test: conditionally deny network access in sandbox

alebcay · alebcay · commit 4d5d65b25e29 · 2024-04-13T01:20:44.000-04:00
diff --git a/Library/Homebrew/dev-cmd/test.rb b/Library/Homebrew/dev-cmd/test.rb
@@ -80,7 +80,7 @@ def run
 
             exec_args << "--HEAD" if f.head?
 
-            Utils.safe_fork do
+            Utils.safe_fork do |error_pipe|
               if Sandbox.available?
                 sandbox = Sandbox.new
                 f.logs.mkpath
@@ -92,6 +92,10 @@ def run
                 sandbox.allow_write_path(HOMEBREW_PREFIX/"var/homebrew/locks")
                 sandbox.allow_write_path(HOMEBREW_PREFIX/"var/log")
                 sandbox.allow_write_path(HOMEBREW_PREFIX/"var/run")
+                if f.class.offline_phase?(:test)
+                  sandbox.deny_all_network
+                  sandbox.allow_network(error_pipe, type: :literal)
+                end
                 sandbox.exec(*exec_args)
               else
                 exec(*exec_args)
diff --git a/Library/Homebrew/test/dev-cmd/test_spec.rb b/Library/Homebrew/test/dev-cmd/test_spec.rb
@@ -2,6 +2,7 @@
 
 require "cmd/shared_examples/args_parse"
 require "dev-cmd/test"
+require "sandbox"
 
 RSpec.describe Homebrew::DevCmd::Test do
   it_behaves_like "parseable arguments"
@@ -18,4 +19,19 @@
       .and not_to_output.to_stderr
       .and be_a_success
   end
+
+  it "blocks network access when test phase is offline", :integration_test do
+    if Sandbox.available?
+      install_test_formula "testball_offline_test", <<~RUBY
+        enable_offline_phase [:test]
+        test do
+          system "curl", "example.org"
+        end
+      RUBY
+
+      expect { brew "test", "--verbose", "testball_offline_test" }
+        .to output(/curl: \(6\) Could not resolve host: example\.org/).to_stdout
+        .and be_a_failure
+    end
+  end
 end
