Summary
PR #718 added tmpfs overlays on `workDir` to prevent the agent from reading `docker-compose.yml`, which contains plaintext tokens (`GITHUB_TOKEN`, `ANTHROPIC_API_KEY`, `COPILOT_GITHUB_TOKEN`, etc.). However, there is no integration test verifying this protection actually works.
Current Test Coverage
- Unit test (`src/docker-manager.test.ts`, lines 1424-1455): only verifies the Docker Compose config includes a tmpfs entry for `workDir`. Does NOT verify the actual protection.
- Integration test: NONE
What Should Be Tested
An integration test that:
- Runs `awf` with `--env-all` (or specific env vars), passing sensitive tokens
- Inside the container, attempts `cat /tmp/awf-*/docker-compose.yml`
- Verifies the command returns empty/error (tmpfs overlay is working)
- In chroot mode, also attempts `cat /host/tmp/awf-*/docker-compose.yml`
Why This Matters
- The `docker-compose.yml` contains every environment variable passed to the container, in plaintext
- This was the primary vulnerability fixed by PR #718 (fix: hide workDir from agent container to prevent secrets exposure)
- A regression here silently exposes ALL secrets passed via environment variables
- The tmpfs overlay interacts with bind mounts in complex ways (concerns raised in the PR #718 review about mount ordering)
Related
- PR #718: fix: hide workDir from agent container to prevent secrets exposure
- Issue #620: fix: restrict /proc/self/environ and docker-compose.yml secret exposure (the original vulnerability report)
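The in-container assertion that the "What Should Be Tested" steps call for, as an added example rather than code from the awf project: a POSIX shell function that passes only when the compose file is absent, unreadable or empty, and reports whether a canary value leaked, plus constructed fixtures that stand in for the real mount so the check can be exercised without `awf` or Docker. The canary value and the fixture layout are assumptions.

```shell
#!/bin/sh
# check_compose_hidden: pass (0) if the compose file is hidden (no match,
# unreadable, or empty); fail (1) if it is readable with content.
#   $1 = glob for the compose file, e.g. '/tmp/awf-*/docker-compose.yml'
#        (chroot mode: '/host/tmp/awf-*/docker-compose.yml')
#   $2 = canary token that was passed in via the environment (assumed value)
check_compose_hidden() {
  pattern=$1
  canary=$2
  status=0
  for f in $pattern; do
    # An unmatched glob stays literal; -e then fails and the entry is skipped.
    [ -e "$f" ] || continue
    # cat failing or printing nothing is the expected tmpfs-overlay outcome.
    if content=$(cat "$f" 2>/dev/null) && [ -n "$content" ]; then
      status=1
      case $content in
        *"$canary"*) echo "LEAK: canary present in $f" >&2 ;;
        *)           echo "FAIL: $f is readable with content" >&2 ;;
      esac
    fi
  done
  return $status
}

# Constructed fixtures (not the real awf workDir): each returns the exit
# status of check_compose_hidden for one scenario.
fixture_hidden() {
  d=$(mktemp -d); mkdir "$d/awf-1"   # overlay working: no compose file visible
  if check_compose_hidden "$d/awf-*/docker-compose.yml" "CANARY_TOKEN_123"; then r=0; else r=1; fi
  rm -rf "$d"; return $r
}
fixture_leaked() {
  d=$(mktemp -d); mkdir "$d/awf-1"   # regression: compose file exposes the token
  printf 'environment:\n  GITHUB_TOKEN: %s\n' "CANARY_TOKEN_123" > "$d/awf-1/docker-compose.yml"
  if check_compose_hidden "$d/awf-*/docker-compose.yml" "CANARY_TOKEN_123" 2>/dev/null; then r=0; else r=1; fi
  rm -rf "$d"; return $r
}
```

Inside the real test the function body is what the container would run after `awf` starts it with the canary in the environment; run it once against `/tmp/awf-*/docker-compose.yml` and once, in chroot mode, against `/host/tmp/awf-*/docker-compose.yml`.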