1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
//! Security tests using fail-rs for fault injection
//!
//! These tests verify that Bashkit handles failure scenarios securely:
//! - Resource limits are enforced even under failure conditions
//! - Filesystem operations fail gracefully
//! - Interpreter handles errors without exposing internal state
//!
//! **NOTE**: These tests use global state (fail-rs failpoints) and must run
//! serially. The `#[serial]` attribute ensures this.
#![cfg(feature = "failpoints")]
use bashkit::{Bash, ControlFlow, ExecResult, ExecutionLimits};
use serial_test::serial;
use std::time::Duration;
/// Helper to run a script and capture the result
async fn run_script(script: &str) -> ExecResult {
let mut bash = Bash::new();
bash.exec(script).await.unwrap_or_else(|e| ExecResult {
stdout: String::new(),
stderr: e.to_string(),
exit_code: 1,
control_flow: ControlFlow::None,
..Default::default()
})
}
/// Helper to run a script with custom limits
async fn run_script_with_limits(script: &str, limits: ExecutionLimits) -> ExecResult {
let mut bash = Bash::builder().limits(limits).build();
bash.exec(script).await.unwrap_or_else(|e| ExecResult {
stdout: String::new(),
stderr: e.to_string(),
exit_code: 1,
control_flow: ControlFlow::None,
..Default::default()
})
}
// =============================================================================
// Resource Limit Fail Point Tests
// =============================================================================
/// Test: Command counter corruption doesn't allow bypass
///
/// Security property: Even if the counter is corrupted to skip increment,
/// the limit should still be enforced eventually.
#[tokio::test]
#[serial]
async fn security_command_limit_skip_increment() {
fail::cfg("limits::tick_command", "return(skip_increment)").unwrap();
// With skip_increment, commands don't count - this is a vulnerability test
// The script should still complete (no infinite execution)
let result = run_script_with_limits(
"echo 1; echo 2; echo 3; echo 4; echo 5",
ExecutionLimits::new().max_commands(3),
)
.await;
fail::cfg("limits::tick_command", "off").unwrap();
// When skip_increment is active, commands bypass the limit
// This test documents the behavior under this failure mode
assert!(result.exit_code == 0 || result.stderr.contains("limit"));
}
/// Test: Command counter overflow is handled
#[tokio::test]
#[serial]
async fn security_command_limit_overflow() {
fail::cfg("limits::tick_command", "return(force_overflow)").unwrap();
let result = run_script("echo hello").await;
fail::cfg("limits::tick_command", "off").unwrap();
// Should fail with limit exceeded
assert!(
result.stderr.contains("limit") || result.stderr.contains("exceeded"),
"Expected limit error, got: {}",
result.stderr
);
}
/// Test: Loop counter reset doesn't cause infinite loop
#[tokio::test]
#[serial]
async fn security_loop_counter_reset() {
// Note: This test would cause infinite loop if limit wasn't also checked elsewhere
// We set a reasonable iteration limit to prevent actual infinite loop
fail::cfg("limits::tick_loop", "1*return(reset_counter)").unwrap();
let result = run_script_with_limits(
"for i in 1 2 3 4 5; do echo $i; done",
ExecutionLimits::new()
.max_loop_iterations(10)
.max_commands(50)
.timeout(Duration::from_secs(2)),
)
.await;
fail::cfg("limits::tick_loop", "off").unwrap();
// Should complete (counter resets only once due to 1* prefix)
// Accept either success or command-not-found (for $i variable in some shells)
assert!(result.exit_code == 0 || result.exit_code == 127);
}
/// Test: Function depth bypass is detected
///
/// This test deliberately bypasses function depth limits, causing deep recursion.
/// Run on a thread with 8MB stack so the command limit (not the OS stack) halts it.
#[test]
#[serial]
fn security_function_depth_bypass() {
let handle = std::thread::Builder::new()
.stack_size(8 * 1024 * 1024) // 8 MB stack
.spawn(|| {
let rt = tokio::runtime::Builder::new_current_thread()
.enable_all()
.build()
.unwrap();
rt.block_on(async {
fail::cfg("limits::push_function", "return(skip_check)").unwrap();
let result = run_script_with_limits(
r#"
recurse() {
echo "depth"
recurse
}
recurse
"#,
ExecutionLimits::new()
.max_function_depth(5)
.max_commands(100)
.timeout(Duration::from_secs(2)),
)
.await;
fail::cfg("limits::push_function", "off").unwrap();
assert!(
result.stderr.contains("limit")
|| result.stderr.contains("exceeded")
|| result.exit_code != 0,
"Recursive function should be limited"
);
});
})
.unwrap();
handle.join().unwrap();
}
// =============================================================================
// Filesystem Fail Point Tests
// =============================================================================
/// Test: Read failure is handled gracefully
#[tokio::test]
#[serial]
async fn security_fs_read_io_error() {
fail::cfg("fs::read_file", "return(io_error)").unwrap();
let result = run_script("cat /tmp/test.txt").await;
fail::cfg("fs::read_file", "off").unwrap();
// Should fail gracefully, not crash
assert!(result.exit_code != 0);
}
/// Test: Permission denied is handled
#[tokio::test]
#[serial]
async fn security_fs_read_permission_denied() {
fail::cfg("fs::read_file", "return(permission_denied)").unwrap();
let result = run_script("cat /tmp/test.txt").await;
fail::cfg("fs::read_file", "off").unwrap();
// Should fail with permission error
assert!(result.exit_code != 0);
assert!(
result.stderr.contains("permission")
|| result.stderr.contains("denied")
|| result.stderr.contains("error"),
"Expected permission error, got: {}",
result.stderr
);
}
/// Test: Corrupt data doesn't cause crash
#[tokio::test]
#[serial]
async fn security_fs_corrupt_data() {
fail::cfg("fs::read_file", "return(corrupt_data)").unwrap();
// Try to read and process data that would be corrupted
let result = run_script("cat /tmp/test.txt | grep something").await;
fail::cfg("fs::read_file", "off").unwrap();
// Should handle corrupt data gracefully
// The test verifies no panic occurred - any exit code is acceptable
let _ = result.exit_code;
}
/// Test: Write failure doesn't corrupt state
#[tokio::test]
#[serial]
async fn security_fs_write_failure() {
fail::cfg("fs::write_file", "return(io_error)").unwrap();
let result = run_script("echo 'test' > /tmp/output.txt").await;
fail::cfg("fs::write_file", "off").unwrap();
// Write should fail
assert!(result.exit_code != 0 || result.stderr.contains("error"));
}
/// Test: Disk full is handled
#[tokio::test]
#[serial]
async fn security_fs_disk_full() {
fail::cfg("fs::write_file", "return(disk_full)").unwrap();
let result = run_script("echo 'large data' > /tmp/output.txt").await;
fail::cfg("fs::write_file", "off").unwrap();
// Should fail with disk full error
assert!(result.exit_code != 0);
}
// =============================================================================
// Interpreter Fail Point Tests
// =============================================================================
/// Test: Command execution error is handled
#[tokio::test]
#[serial]
async fn security_interp_execution_error() {
fail::cfg("interp::execute_command", "return(error)").unwrap();
let result = run_script("echo hello").await;
fail::cfg("interp::execute_command", "off").unwrap();
// Should fail with execution error
assert!(result.exit_code != 0 || result.stderr.contains("error"));
}
/// Test: Non-zero exit code injection
#[tokio::test]
#[serial]
async fn security_interp_exit_nonzero() {
fail::cfg("interp::execute_command", "return(exit_nonzero)").unwrap();
let result = run_script("echo hello").await;
fail::cfg("interp::execute_command", "off").unwrap();
// Should have non-zero exit code
assert_eq!(result.exit_code, 127);
assert!(result.stderr.contains("injected failure"));
}
// =============================================================================
// Combination/Stress Tests
// =============================================================================
/// Test: Multiple fail points active simultaneously
#[tokio::test]
#[serial]
async fn security_multiple_failpoints() {
// Activate multiple fail points
fail::cfg("limits::tick_command", "5%return(skip_increment)").unwrap();
fail::cfg("fs::read_file", "10%return(io_error)").unwrap();
// Run a complex script
let result = run_script_with_limits(
r#"
for i in 1 2 3; do
echo "iteration $i"
done
"#,
ExecutionLimits::new()
.max_commands(100)
.max_loop_iterations(100),
)
.await;
fail::cfg("limits::tick_command", "off").unwrap();
fail::cfg("fs::read_file", "off").unwrap();
// Should complete or fail gracefully - the test verifies no panic occurred
let _ = result.exit_code;
}
/// Test: Fail point with probability (fuzz-like testing)
#[tokio::test]
#[serial]
async fn security_probabilistic_failures() {
// 10% chance of failure on each command
fail::cfg("limits::tick_command", "10%return(corrupt_high)").unwrap();
let mut success_count = 0;
let mut failure_count = 0;
for _ in 0..10 {
let result = run_script_with_limits(
"echo 1; echo 2; echo 3",
ExecutionLimits::new().max_commands(100),
)
.await;
if result.exit_code == 0 {
success_count += 1;
} else {
failure_count += 1;
}
}
fail::cfg("limits::tick_command", "off").unwrap();
// With 10% failure rate across multiple commands, we expect some failures
// This is a smoke test - the exact ratio depends on RNG
println!(
"Probabilistic test: {} successes, {} failures",
success_count, failure_count
);
}
// =============================================================================
// Documentation Tests
// =============================================================================
/// Demonstrates how to use fail points for custom security testing
#[tokio::test]
#[serial]
async fn security_example_custom_failpoint_usage() {
// Setup: Configure fail point
fail::cfg("fs::write_file", "return(permission_denied)").unwrap();
// Action: Run code that should trigger the fail point
let result = run_script("echo 'secret' > /tmp/sensitive.txt").await;
// Cleanup: Always disable fail points after test
fail::cfg("fs::write_file", "off").unwrap();
// Assert: Verify expected behavior
assert!(
result.exit_code != 0,
"Write to sensitive file should fail with permission denied"
);
}