From c1e64bb4ef9193827825f64542a26642ac4629de Mon Sep 17 00:00:00 2001
From: Samuel Aubertin <samuel.aubertin@gmail.com>
Date: Thu, 27 Nov 2025 16:12:22 +0100
Subject: [PATCH] More tests

---
 tests/abs_path_ignore/.sloptrapignore      |   1 +
 tests/dotdot_ignore/.sloptrapignore        |   1 +
 tests/invalid_allow_host_network/.sloptrap |   2 +
 tests/invalid_manifest_name/.sloptrap      |   1 +
 tests/invalid_manifest_packages/.sloptrap  |   2 +
 tests/invalid_manifest_sandbox/.sloptrap   |   2 +
 tests/outside.txt                          |   1 +
 tests/run_tests.sh                         | 119 +++++++++++++++++++++
 8 files changed, 129 insertions(+)
 create mode 100644 tests/abs_path_ignore/.sloptrapignore
 create mode 100644 tests/dotdot_ignore/.sloptrapignore
 create mode 100644 tests/invalid_allow_host_network/.sloptrap
 create mode 100644 tests/invalid_manifest_name/.sloptrap
 create mode 100644 tests/invalid_manifest_packages/.sloptrap
 create mode 100644 tests/invalid_manifest_sandbox/.sloptrap
 create mode 100644 tests/outside.txt

diff --git a/tests/abs_path_ignore/.sloptrapignore b/tests/abs_path_ignore/.sloptrapignore
new file mode 100644
index 0000000..88d4064
--- /dev/null
+++ b/tests/abs_path_ignore/.sloptrapignore
@@ -0,0 +1 @@
+/../outside.txt
diff --git a/tests/dotdot_ignore/.sloptrapignore b/tests/dotdot_ignore/.sloptrapignore
new file mode 100644
index 0000000..0c269d5
--- /dev/null
+++ b/tests/dotdot_ignore/.sloptrapignore
@@ -0,0 +1 @@
+../outside.txt
diff --git a/tests/invalid_allow_host_network/.sloptrap b/tests/invalid_allow_host_network/.sloptrap
new file mode 100644
index 0000000..650991a
--- /dev/null
+++ b/tests/invalid_allow_host_network/.sloptrap
@@ -0,0 +1,2 @@
+name=invalid-allow-host
+allow_host_network=maybe
diff --git a/tests/invalid_manifest_name/.sloptrap b/tests/invalid_manifest_name/.sloptrap
new file mode 100644
index 0000000..06b6737
--- /dev/null
+++ b/tests/invalid_manifest_name/.sloptrap
@@ -0,0 +1 @@
+name=bad/name
diff --git a/tests/invalid_manifest_packages/.sloptrap b/tests/invalid_manifest_packages/.sloptrap
new file mode 100644
index 0000000..83db4e1
--- /dev/null
+++ b/tests/invalid_manifest_packages/.sloptrap
@@ -0,0 +1,2 @@
+name=invalid-packages
+packages_extra=curl$bad
diff --git a/tests/invalid_manifest_sandbox/.sloptrap b/tests/invalid_manifest_sandbox/.sloptrap
new file mode 100644
index 0000000..4b7cc8c
--- /dev/null
+++ b/tests/invalid_manifest_sandbox/.sloptrap
@@ -0,0 +1,2 @@
+name=invalid-sandbox
+codex_args=--sandbox host
diff --git a/tests/outside.txt b/tests/outside.txt
new file mode 100644
index 0000000..06d10a5
--- /dev/null
+++ b/tests/outside.txt
@@ -0,0 +1 @@
+outside
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
index 57b9e40..d58b1db 100755
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@@ -306,6 +306,115 @@ run_resume_target() {
   teardown_stub_env
 }
 
+run_codex_symlink_home() {
+  local scenario_dir
+  scenario_dir=$(cd "$TEST_ROOT/resume_target" && pwd -P)
+  printf '==> codex_symlink_home\n'
+  local tmp_home
+  tmp_home=$(mktemp -d)
+  ln -s /etc "$tmp_home/.codex"
+  if HOME="$tmp_home" "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "codex_symlink_home: expected rejection when ~/.codex is a symlink"
+  fi
+  rm -rf "$tmp_home"
+}
+
+run_root_directory_project() {
+  printf '==> root_directory_project\n'
+  local tmp_home
+  tmp_home=$(mktemp -d)
+  if HOME="$tmp_home" "$SLOPTRAP_BIN" --dry-run / >/dev/null 2>&1; then
+    record_failure "root_directory_project: expected rejection for '/' project root"
+  fi
+  rm -rf "$tmp_home"
+}
+
+run_shared_dir_override() {
+  local scenario_dir
+  scenario_dir=$(cd "$TEST_ROOT/resume_target" && pwd -P)
+  printf '==> shared_dir_override\n'
+  setup_stub_env
+  local bogus_shared
+  bogus_shared=$(mktemp -d)
+  if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" \
+    SLOPTRAP_SHARED_DIR="$bogus_shared" FAKE_PODMAN_INSPECT_FAIL=1 \
+    "$SLOPTRAP_BIN" "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "shared_dir_override: sloptrap exited non-zero"
+    teardown_stub_env
+    rm -rf "$bogus_shared"
+    return
+  fi
+  if grep -q "$bogus_shared" "$STUB_LOG"; then
+    record_failure "shared_dir_override: respected SLOPTRAP_SHARED_DIR override"
+  fi
+  if ! grep -q -- "-v ${scenario_dir}:/workspace" "$STUB_LOG"; then
+    record_failure "shared_dir_override: missing expected project bind mount"
+  fi
+  teardown_stub_env
+  rm -rf "$bogus_shared"
+}
+
+run_packages_env_validation() {
+  local scenario_dir
+  scenario_dir=$(cd "$TEST_ROOT/resume_target" && pwd -P)
+  printf '==> packages_env_validation\n'
+  local tmp_home
+  tmp_home=$(mktemp -d)
+  if HOME="$tmp_home" SLOPTRAP_PACKAGES='curl";touch /tmp/pwn #' \
+    "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "packages_env_validation: expected rejection of invalid SLOPTRAP_PACKAGES"
+  fi
+  rm -rf "$tmp_home"
+}
+
+run_abs_path_ignore() {
+  local scenario_dir="$TEST_ROOT/abs_path_ignore"
+  printf '==> abs_path_ignore\n'
+  if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "abs_path_ignore: expected rejection for anchored parent traversal entry"
+  fi
+}
+
+run_dotdot_ignore() {
+  local scenario_dir="$TEST_ROOT/dotdot_ignore"
+  printf '==> dotdot_ignore\n'
+  if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "dotdot_ignore: expected rejection for parent traversal entry"
+  fi
+}
+
+run_invalid_manifest_name() {
+  local scenario_dir="$TEST_ROOT/invalid_manifest_name"
+  printf '==> invalid_manifest_name\n'
+  if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "invalid_manifest_name: expected rejection for illegal name"
+  fi
+}
+
+run_invalid_manifest_sandbox() {
+  local scenario_dir="$TEST_ROOT/invalid_manifest_sandbox"
+  printf '==> invalid_manifest_sandbox\n'
+  if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "invalid_manifest_sandbox: expected rejection for sandbox mode"
+  fi
+}
+
+run_invalid_manifest_packages() {
+  local scenario_dir="$TEST_ROOT/invalid_manifest_packages"
+  printf '==> invalid_manifest_packages\n'
+  if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "invalid_manifest_packages: expected rejection for bad packages"
+  fi
+}
+
+run_invalid_allow_host_network() {
+  local scenario_dir="$TEST_ROOT/invalid_allow_host_network"
+  printf '==> invalid_allow_host_network\n'
+  if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
+    record_failure "invalid_allow_host_network: expected rejection for invalid value"
+  fi
+}
+
 run_shellcheck
 run_mount_injection
 run_root_target
@@ -314,6 +423,16 @@ run_manifest_injection
 run_helper_symlink
 run_secret_mask
 run_resume_target
+run_codex_symlink_home
+run_root_directory_project
+run_shared_dir_override
+run_packages_env_validation
+run_abs_path_ignore
+run_dotdot_ignore
+run_invalid_manifest_name
+run_invalid_manifest_sandbox
+run_invalid_manifest_packages
+run_invalid_allow_host_network
 
 if [[ ${#failures[@]} -gt 0 ]]; then
   printf '\nTest failures:\n'