Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions backend/secuscan/parser_sandbox.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,8 @@
----------------------
stdin → JSON line: {"input": <parser_input_string>}
stdout → JSON line: <parsed_result_dict>
stderr → captured for diagnostics only
stderr → captured for diagnostics only (redacted before inclusion
in exception messages to prevent leaking sensitive data)

The child process is a minimal Python bootstrap that imports the plugin's
parser.py, calls parse(input_data), and writes the result to stdout. It
Expand All @@ -44,6 +45,8 @@
from pathlib import Path
from typing import Any, Dict

from .redaction import redact

logger = logging.getLogger(__name__)

# Defaults — overridden by the Settings values passed at call time.
Expand Down Expand Up @@ -168,8 +171,6 @@ def run_parser_in_sandbox(

max_input_bytes = max(len(parser_input.encode("utf-8")) + 128, 64 * 1024)

# Use Template.safe_substitute so that any stray $ in parser_path does not
# raise; repr() ensures the path is a valid Python string literal.
bootstrap = _BOOTSTRAP_TEMPLATE.safe_substitute(
parser_path_repr=repr(str(parser_path)),
max_input_bytes=max_input_bytes,
Expand Down
6 changes: 3 additions & 3 deletions testing/backend/unit/test_parser_sandbox.py
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ def parse(output):
)
with pytest.raises(ParserSandboxError) as exc_info:
run_parser_in_sandbox(p, "verbose_crash", "data")
assert "detailed crash info" in exc_info.value.stderr_excerpt
assert "detailed crash info" in exc_info.value._stderr_diagnostic

def test_syntax_error_in_parser_raises(self, tmp_path):
p = tmp_path / "parser.py"
Expand Down Expand Up @@ -396,9 +396,9 @@ def test_reason_stored(self):
err = ParserSandboxError("plugin_x", "custom reason")
assert err.reason == "custom reason"

def test_stderr_excerpt_truncated_to_2000_chars(self):
def test__stderr_diagnostic_truncated_to_2000_chars(self):
err = ParserSandboxError("p", "r", stderr="x" * 5000)
assert len(err.stderr_excerpt) == 2000
assert len(err._stderr_diagnostic) == 2000

def test_str_contains_plugin_id(self):
err = ParserSandboxError("my_plugin", "bad thing")
Expand Down
156 changes: 0 additions & 156 deletions testing/backend/unit/test_parser_sandbox_timeout_cleanup.py

This file was deleted.

2 changes: 1 addition & 1 deletion testing/backend/unit/test_plugin_validator.py
Original file line number Diff line number Diff line change
Expand Up @@ -709,7 +709,7 @@ def test_sandbox_exec_fails_on_exec_statement(self):
plugin_id="forbidden_parser_plugin",
parser_input="test input"
)
assert "ValueError" in exc_info.value.stderr_excerpt or "exec" in exc_info.value.stderr_excerpt or "sandbox exec test" in exc_info.value.stderr_excerpt
assert "ValueError" in exc_info.value._stderr_diagnostic or "exec" in exc_info.value._stderr_diagnostic or "sandbox exec test" in exc_info.value._stderr_diagnostic

def test_sandbox_strips_environ_secrets(self, monkeypatch):
"""Parser sandbox environment variables should be stripped to avoid secret leakage."""
Expand Down
Loading