refactor(test): standardize env helpers across suites

2026-04-25 23:47:20 +00:00 · 2026-02-21 13:22:16 +00:00
parent ae70bf4dca
commit e588e3cc20
5 changed files with 177 additions and 287 deletions
--- a/src/node-host/invoke.sanitize-env.test.ts
+++ b/src/node-host/invoke.sanitize-env.test.ts
@@ -1,31 +1,18 @@
 import { describe, expect, it } from "vitest";
+import { withEnv } from "../test-utils/env.js";
 import { sanitizeEnv } from "./invoke.js";
 import { buildNodeInvokeResultParams } from "./runner.js";

 describe("node-host sanitizeEnv", () => {
  it("ignores PATH overrides", () => {
-    const prev = process.env.PATH;
-    process.env.PATH = "/usr/bin";
-    try {
+    withEnv({ PATH: "/usr/bin" }, () => {
      const env = sanitizeEnv({ PATH: "/tmp/evil:/usr/bin" });
      expect(env.PATH).toBe("/usr/bin");
-    } finally {
-      if (prev === undefined) {
-        delete process.env.PATH;
-      } else {
-        process.env.PATH = prev;
-      }
-    }
+    });
  });

  it("blocks dangerous env keys/prefixes", () => {
-    const prevPythonPath = process.env.PYTHONPATH;
-    const prevLdPreload = process.env.LD_PRELOAD;
-    const prevBashEnv = process.env.BASH_ENV;
-    try {
-      delete process.env.PYTHONPATH;
-      delete process.env.LD_PRELOAD;
-      delete process.env.BASH_ENV;
+    withEnv({ PYTHONPATH: undefined, LD_PRELOAD: undefined, BASH_ENV: undefined }, () => {
      const env = sanitizeEnv({
        PYTHONPATH: "/tmp/pwn",
        LD_PRELOAD: "/tmp/pwn.so",
@@ -36,46 +23,15 @@ describe("node-host sanitizeEnv", () => {
      expect(env.PYTHONPATH).toBeUndefined();
      expect(env.LD_PRELOAD).toBeUndefined();
      expect(env.BASH_ENV).toBeUndefined();
-    } finally {
-      if (prevPythonPath === undefined) {
-        delete process.env.PYTHONPATH;
-      } else {
-        process.env.PYTHONPATH = prevPythonPath;
-      }
-      if (prevLdPreload === undefined) {
-        delete process.env.LD_PRELOAD;
-      } else {
-        process.env.LD_PRELOAD = prevLdPreload;
-      }
-      if (prevBashEnv === undefined) {
-        delete process.env.BASH_ENV;
-      } else {
-        process.env.BASH_ENV = prevBashEnv;
-      }
-    }
+    });
  });

  it("drops dangerous inherited env keys even without overrides", () => {
-    const prevPath = process.env.PATH;
-    const prevBashEnv = process.env.BASH_ENV;
-    try {
-      process.env.PATH = "/usr/bin:/bin";
-      process.env.BASH_ENV = "/tmp/pwn.sh";
+    withEnv({ PATH: "/usr/bin:/bin", BASH_ENV: "/tmp/pwn.sh" }, () => {
      const env = sanitizeEnv(undefined);
      expect(env.PATH).toBe("/usr/bin:/bin");
      expect(env.BASH_ENV).toBeUndefined();
-    } finally {
-      if (prevPath === undefined) {
-        delete process.env.PATH;
-      } else {
-        process.env.PATH = prevPath;
-      }
-      if (prevBashEnv === undefined) {
-        delete process.env.BASH_ENV;
-      } else {
-        process.env.BASH_ENV = prevBashEnv;
-      }
-    }
+    });
  });
 });