Summary
The credential hiding feature (PR #681, #738) protects 14 credential file/directory paths, but integration tests only verify 3 of them. The untested paths include high-value targets like SSH keys, AWS credentials, and cloud provider configs.
Current Coverage
Tested (3 of 14):
- ~/.docker/config.json - Tests 1, 2, 6, 7, 10
- ~/.npmrc - Tests 3, 12
- ~/.config/gh/hosts.yml - Tests 4, 11
UNTESTED (11 of 14):
| Path | Risk Level | Contains |
|---|---|---|
| ~/.ssh/id_rsa | Critical | SSH private key |
| ~/.ssh/id_ed25519 | Critical | SSH private key |
| ~/.ssh/id_ecdsa | Critical | SSH private key |
| ~/.ssh/id_dsa | Critical | SSH private key |
| ~/.aws/credentials | Critical | AWS access keys |
| ~/.aws/config | High | AWS account/region config |
| ~/.kube/config | Critical | Kubernetes cluster credentials |
| ~/.azure/credentials | Critical | Azure service principal |
| ~/.config/gcloud/credentials.db | Critical | GCP OAuth tokens |
| ~/.cargo/credentials | Medium | Cargo/crates.io API token |
| ~/.composer/auth.json | Medium | PHP Composer auth tokens |
Impact
A regression in the tmpfs mount logic for any of these 11 untested paths would silently expose credentials without any test catching it. Since the mounting approach changed from /dev/null file overlays (PR #681) to tmpfs directory overlays (PR #738), there's already been one major refactor without regression tests for most paths.
Proposed Fix
Add integration tests for at least the Critical paths. Each test should:
- Create a fake credential file at the expected path on the host
- Run a command inside the container that attempts to read it
- Verify the file is not accessible (empty tmpfs or permission denied)
- Test both normal mode and chroot mode
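A table-driven harness for the four steps above, added here as an example and not code from the project or the issue author: the container runner is a hypothetical injected hook so the verdict logic can run without Docker, and treating "No such file" as hidden is an assumption about a tmpfs mounted over the parent directory.

```typescript
type Risk = "Critical" | "High" | "Medium";
type Mode = "normal" | "chroot";
type Verdict = "hidden" | "leaked" | "inconclusive";
interface ReadResult { exitCode: number; stdout: string; stderr: string; }
// Hypothetical hook (assumption): runs `cat <hostPath>` inside the sandbox in
// the given mode and returns what the command produced.
type ContainerRunner = (hostPath: string, mode: Mode) => ReadResult;
// The 11 untested paths from the issue, with the risk levels it assigns.
const UNTESTED: { path: string; risk: Risk }[] = [
  { path: "~/.ssh/id_rsa", risk: "Critical" },
  { path: "~/.ssh/id_ed25519", risk: "Critical" },
  { path: "~/.ssh/id_ecdsa", risk: "Critical" },
  { path: "~/.ssh/id_dsa", risk: "Critical" },
  { path: "~/.aws/credentials", risk: "Critical" },
  { path: "~/.aws/config", risk: "High" },
  { path: "~/.kube/config", risk: "Critical" },
  { path: "~/.azure/credentials", risk: "Critical" },
  { path: "~/.config/gcloud/credentials.db", risk: "Critical" },
  { path: "~/.cargo/credentials", risk: "Medium" },
  { path: "~/.composer/auth.json", risk: "Medium" },
];

// Constructed content for each fake host credential file; if it shows up in
// container output, the overlay for that path is missing.
const MARKER = "FAKE-CREDENTIAL-DO-NOT-USE";
function criticalPaths(): string[] {
  return UNTESTED.filter((p) => p.risk === "Critical").map((p) => p.path);
}

// Verdict rule from the issue: "hidden" is an empty read (empty tmpfs) or a
// permission-denied error. ENOENT is also accepted (assumption: a tmpfs
// mounted over the parent directory leaves the file absent). Any other
// output is "inconclusive" so a reviewer looks at it instead of it passing.
function classify(r: ReadResult): Verdict {
  if (r.stdout.includes(MARKER)) return "leaked";
  if (r.exitCode === 0 && r.stdout.trim() === "") return "hidden";
  if (/permission denied|no such file/i.test(r.stderr)) return "hidden";
  return "inconclusive";
}
// Exercises every path in both normal and chroot mode; results keyed "path@mode".
function runSuite(run: ContainerRunner, paths: string[] = criticalPaths()): Record<string, Verdict> {
  const out: Record<string, Verdict> = {};
  for (const path of paths) {
    for (const mode of ["normal", "chroot"] as Mode[]) {
      out[`${path}@${mode}`] = classify(run(path, mode));
    }
  }
  return out;
}
```

In the real test file the hook would exec the sandboxed `cat` and the suite would fail on any key whose verdict is not "hidden".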
Test File
tests/integration/credential-hiding.test.ts