MediaWiki REL1_33
FirejailCommandIntegrationTest.php
1<?php
2
5
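/**
 * Integration tests to ensure that firejail actually prevents execution.
 *
 * testExecute() runs every case from provideExecute() twice: first under an
 * unrelated restriction, where the command must succeed (control run), then
 * under the restriction being tested, where the command must fail. A
 * restriction that firejail silently stops enforcing therefore shows up as a
 * test failure instead of going unnoticed.
 *
 * All tests are skipped when shelling out is disabled, on Windows, or when no
 * firejail binary is found on the PATH.
 */
class FirejailCommandIntegrationTest extends PHPUnit\Framework\TestCase {

	/**
	 * Skip the whole test case when its preconditions are not met.
	 */
	public function setUp() {
		parent::setUp();
		if ( Shell::isDisabled() ) {
			$this->markTestSkipped( 'shelling out is disabled' );
		} elseif ( wfIsWindows() ) {
			// Checked before probing for the binary: `which` is a POSIX tool,
			// so on Windows the probe below would report the wrong skip reason.
			$this->markTestSkipped( 'test supports POSIX environments only' );
		} elseif ( Shell::command( 'which', 'firejail' )->execute()->getExitCode() ) {
			// A non-zero exit code from `which` means no firejail on the PATH.
			$this->markTestSkipped( 'firejail not installed' );
		}
	}

	/**
	 * Make sure that firejail works at all: a harmless command run under the
	 * default restrictions has to exit with status 0.
	 */
	public function testSanity() {
		$command = new FirejailCommand( 'firejail' );
		$command
			->unsafeParams( 'ls .' )
			->restrict( Shell::RESTRICT_DEFAULT );
		$result = $command->execute();
		$this->assertSame( 0, $result->getExitCode() );
	}

	/**
	 * Check that a single restriction flag makes the matching command fail.
	 *
	 * @coversNothing
	 * @dataProvider provideExecute
	 * @param string $testCommand Shell command line; it is handed to
	 *  unsafeParams() as-is, so it must only ever come from provideExecute()
	 * @param int $flag The Shell restriction constant under test
	 */
	public function testExecute( $testCommand, $flag ) {
		// The sudo-based cases cannot prompt for a password inside a test run.
		if ( preg_match( '/^sudo /', $testCommand )
			&& Shell::command( 'sudo', '-n', 'ls', '/' )->execute()->getExitCode()
		) {
			$this->markTestSkipped( 'need passwordless sudo' );
		}

		$command = new FirejailCommand( 'firejail' );
		$command
			->unsafeParams( $testCommand )
			// If we don't restrict at all, firejail won't be invoked,
			// so the test will give a false positive if firejail breaks
			// the command for some non-flag-related reason. Instead,
			// set some flag that won't get in the way.
			->restrict( $flag === Shell::NO_NETWORK ? Shell::PRIVATE_DEV : Shell::NO_NETWORK );
		$result = $command->execute();
		$this->assertSame( 0, $result->getExitCode(), 'sanity check' );

		$command = new FirejailCommand( 'firejail' );
		$command
			->unsafeParams( $testCommand )
			->restrict( $flag );
		$result = $command->execute();
		// A non-zero exit code only shows that the command failed; together
		// with the successful control run above, the flag is the presumed cause.
		$this->assertNotSame( 0, $result->getExitCode(), 'real check' );
	}

	/**
	 * Data provider for testExecute().
	 *
	 * @return array[] List of [ command line, Shell restriction constant ]
	 */
	public function provideExecute() {
		global $IP;
		return [
			[ 'sudo -n ls /', Shell::NO_ROOT ],
			[ 'sudo -n ls /', Shell::SECCOMP ], // not a great test but seems to work
			[ 'ls /dev/cpu', Shell::PRIVATE_DEV ],
			// Needs outbound network access; without it the control run fails.
			[ 'curl -fsSo /dev/null https://wikipedia.org/', Shell::NO_NETWORK ],
			[ 'exec ls /', Shell::NO_EXECVE ],
			// The command line reaches the shell unescaped via unsafeParams(),
			// so quote the path in case the install directory contains spaces
			// or shell metacharacters.
			[ 'cat ' . Shell::escape( "$IP/LocalSettings.php" ), Shell::NO_LOCALSETTINGS ],
		];
	}

}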