test: add coverage for newline and tab rejection in volume strings
Added test to verify parseDockerVolumeString rejects:
- Newline characters (command separator)
- Tab characters (token separator)

Both characters are blocked by validateShellSafePath, which is called during volume string parsing, ensuring they cannot be used for command injection attacks.

All 80 security tests pass (217 assertions).
parent
97868c3264
commit
8b20b0e45a
1 changed files with 10 additions and 0 deletions
|
|
@ -174,3 +174,13 @@
|
|||
->toThrow(Exception::class);
|
||||
}
|
||||
});
|
||||
|
||||
test('parseDockerVolumeString rejects newline and tab in volume strings', function () {
|
||||
// Newline can be used as command separator
|
||||
expect(fn () => parseDockerVolumeString("/data\n:/app"))
|
||||
->toThrow(Exception::class);
|
||||
|
||||
// Tab can be used as token separator
|
||||
expect(fn () => parseDockerVolumeString("/data\t:/app"))
|
||||
->toThrow(Exception::class);
|
||||
});
|
||||
|
|
|
|||
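Review bot: Both expectations in the new test assert only `->toThrow(Exception::class)`, so they pass on any exception raised by parseDockerVolumeString, not specifically on the newline or tab rejection that the commit message attributes to validateShellSafePath. Assert on the exception message as well (or on a more specific exception class, if the code has one) so the test fails if that check is removed and some unrelated parsing error takes its place. Both inputs also put the character only before the colon (`"/data\n:/app"`, `"/data\t:/app"`); adding a case with the newline or tab after the colon would show whether the target path is covered too.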