heel 0.1.1

Cross-platform native sandboxing library for running untrusted code
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118

#!/usr/bin/env python3
"""Test that security protections are working (these should fail in strict mode)"""

import os
import sys

def test_read_ssh():
    """Try to read SSH keys (should be denied)"""
    ssh_dir = os.path.expanduser("~/.ssh")
    try:
        if os.path.exists(ssh_dir):
            files = os.listdir(ssh_dir)
            print(f"SSH directory readable: {files}")
            return False  # Should have been denied!
        else:
            print("SSH directory does not exist")
            return None
    except PermissionError:
        print("SSH access denied (expected)")
        return True
    except Exception as e:
        print(f"SSH access error: {e}")
        return True  # Any error is acceptable

def test_read_aws():
    """Try to read AWS credentials (should be denied)"""
    aws_dir = os.path.expanduser("~/.aws")
    try:
        if os.path.exists(aws_dir):
            files = os.listdir(aws_dir)
            print(f"AWS directory readable: {files}")
            return False  # Should have been denied!
        else:
            print("AWS directory does not exist")
            return None
    except PermissionError:
        print("AWS access denied (expected)")
        return True
    except Exception as e:
        print(f"AWS access error: {e}")
        return True

def test_read_browser_data():
    """Try to read browser data (should be denied)"""
    chrome_dir = os.path.expanduser("~/Library/Application Support/Google/Chrome")
    try:
        if os.path.exists(chrome_dir):
            files = os.listdir(chrome_dir)
            print(f"Chrome directory readable: {files[:5]}...")
            return False  # Should have been denied!
        else:
            print("Chrome directory does not exist")
            return None
    except PermissionError:
        print("Chrome access denied (expected)")
        return True
    except Exception as e:
        print(f"Chrome access error: {e}")
        return True

def test_read_keychain():
    """Try to read keychain (should be denied)"""
    keychain_dir = os.path.expanduser("~/Library/Keychains")
    try:
        if os.path.exists(keychain_dir):
            files = os.listdir(keychain_dir)
            print(f"Keychain directory readable: {files}")
            return False  # Should have been denied!
        else:
            print("Keychain directory does not exist")
            return None
    except PermissionError:
        print("Keychain access denied (expected)")
        return True
    except Exception as e:
        print(f"Keychain access error: {e}")
        return True

if __name__ == "__main__":
    print("=== Security Protection Test ===")
    print("(All accesses should be DENIED in strict mode)\n")

    print("Testing SSH access...")
    ssh_result = test_read_ssh()

    print("\nTesting AWS access...")
    aws_result = test_read_aws()

    print("\nTesting browser data access...")
    browser_result = test_read_browser_data()

    print("\nTesting keychain access...")
    keychain_result = test_read_keychain()

    print("\n=== Results ===")
    results = {
        "SSH": ssh_result,
        "AWS": aws_result,
        "Browser": browser_result,
        "Keychain": keychain_result,
    }

    all_protected = True
    for name, result in results.items():
        if result is None:
            status = "N/A (not present)"
        elif result:
            status = "PROTECTED"
        else:
            status = "EXPOSED!"
            all_protected = False
        print(f"{name}: {status}")

    if not all_protected:
        print("\nWARNING: Some sensitive data is exposed!")
        sys.exit(1)
    else:
        print("\nAll sensitive data is protected.")