feat: run script tests in temp dirs for slightly better sandboxing

2025-12-11 01:30:11 +01:00 · 2025-09-02 13:22:28 +02:00 · 2025-09-02 13:22:28 +02:00 · 5741109cc9
commit 5741109cc9
parent c9298b91f4
3 changed files with 15 additions and 16 deletions
--- a/internal/nix/service.go
+++ b/internal/nix/service.go
@ -3,6 +3,7 @@ package nix
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"os"
 	"os/exec"
 	"strings"
@ -79,6 +80,13 @@ func (s *DefaultService) BuildAndRunScript(derivation string, impureEnv bool) (e
 		return exitCode, "", "", err
 	}

+	// run scripts in a temporary directory
+	tempDir, err := os.MkdirTemp("", "nixtest-script-")
+	if err != nil {
+		return exitCode, "", "", &apperrors.ScriptExecutionError{Path: path, Err: fmt.Errorf("failed to create temporary directory: %w", err)}
+	}
+	defer os.RemoveAll(tempDir)
+
 	var cmdArgs []string
 	if impureEnv {
 		cmdArgs = []string{"bash", path}
@ -87,6 +95,7 @@ func (s *DefaultService) BuildAndRunScript(derivation string, impureEnv bool) (e
 	}

 	cmd := s.commandExecutor(cmdArgs[0], cmdArgs[1:]...)
+	cmd.Dir = tempDir
 	var outBuf, errBuf bytes.Buffer
 	cmd.Stdout = &outBuf
 	cmd.Stderr = &errBuf
--- a/lib/scriptHelpers.sh
+++ b/lib/scriptHelpers.sh
@ -35,16 +35,6 @@ function assert_file_not_contains() {
  }
 }

-function tmpdir() {
-  dir=$(mktemp -d)
-  trap "rm -rf $dir" EXIT
-  echo -n "$dir"
-}
-function tmpfile() {
-  file=$(mktemp)
-  trap "rm -f $file" EXIT
-  echo -n "$file"
-}
 function run() {
  output=$($@ 2>&1)
  exit_code=$?
--- a/tests/lib_test.nix
+++ b/tests/lib_test.nix
@ -70,21 +70,21 @@
        in
          # sh
          ''
-            ${ntlib.helpers.path [pkgs.gnugrep pkgs.mktemp]}
+            ${ntlib.helpers.path [pkgs.gnugrep pkgs.mktemp pkgs.coreutils]}
            ${ntlib.helpers.scriptHelpers}
+            cp -r ${./../snapshots} snapshots

-            TMPDIR=$(tmpdir)
            # start without nix & env binaries to expect errors
-            run "${binary} --junit=$TMPDIR/junit.xml"
+            run "${binary} --junit=junit.xml"
            assert "$exit_code -eq 2" "should exit 2"
-            assert "-f $TMPDIR/junit.xml" "should create junit.xml"
+            assert "-f junit.xml" "should create junit.xml"
            assert_contains "$output" "executable file not found" "nix should not be found in pure mode"

            # now add required deps
            ${ntlib.helpers.pathAdd [pkgs.nix pkgs.coreutils]}
-            run "${binary} --junit=$TMPDIR/junit2.xml"
+            run "${binary} --junit=junit2.xml"
            assert "$exit_code -eq 2" "should exit 2"
-            assert "-f $TMPDIR/junit2.xml" "should create junit2.xml"
+            assert "-f junit2.xml" "should create junit2.xml"
            assert_not_contains "$output" "executable file not found" "nix should now exist"
            assert_contains "$output" "suite-one" "should contain suite-one"
            assert_contains "$output" "8/11 (1 SKIPPED)" "should be 8/11 total"