Prevent the environment from leaking into the sandbox.

ac4c37d4 · Ned Batchelder · e4151f31 · ac4c37d4 · ac4c37d4
Commit ac4c37d4 authored May 13, 2013 by Ned Batchelder
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 1 deletions

codejail/jail_code.py
+5 -1

codejail/tests/test_jailpy.py
+11 -0

No files found.
--- a/codejail/jail_code.py
+++ b/codejail/jail_code.py
@@ -33,8 +33,12 @@ def configure(command, bin_path, user=None):
    """
    cmd_argv = []
    if user:
+        # Run as the specified user
        cmd_argv.extend(['sudo', '-u', user])
+    # Run the command!
    cmd_argv.append(bin_path)
    # Command-specific arguments
@@ -154,7 +158,7 @@ def jail_code(command, code=None, files=None, argv=None, stdin=None):
        cmd = COMMANDS[command] + argv
        subproc = subprocess.Popen(
-            cmd, preexec_fn=set_process_limits, cwd=tmpdir,
+            cmd, preexec_fn=set_process_limits, cwd=tmpdir, env={},
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        )

--- a/codejail/tests/test_jailpy.py
+++ b/codejail/tests/test_jailpy.py
 """Test jail_code.py"""
+import os
 import os.path
 import textwrap
 import unittest
@@ -138,6 +139,16 @@ class TestLimits(JailCodeHelpers, unittest.TestCase):
        self.assertEqual(res.stdout, "Forking\n")
        self.assertIn("OSError", res.stderr)
+    def test_cant_see_environment_variables(self):
+        os.environ['HONEY_BOO_BOO'] = 'Look!'
+        res = jailpy(code=dedent("""\
+                import os
+                for name, value in os.environ.items():
+                    print "%s: %r" % (name, value)
+                """))
+        self.assertResultOk(res)
+        self.assertNotIn("HONEY", res.stdout)
 class TestChangingLimits(JailCodeHelpers, unittest.TestCase):
    def setUp(self):