Skip to content

Commit 1f636f8

Browse files
committed
test(cli): tolerate miette line-wrapping in symlink-rejection assertions
`sandbox_download_rejects_symlinks_pointing_outside_workspace` matched the substring `"outside the sandbox workspace"` against the CLI's error output. The check is correct in spirit but fragile in practice: miette wraps long single-line errors across multiple lines at terminal width and inserts a `│ ` continuation marker, so the substring breaks across the wrap and the test fails even though the canonicalisation step correctly refused the source. Split the match into three short markers — `resolves to`, `outside the`, `sandbox workspace` — each guaranteed to fit on one wrapped line. The combined check is stricter than the original (it now requires evidence that the remote `realpath -e` step actually ran, not just the boundary refusal) without inheriting the wrap fragility. Signed-off-by: Tinson Lai <tinsonl@nvidia.com>
1 parent 5633feb commit 1f636f8

1 file changed

Lines changed: 18 additions & 12 deletions

File tree

e2e/rust/tests/sync.rs

Lines changed: 18 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -426,6 +426,21 @@ async fn sandbox_download_directory_only() {
426426
guard.cleanup().await;
427427
}
428428

429+
/// Assert that an error string carries the two markers of a remote-side
430+
/// canonicalisation refusal: `resolves to` (proving `realpath -e` ran) and
431+
/// `outside the` + `sandbox workspace` (proving the boundary check fired).
432+
///
433+
/// miette renders the long single-line error wrapped across multiple lines
434+
/// at terminal width and inserts a `│ ` continuation marker, so a single
435+
/// long substring like `"outside the sandbox workspace"` is fragile —
436+
/// match the short markers individually instead.
437+
fn assert_resolves_outside_workspace(err: &str, label: &str) {
438+
assert!(
439+
err.contains("resolves to") && err.contains("outside the") && err.contains("sandbox workspace"),
440+
"expected resolves-outside-workspace error for {label}, got: {err}"
441+
);
442+
}
443+
429444
/// Regression for the Codex high-severity finding: `validate_sandbox_source_path`
430445
/// is purely lexical, so a sandbox-side symlink that escapes `/sandbox` could
431446
/// slip through and let `tar -C` follow the link into the host filesystem.
@@ -459,30 +474,21 @@ async fn sandbox_download_rejects_symlinks_pointing_outside_workspace() {
459474
.download("/sandbox/etc-link", dest_str)
460475
.await
461476
.expect_err("download of a directory symlink to /etc must be refused");
462-
assert!(
463-
err.contains("outside the sandbox workspace"),
464-
"expected workspace-boundary error for directory symlink, got: {err}"
465-
);
477+
assert_resolves_outside_workspace(&err, "directory symlink");
466478

467479
// File-source symlink: /sandbox/passwd-link -> /etc/passwd
468480
let err = guard
469481
.download("/sandbox/passwd-link", dest_str)
470482
.await
471483
.expect_err("download of a file symlink to /etc/passwd must be refused");
472-
assert!(
473-
err.contains("outside the sandbox workspace"),
474-
"expected workspace-boundary error for file symlink, got: {err}"
475-
);
484+
assert_resolves_outside_workspace(&err, "file symlink");
476485

477486
// Path with a symlinked component: /sandbox/etc-link/passwd
478487
let err = guard
479488
.download("/sandbox/etc-link/passwd", dest_str)
480489
.await
481490
.expect_err("download via a symlinked path component must be refused");
482-
assert!(
483-
err.contains("outside the sandbox workspace"),
484-
"expected workspace-boundary error for symlinked component, got: {err}"
485-
);
491+
assert_resolves_outside_workspace(&err, "symlinked component");
486492

487493
// Sanity check: the host destination should still be empty — no file from
488494
// /etc should have leaked through on any of the three attempts.

0 commit comments

Comments
 (0)