From 8b20b0e45a7d5194eec354ae99bbbd34ce7573ae Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 16 Oct 2025 09:11:12 +0200
Subject: [PATCH] test: add coverage for newline and tab rejection in volume strings Added test to verify parseDockerVolumeString rejects: - Newline characters (command separator) - Tab characters (token separator) Both characters are blocked by validateShellSafePath which is called during volume string parsing, ensuring they cannot be used for command injection attacks. All 80 security tests pass (217 assertions).
---
 tests/Unit/VolumeSecurityTest.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/tests/Unit/VolumeSecurityTest.php b/tests/Unit/VolumeSecurityTest.php
index 0196000a3..d7f20fc0e 100644
--- a/tests/Unit/VolumeSecurityTest.php
+++ b/tests/Unit/VolumeSecurityTest.php
@@ -174,3 +174,13 @@
 ->toThrow(Exception::class);
 }
 });
+
+test('parseDockerVolumeString rejects newline and tab in volume strings', function () {
+ // Newline can be used as command separator
+ expect(fn () => parseDockerVolumeString("/data\n:/app"))
+ ->toThrow(Exception::class);
+
+ // Tab can be used as token separator
+ expect(fn () => parseDockerVolumeString("/data\t:/app"))
+ ->toThrow(Exception::class);
+});
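Review bot: Both new cases put the control character only in the source segment (`"/data\n:/app"`, `"/data\t:/app"`), so a regression that stops validating the container path or the mode suffix would still pass this test. If those segments are also meant to go through validateShellSafePath (not visible in this hunk, and earlier tests outside it may already cover them), add matching cases such as `expect(fn () => parseDockerVolumeString("/data:/app\n"))->toThrow(Exception::class);` and the same with `\t`. The assertion `->toThrow(Exception::class)` also accepts any exception, so a throw for an unrelated parse reason would satisfy it; passing the expected message as the second argument to `toThrow` would tie the test to the shell-safety check. Carriage return (`\r`) is not exercised here either and may deserve its own case.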