 'ls /dev/cpu', Shell::PRIVATE_DEV ],
72 [ 'curl -fsSo /dev/null https://wikipedia.org/', Shell::NO_NETWORK ],
73 [ 'exec ls /', Shell::NO_EXECVE ],
74 [ "cat $IP/LocalSettings.php", Shell::NO_LOCALSETTINGS ],
75 ];
76 }
77
78}
wfIsWindows
wfIsWindows()
Check if the operating system is Windows.
Definition GlobalFunctions.php:2019
$command
$command
Definition cdb.php:65
FirejailCommandIntegrationTest
Integration tests to ensure that firejail actually prevents execution.
Definition FirejailCommandTest.php:15
FirejailCommandIntegrationTest\testExecute
testExecute( $testCommand, $flag)
@coversNothing provideExecute
Definition FirejailCommandTest.php:40
MediaWiki\Shell\FirejailCommand
Restricts execution of shell commands using firejail.
Definition FirejailCommand.php:31
MediaWiki\Shell\Shell
Executes shell commands.
Definition Shell.php:44
$IP
$IP
Definition update.php:3
execute
$batch execute()