[flutter_tools, devicelab] Add safety filesystem guard to tests (flutter#186748)

Implement `FSGuardIOOverrides` along with custom wrapping proxies
(`GuardedFile`, `GuardedDirectory`, and `GuardedLink`) to intercept and
isolate filesystem modifications during test execution.

This prevents tests in `flutter_tools` and `devicelab` from executing
destructive filesystem operations (e.g., writes, deletes, and creations)
outside the system temporary directory, while still permitting safe
non-modifying operations (like reading templates and source files).

Provides an unstageable environment variable bypass toggle
`FLUTTER_TEST_DISABLE_FS_GUARD=true` to allow developers to safely
deactivate the guard for local debugging and custom logging without the
risk of committing configuration overrides to git.

Fixes flutter#186419

Author: bkonyi

dev/devicelab/lib/framework/fs_safety.dart

@@ -2,9 +2,40 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-import 'package:test/test.dart';
+import 'dart:async';
+import 'dart:io' as io;
 
-export 'package:test/test.dart' hide isInstanceOf;
+import 'package:flutter_devicelab/framework/fs_safety.dart';
+import 'package:meta/meta.dart';
+import 'package:test/test.dart' as test_package show test;
+import 'package:test/test.dart' hide test;
+
+export 'package:test/test.dart' hide isInstanceOf, test;
 
 /// A matcher that compares the type of the actual value to the type argument T.
 TypeMatcher<T> isInstanceOf<T>() => isA<T>();
+
+@isTest
+void test(
+  String description,
+  FutureOr<void> Function() body, {
+  String? testOn,
+  Timeout? timeout,
+  dynamic skip,
+  List<String>? tags,
+  Map<String, dynamic>? onPlatform,
+  int? retry,
+}) {
+  test_package.test(
+    description,
+    () async {
+      return io.IOOverrides.runWithIOOverrides(() => body(), FSGuardIOOverrides());
+    },
+    skip: skip,
+    tags: tags,
+    onPlatform: onPlatform,
+    retry: retry,
+    testOn: testOn,
+    timeout: timeout,
+  );
+}

dev/devicelab/test/common.dart

@@ -2,7 +2,9 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+import 'dart:io' as io;
 import 'package:flutter_devicelab/framework/utils.dart';
+import 'package:path/path.dart' as path;
 
 import 'common.dart';
 
@@ -41,4 +43,35 @@ void main() {
       expect(localEngineSrcPathFromEnv, null);
     });
   });
+
+  group('filesystem safety guard', () {
+    test('isolates modifications to system temp directory', () {
+      final tempFile = io.File(
+        path.join(io.Directory.systemTemp.path, 'devicelab_fs_guard_test_safe.txt'),
+      );
+      addTearDown(() {
+        if (tempFile.existsSync()) {
+          tempFile.deleteSync();
+        }
+      });
+      // Writing under system temp should succeed
+      tempFile.writeAsStringSync('safe-devicelab-content');
+      expect(tempFile.readAsStringSync(), 'safe-devicelab-content');
+
+      // Modifying outside system temp should fail and throw our guarded exception
+      final String root = path.rootPrefix(io.Directory.current.absolute.path);
+      final unsafeFile = io.File(path.join(root, 'tmp_unsafe_devicelab.txt'));
+      expect(unsafeFile.existsSync(), false);
+      expect(
+        () => unsafeFile.writeAsStringSync('unsafe-content'),
+        throwsA(
+          isA<io.FileSystemException>().having(
+            (e) => e.message,
+            'message',
+            contains('Test attempted to modify file outside of temp directory'),
+          ),
+        ),
+      );
+    });
+  });
 }

dev/devicelab/test/utils_test.dart

@@ -9,9 +9,11 @@ import 'package:file/memory.dart';
 import 'package:flutter_tools/src/base/exit.dart';
 import 'package:flutter_tools/src/base/io.dart';
 import 'package:flutter_tools/src/base/platform.dart';
+import 'package:path/path.dart' as path; // flutter_ignore: package_path_import
 import 'package:test/fake.dart';
 
 import '../../src/common.dart';
+import '../../src/fs_safety.dart';
 import '../../src/io.dart';
 
 void main() {
@@ -115,6 +117,38 @@ void main() {
     expect(await PosixProcessSignal(fakeSignalA, platform: windows).watch().isEmpty, true);
     expect(await PosixProcessSignal(fakeSignalB, platform: linux).watch().first, isNotNull);
   });
+
+  testWithoutContext(
+    'FSGuardIOOverrides isolates filesystem modifications to system temp directory',
+    () {
+      io.IOOverrides.runWithIOOverrides(() {
+        final tempFile = io.File(path.join(io.Directory.systemTemp.path, 'fs_guard_test_safe.txt'));
+        addTearDown(() {
+          if (tempFile.existsSync()) {
+            tempFile.deleteSync();
+          }
+        });
+        // Writing under system temp should succeed
+        tempFile.writeAsStringSync('safe-content');
+        expect(tempFile.readAsStringSync(), 'safe-content');
+
+        // Modifying outside system temp should fail and throw our guarded exception
+        final String root = path.rootPrefix(io.Directory.current.absolute.path);
+        final unsafeFile = io.File(path.join(root, 'tmp_unsafe_outside_temp.txt'));
+        expect(unsafeFile.existsSync(), false);
+        expect(
+          () => unsafeFile.writeAsStringSync('unsafe-content'),
+          throwsA(
+            isA<io.FileSystemException>().having(
+              (e) => e.message,
+              'message',
+              contains('Test attempted to modify file outside of temp directory'),
+            ),
+          ),
+        );
+      }, FSGuardIOOverrides());
+    },
+  );
 }
 
 class FakeProcessSignal extends Fake implements io.ProcessSignal {

packages/flutter_tools/test/general.shard/base/io_test.dart

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+import 'dart:io' as io;
+
 import 'package:code_assets/code_assets.dart';
 import 'package:data_assets/data_assets.dart';
 import 'package:file/file.dart';
@@ -40,13 +42,23 @@ class FakeFlutterNativeAssetsBuildRunner implements FlutterNativeAssetsBuildRunn
     required bool linkingEnabled,
   }) async {
     BuildResult? result = buildResult;
+    final io.Directory tempDir = io.Directory.systemTemp.createTempSync(
+      'flutter_native_assets_test.',
+    );
+    final String tempPath = tempDir.path;
     for (final String package in packagesWithNativeAssetsResult) {
+      final packageDir = io.Platform.isWindows ? '$tempPath\\$package' : '$tempPath/$package';
+      final sharedDir = io.Platform.isWindows
+          ? '$tempPath\\build-out-dir-shared'
+          : '$tempPath/build-out-dir-shared';
       final input = BuildInputBuilder()
         ..setupShared(
-          packageRoot: Uri.parse('$package/'),
+          packageRoot: Uri.file('$packageDir/'),
           packageName: package,
-          outputDirectoryShared: Uri.parse('build-out-dir-shared'),
-          outputFile: Uri.file('output.json'),
+          outputDirectoryShared: Uri.file('$sharedDir/'),
+          outputFile: Uri.file(
+            io.Platform.isWindows ? '$packageDir\\output.json' : '$packageDir/output.json',
+          ),
         )
         ..setupBuildInput()
         ..config.setupBuild(linkingEnabled: linkingEnabled);

packages/flutter_tools/test/general.shard/isolated/fake_native_assets_build_runner.dart

@@ -123,7 +123,7 @@ void main() {
           'add keys in $buildConfiguration under ${verbose ? 'verbose' : 'non-verbose'} mode',
           () async {
             infoPlist.writeAsStringSync(emptyPlist);
-            final File pipe = fileSystem.file('/tmp/pipe')..createSync(recursive: true);
+            final File pipe = buildDirectory.childFile('pipe')..createSync(recursive: true);
 
             final ProcessResult result = await Process.run(
               xcodeBackendPath,

packages/flutter_tools/test/integration.shard/xcode_backend_test.dart

@@ -3,6 +3,7 @@
 // found in the LICENSE file.
 
 import 'dart:async';
+import 'dart:io' as io show IOOverrides;
 
 import 'package:args/command_runner.dart';
 import 'package:collection/collection.dart';
@@ -20,6 +21,7 @@ import 'package:test/test.dart' hide test;
 import 'package:unified_analytics/unified_analytics.dart';
 
 import 'fakes.dart';
+import 'fs_safety.dart';
 
 export 'package:path/path.dart' show Context; // flutter_ignore: package_path_import
 export 'package:test/test.dart' hide isInstanceOf, test;
@@ -189,7 +191,7 @@ void test(
         await globals.localFileSystem.dispose();
       });
 
-      return body();
+      return io.IOOverrides.runWithIOOverrides(() => body(), FSGuardIOOverrides());
     },
     skip: skip,
     tags: tags,