test: conditionally deny network access in sandbox

2025-07-14 16:09:03 +08:00 · 2024-04-13 00:25:32 -04:00 · 2024-04-13 00:25:32 -04:00 · 934398dd9a
commit 934398dd9a
parent a3cfff72fd
2 changed files with 18 additions and 1 deletions
--- a/Library/Homebrew/dev-cmd/test.rb
+++ b/Library/Homebrew/dev-cmd/test.rb
@ -80,7 +80,7 @@ module Homebrew

            exec_args << "--HEAD" if f.head?

-            Utils.safe_fork do
+            Utils.safe_fork do |error_pipe|
              if Sandbox.available?
                sandbox = Sandbox.new
                f.logs.mkpath
@ -92,6 +92,7 @@ module Homebrew
                sandbox.allow_write_path(HOMEBREW_PREFIX/"var/homebrew/locks")
                sandbox.allow_write_path(HOMEBREW_PREFIX/"var/log")
                sandbox.allow_write_path(HOMEBREW_PREFIX/"var/run")
+                sandbox.deny_all_network_except_pipe(error_pipe) unless f.class.network_access_allowed?(:test)
                sandbox.exec(*exec_args)
              else
                exec(*exec_args)
--- a/Library/Homebrew/test/dev-cmd/test_spec.rb
+++ b/Library/Homebrew/test/dev-cmd/test_spec.rb
@ -2,6 +2,7 @@

 require "cmd/shared_examples/args_parse"
 require "dev-cmd/test"
+require "sandbox"

 RSpec.describe Homebrew::DevCmd::Test do
  it_behaves_like "parseable arguments"
@ -18,4 +19,19 @@ RSpec.describe Homebrew::DevCmd::Test do
      .and not_to_output.to_stderr
      .and be_a_success
  end
+
+  it "blocks network access when test phase is offline", :integration_test do
+    if Sandbox.available?
+      install_test_formula "testball_offline_test", <<~RUBY
+        deny_network_access! :test
+        test do
+          system "curl", "example.org"
+        end
+      RUBY
+
+      expect { brew "test", "--verbose", "testball_offline_test" }
+        .to output(/curl: \(6\) Could not resolve host: example\.org/).to_stdout
+        .and be_a_failure
+    end
+  end
 end