35 lines
1.4 KiB
PHP
35 lines
1.4 KiB
PHP
<?php
|
|
|
|
it('passes a simple command through correctly', function () {
|
|
$result = executeInDocker('test-container', 'ls -la /app');
|
|
|
|
expect($result)->toBe("docker exec test-container bash -c 'ls -la /app'");
|
|
});
|
|
|
|
it('escapes single quotes in command', function () {
|
|
$result = executeInDocker('test-container', "echo 'hello world'");
|
|
|
|
expect($result)->toBe("docker exec test-container bash -c 'echo '\\''hello world'\\'''");
|
|
});
|
|
|
|
it('prevents command injection via single quote breakout', function () {
|
|
$malicious = "cd /dir && docker compose build'; id; #";
|
|
$result = executeInDocker('test-container', $malicious);
|
|
|
|
// The single quote in the malicious command should be escaped so it cannot break out of bash -c
|
|
// The raw unescaped pattern "build'; id;" must not appear — the quote must be escaped
|
|
expect($result)->not->toContain("build'; id;");
|
|
expect($result)->toBe("docker exec test-container bash -c 'cd /dir && docker compose build'\\''; id; #'");
|
|
});
|
|
|
|
it('handles empty command', function () {
|
|
$result = executeInDocker('test-container', '');
|
|
|
|
expect($result)->toBe("docker exec test-container bash -c ''");
|
|
});
|
|
|
|
it('handles command with multiple single quotes', function () {
|
|
$result = executeInDocker('test-container', "echo 'a' && echo 'b'");
|
|
|
|
expect($result)->toBe("docker exec test-container bash -c 'echo '\\''a'\\'' && echo '\\''b'\\'''");
|
|
});
|