Skip to content

Commit 8aecdfd

Browse files
committed
fix: resolve all clippy warnings
1 parent a0ee5aa commit 8aecdfd

8 files changed

Lines changed: 37 additions & 53 deletions

File tree

crates/evalbox-sandbox/tests/common/mod.rs

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,17 +4,14 @@ use std::path::PathBuf;
44

55
/// Load a pre-compiled C payload binary.
66
///
7-
/// Payloads are compiled by build.rs and stored in OUT_DIR/payloads/.
7+
/// Payloads are compiled by build.rs and stored in `OUT_DIR/payloads`/.
88
pub fn payload(name: &str) -> Vec<u8> {
99
if let Some(path) = find_payload(name) {
1010
return std::fs::read(&path)
1111
.unwrap_or_else(|e| panic!("Failed to read payload {}: {}", path.display(), e));
1212
}
1313

14-
panic!(
15-
"Payload '{}' not found. Run `cargo build -p evalbox-sandbox` first.",
16-
name
17-
);
14+
panic!("Payload '{name}' not found. Run `cargo build -p evalbox-sandbox` first.");
1815
}
1916

2017
/// Find payload in cargo's build directory structure.
@@ -97,4 +94,5 @@ pub fn skip_if_no_namespaces() -> bool {
9794
pub const SIGSYS: i32 = 31;
9895

9996
/// SIGKILL signal number.
97+
#[allow(dead_code)]
10098
pub const SIGKILL: i32 = 9;

crates/evalbox-sandbox/tests/security/cve.rs

Lines changed: 16 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -15,11 +15,11 @@ use crate::common::{SIGSYS, payload, skip_if_no_namespaces};
1515

1616
/// Test that CVE-2024-1086 attack vector is blocked.
1717
///
18-
/// CVE-2024-1086 is a use-after-free in Linux kernel's nf_tables.
19-
/// The exploit requires AF_NETLINK socket access to nf_tables subsystem.
18+
/// CVE-2024-1086 is a use-after-free in Linux kernel's `nf_tables`.
19+
/// The exploit requires `AF_NETLINK` socket access to `nf_tables` subsystem.
2020
/// Actively exploited in ransomware campaigns (CISA Oct 2025).
2121
///
22-
/// Reference: https://www.sysdig.com/blog/detecting-cve-2024-1086
22+
/// Reference: <https://www.sysdig.com/blog/detecting-cve-2024-1086>
2323
#[test]
2424
#[ignore]
2525
fn test_cve_2024_1086_nftables_blocked() {
@@ -49,11 +49,11 @@ fn test_cve_2024_1086_nftables_blocked() {
4949

5050
/// Test that CVE-2022-0185 attack vector is blocked.
5151
///
52-
/// CVE-2022-0185 is a heap overflow in fsconfig() syscall.
53-
/// Requires CAP_SYS_ADMIN in user namespace.
52+
/// CVE-2022-0185 is a heap overflow in `fsconfig()` syscall.
53+
/// Requires `CAP_SYS_ADMIN` in user namespace.
5454
/// Won $31,337 bounty for escaping Google's kCTF containers.
5555
///
56-
/// Reference: https://www.willsroot.io/2022/01/cve-2022-0185.html
56+
/// Reference: <https://www.willsroot.io/2022/01/cve-2022-0185.html>
5757
#[test]
5858
#[ignore]
5959
fn test_cve_2022_0185_fsconfig_blocked() {
@@ -85,9 +85,9 @@ fn test_cve_2022_0185_fsconfig_blocked() {
8585
///
8686
/// TIOCSTI ioctl injects characters into terminal input buffer.
8787
/// Allows sandbox escape by injecting commands into parent shell.
88-
/// Affected bubblewrap, SELinux sandbox, util-linux runuser.
88+
/// Affected bubblewrap, `SELinux` sandbox, util-linux runuser.
8989
///
90-
/// Reference: https://github.com/containers/bubblewrap/issues/142
90+
/// Reference: <https://github.com/containers/bubblewrap/issues/142>
9191
#[test]
9292
#[ignore]
9393
fn test_cve_2017_5226_tiocsti_blocked() {
@@ -117,11 +117,11 @@ fn test_cve_2017_5226_tiocsti_blocked() {
117117

118118
/// Test that CVE-2022-0492 cgroups escape is blocked.
119119
///
120-
/// CVE-2022-0492 allows container escape via cgroup release_agent.
120+
/// CVE-2022-0492 allows container escape via cgroup `release_agent`.
121121
/// Requires user namespace + mount capability.
122122
/// CVSS 7.0 (High).
123123
///
124-
/// Reference: https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/
124+
/// Reference: <https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups>/
125125
#[test]
126126
#[ignore]
127127
fn test_cve_2022_0492_cgroups_blocked() {
@@ -151,11 +151,11 @@ fn test_cve_2022_0492_cgroups_blocked() {
151151

152152
/// Test that fileless execution is blocked.
153153
///
154-
/// memfd_create + execveat allows executing code without writing to filesystem.
154+
/// `memfd_create` + execveat allows executing code without writing to filesystem.
155155
/// Used by malware to evade detection.
156156
/// Bypasses filesystem-based security controls.
157157
///
158-
/// Reference: https://www.aquasec.com/blog/intro-to-fileless-malware-in-containers/
158+
/// Reference: <https://www.aquasec.com/blog/intro-to-fileless-malware-in-containers>/
159159
#[test]
160160
#[ignore]
161161
fn test_fileless_memfd_blocked() {
@@ -212,7 +212,7 @@ fn test_ioctl_tioclinux_blocked() {
212212
/// Test that TIOCSETD ioctl is blocked.
213213
///
214214
/// TIOCSETD loads TTY line disciplines which have had many vulnerabilities:
215-
/// - CVE-2017-2636: n_hdlc double-free
215+
/// - CVE-2017-2636: `n_hdlc` double-free
216216
/// - CVE-2019-11815: slip line discipline race
217217
/// - Multiple other line discipline bugs
218218
#[test]
@@ -246,7 +246,7 @@ fn test_ioctl_tiocsetd_blocked() {
246246
/// User namespaces are the prerequisite for most kernel exploits:
247247
/// - CVE-2024-1086, CVE-2022-0185, CVE-2022-0492, CVE-2021-22555
248248
///
249-
/// Blocking clone(CLONE_NEWUSER) prevents a large class of kernel exploits.
249+
/// Blocking `clone(CLONE_NEWUSER)` prevents a large class of kernel exploits.
250250
#[test]
251251
#[ignore]
252252
fn test_userns_creation_blocked() {
@@ -280,7 +280,7 @@ fn test_userns_creation_blocked() {
280280
/// - Inject code
281281
/// - Bypass security controls in traced process
282282
///
283-
/// CVE-2019-13272: ptrace PTRACE_TRACEME privilege escalation
283+
/// CVE-2019-13272: ptrace `PTRACE_TRACEME` privilege escalation
284284
#[test]
285285
#[ignore]
286286
fn test_ptrace_blocked() {
@@ -313,7 +313,7 @@ fn test_ptrace_blocked() {
313313
/// By putting garbage in upper 32 bits, attackers bypass filters while kernel
314314
/// processes only the lower 32 bits. Affected Flatpak < 1.0.8.
315315
///
316-
/// Reference: https://github.com/flatpak/flatpak/security/advisories/GHSA-6qcp-mh39-cp53
316+
/// Reference: <https://github.com/flatpak/flatpak/security/advisories/GHSA-6qcp-mh39-cp53>
317317
#[test]
318318
#[ignore]
319319
fn test_cve_2019_10063_ioctl_bypass_blocked() {

crates/evalbox-sandbox/tests/security/filesystem.rs

Lines changed: 4 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -26,8 +26,7 @@ fn test_cannot_read_etc_shadow() {
2626
let stderr = output.stderr_str();
2727
assert!(
2828
stderr.contains("No such file") || stderr.contains("Permission denied"),
29-
"Expected 'No such file' or 'Permission denied', got: {}",
30-
stderr
29+
"Expected 'No such file' or 'Permission denied', got: {stderr}"
3130
);
3231
}
3332

@@ -136,17 +135,12 @@ fn test_path_traversal_blocked() {
136135
assert!(
137136
!has_nixbld && !has_real_users && line_count <= 5,
138137
"Path traversal should not leak real /etc/passwd.\n\
139-
Expected minimal sandbox passwd, got {} lines:\n{}",
140-
line_count,
141-
content
138+
Expected minimal sandbox passwd, got {line_count} lines:\n{content}"
142139
);
143140

144141
// If there's root: it should be the sandbox's nobody-only passwd
145142
if has_root {
146-
panic!(
147-
"Path traversal leaked real /etc/passwd with root entry:\n{}",
148-
content
149-
);
143+
panic!("Path traversal leaked real /etc/passwd with root entry:\n{content}");
150144
}
151145
}
152146
}
@@ -190,8 +184,7 @@ fn test_proc_self_exe_safe() {
190184
let exe_path = output.stdout_str();
191185
assert!(
192186
!exe_path.contains("/home/") && !exe_path.contains("/usr/"),
193-
"/proc/self/exe should not reveal host paths: {}",
194-
exe_path
187+
"/proc/self/exe should not reveal host paths: {exe_path}"
195188
);
196189
}
197190
}

crates/evalbox-sandbox/tests/security/network.rs

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -74,9 +74,7 @@ fn test_external_dns_blocked() {
7474
let has_ip = stdout.contains('.') && stdout.chars().any(|c| c.is_ascii_digit());
7575
assert!(
7676
!has_ip || !output.success(),
77-
"External DNS should not resolve. stdout: {}, stderr: {}",
78-
stdout,
79-
stderr
77+
"External DNS should not resolve. stdout: {stdout}, stderr: {stderr}"
8078
);
8179
}
8280

crates/evalbox-sandbox/tests/security/resources.rs

Lines changed: 5 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -28,8 +28,7 @@ fn test_timeout_enforced() {
2828
assert_eq!(output.status, Status::Timeout, "Status should be Timeout");
2929
assert!(
3030
elapsed < Duration::from_secs(2),
31-
"Should timeout quickly, took {:?}",
32-
elapsed
31+
"Should timeout quickly, took {elapsed:?}"
3332
);
3433
}
3534

@@ -50,7 +49,7 @@ fn test_infinite_loop_timeout() {
5049
assert_eq!(output.status, Status::Timeout, "Status should be Timeout");
5150
}
5251

53-
/// Test that max_pids limit is enforced.
52+
/// Test that `max_pids` limit is enforced.
5453
#[test]
5554
#[ignore]
5655
fn test_max_pids_enforced() {
@@ -97,8 +96,7 @@ fn test_output_limit_enforced() {
9796

9897
assert!(
9998
total_output <= 1024 * 4, // Allow some buffer for implementation
100-
"Output should be limited to ~1KB, got {} bytes",
101-
total_output
99+
"Output should be limited to ~1KB, got {total_output} bytes"
102100
);
103101

104102
// Either output was truncated or process was killed when limit exceeded
@@ -140,9 +138,7 @@ fn test_memory_limit_set() {
140138
// Just verify the command ran - actual memory enforcement depends on system config
141139
assert!(
142140
output.exit_code.is_some(),
143-
"Should get exit code. stdout: {}, stderr: {}",
144-
stdout,
145-
stderr
141+
"Should get exit code. stdout: {stdout}, stderr: {stderr}"
146142
);
147143
}
148144

@@ -167,8 +163,7 @@ fn test_fd_limit_set() {
167163
// Verify limit is set to a reasonable value (not unlimited)
168164
assert!(
169165
limit < 1000000,
170-
"FD limit should be reasonable, got {}",
171-
limit
166+
"FD limit should be reasonable, got {limit}"
172167
);
173168
}
174169
}

crates/evalbox-sandbox/tests/security/seccomp.rs

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -109,7 +109,7 @@ fn test_reboot_blocked() {
109109
);
110110
}
111111

112-
/// Test that clone(CLONE_NEWUSER) is blocked.
112+
/// Test that `clone(CLONE_NEWUSER)` is blocked.
113113
/// Creating new namespaces inside sandbox could allow escape.
114114
#[test]
115115
#[ignore]
@@ -134,8 +134,8 @@ fn test_clone_newuser_blocked() {
134134
);
135135
}
136136

137-
/// Test that AF_NETLINK sockets are blocked.
138-
/// Netlink gives access to kernel interfaces like nf_tables (CVE-2024-1086).
137+
/// Test that `AF_NETLINK` sockets are blocked.
138+
/// Netlink gives access to kernel interfaces like `nf_tables` (CVE-2024-1086).
139139
#[test]
140140
#[ignore]
141141
fn test_socket_netlink_blocked() {
@@ -159,7 +159,7 @@ fn test_socket_netlink_blocked() {
159159
);
160160
}
161161

162-
/// Test that SOCK_RAW sockets are blocked.
162+
/// Test that `SOCK_RAW` sockets are blocked.
163163
/// Raw sockets allow crafting arbitrary packets.
164164
#[test]
165165
#[ignore]

crates/evalbox/examples/full_test.rs

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ fn main() {
1818
output.stdout_str().lines().next().unwrap_or("")
1919
);
2020
}
21-
Err(e) => eprintln!(" Error: {}", e),
21+
Err(e) => eprintln!(" Error: {e}"),
2222
}
2323

2424
// Python test
@@ -32,7 +32,7 @@ fn main() {
3232
);
3333
println!(" Output: {}", output.stdout_str().trim());
3434
}
35-
Err(e) => eprintln!(" Error: {}", e),
35+
Err(e) => eprintln!(" Error: {e}"),
3636
}
3737

3838
// Go test
@@ -49,7 +49,7 @@ fn main() {
4949
);
5050
println!(" Output: {}", output.stdout_str().trim());
5151
}
52-
Err(e) => eprintln!(" Error: {}", e),
52+
Err(e) => eprintln!(" Error: {e}"),
5353
}
5454

5555
println!("\n=== All tests completed ===");

crates/evalbox/src/probe.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
//! Probe trait and RuntimeInfo types.
1+
//! Probe trait and `RuntimeInfo` types.
22
33
use std::collections::HashMap;
44
use std::path::{Path, PathBuf};

0 commit comments

Comments
 (0)