Summary
The credential hiding feature (PR #681, #738) protects 14 credential file/directory paths, but integration tests only verify 3 of them. The untested paths include high-value targets like SSH keys, AWS credentials, and cloud provider configs.
Current Coverage
Tested (3 of 14):
- `~/.docker/config.json` - Tests 1, 2, 6, 7, 10
- `~/.npmrc` - Tests 3, 12
- `~/.config/gh/hosts.yml` - Tests 4, 11
UNTESTED (11 of 14):
| Path | Risk Level | Contains |
|---|---|---|
| `~/.ssh/id_rsa` | Critical | SSH private key |
| `~/.ssh/id_ed25519` | Critical | SSH private key |
| `~/.ssh/id_ecdsa` | Critical | SSH private key |
| `~/.ssh/id_dsa` | Critical | SSH private key |
| `~/.aws/credentials` | Critical | AWS access keys |
| `~/.aws/config` | High | AWS account/region config |
| `~/.kube/config` | Critical | Kubernetes cluster credentials |
| `~/.azure/credentials` | Critical | Azure service principal |
| `~/.config/gcloud/credentials.db` | Critical | GCP OAuth tokens |
| `~/.cargo/credentials` | Medium | Cargo/crates.io API token |
| `~/.composer/auth.json` | Medium | PHP Composer auth tokens |
Impact
A regression in the tmpfs mount logic for any of these 11 untested paths would silently expose credentials without any test catching it. Since the mounting approach changed from /dev/null file overlays (PR #681) to tmpfs directory overlays (PR #738), there's already been one major refactor without regression tests for most paths.
Proposed Fix
Add integration tests for at least the Critical paths. Each test should:
- Create a fake credential file at the expected path on the host
- Run a command inside the container that attempts to read it
- Verify the file is not accessible (empty tmpfs or permission denied)
- Test both normal mode and chroot mode
Test File
tests/integration/credential-hiding.test.ts
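A sketch of the parameterised check described above, added here as an example and not code from the project's test suite. It builds the 14-path x 2-mode matrix and classifies each in-container read; the `run` callback that actually executes a command in the container is a hypothetical injection point that the real harness would provide, and the `/home/user` home directory in the test is a constructed value.

```typescript
export type Mode = "normal" | "chroot";
export type Verdict = "hidden" | "leaked" | "unexpected";
export interface Probe { exitCode: number; stdout: string; stderr: string }
export interface Case { relPath: string; mode: Mode; marker: string }

// All 14 credential paths named in this issue, relative to the container user's $HOME.
export const CREDENTIAL_PATHS: readonly string[] = [
  ".docker/config.json", ".npmrc", ".config/gh/hosts.yml",
  ".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa", ".ssh/id_dsa",
  ".aws/credentials", ".aws/config", ".kube/config", ".azure/credentials",
  ".config/gcloud/credentials.db", ".cargo/credentials", ".composer/auth.json",
];

// One case per path and mode (14 x 2 = 28). The marker is the content written to the
// fake host file; it is unique per case so a leak of one path cannot satisfy another.
export function buildMatrix(): Case[] {
  const cases: Case[] = [];
  for (const relPath of CREDENTIAL_PATHS) {
    for (const mode of ["normal", "chroot"] as const) {
      cases.push({ relPath, mode, marker: `FAKE-CREDENTIAL ${mode} ${relPath}` });
    }
  }
  return cases;
}

// Command run inside the container. `cat` on a tmpfs directory overlay fails with
// EISDIR and on an absent file with ENOENT; both are acceptable outcomes.
export function probeCommand(home: string, relPath: string): string {
  return `cat '${home}/${relPath}'`;
}

// hidden: marker absent and the read failed or returned nothing.
// leaked: the host file's marker reached stdout (the regression this issue is about).
// unexpected: the read succeeded with other content (stale fixture, file shipped in
// the image); still worth failing the test on.
export function classify(marker: string, probe: Probe): Verdict {
  if (probe.stdout.includes(marker)) return "leaked";
  if (probe.exitCode !== 0 || probe.stdout.trim() === "") return "hidden";
  return "unexpected";
}

// Runs every case through the harness-supplied container runner (hypothetical
// signature: (mode, command) => Probe, with the fake host file already written)
// and returns the cases that are not hidden.
export function findFailures(home: string, run: (mode: Mode, cmd: string) => Probe): Array<Case & { verdict: Verdict }> {
  const failures: Array<Case & { verdict: Verdict }> = [];
  for (const c of buildMatrix()) {
    const verdict = classify(c.marker, run(c.mode, probeCommand(home, c.relPath)));
    if (verdict !== "hidden") failures.push({ ...c, verdict });
  }
  return failures;
}
```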