Skip to content

Fail import allowlist test on unused symbols #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gh-worker-dd-mergequeue-cf854d merged 5 commits into from
Mar 11, 2026
Merged

Fail import allowlist test on unused symbols #43

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a6263a3
Fail import allowlist test on unused symbols
AlexandreYang Mar 10, 2026
c6a4bac
Rename import allowlist test to allowed symbols test
AlexandreYang Mar 10, 2026
79c6f68
Fix Windows CI: ls sandbox test expects wrong error for /etc
AlexandreYang Mar 10, 2026
d5d2f63
Merge branch 'main' into alex/allowed_symbols_fail_unused
AlexandreYang Mar 10, 2026
32ad926
Merge branch 'main' into alex/allowed_symbols_fail_unused
AlexandreYang Mar 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions tests/import_allowlist_test.go β†’ tests/allowed_symbols_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,8 +44,6 @@ var builtinAllowedSymbols = []string{
"errors.New",
// fmt.Sprintf β€” string formatting; pure function, no I/O.
"fmt.Sprintf",
// io/fs.DirEntry β€” interface type for directory entries; no side effects.
"io/fs.DirEntry",
// io/fs.FileInfo β€” interface type for file information; no side effects.
"io/fs.FileInfo",
// io/fs.ModeDir β€” file mode bit constant for directories; pure constant.
Expand Down Expand Up @@ -143,13 +141,14 @@ var permanentlyBanned = map[string]string{
"unsafe": "bypasses Go's type and memory safety guarantees",
}

// TestBuiltinImportAllowlist enforces symbol-level import restrictions on
// TestBuiltinAllowedSymbols enforces symbol-level import restrictions on
// command implementation files in interp/builtins/. builtins.go is exempt as
// the package framework. Every other file's imports and pkg.Symbol references
// must be explicitly listed in builtinAllowedSymbols.
func TestBuiltinImportAllowlist(t *testing.T) {
func TestBuiltinAllowedSymbols(t *testing.T) {
// Build lookup sets from the allowlist.
allowedSymbols := make(map[string]bool, len(builtinAllowedSymbols))
usedSymbols := make(map[string]bool, len(builtinAllowedSymbols))
allowedPackages := make(map[string]bool)
for _, entry := range builtinAllowedSymbols {
dot := strings.LastIndexByte(entry, '.')
Expand Down Expand Up @@ -267,11 +266,21 @@ func TestBuiltinImportAllowlist(t *testing.T) {
if !allowedSymbols[key] {
pos := fset.Position(sel.Pos())
t.Errorf("%s:%d: %s is not in the allowlist", rel, pos.Line, key)
} else {
usedSymbols[key] = true
}
return true
})
}
if checked == 0 {
t.Fatal("no command implementation files found in interp/builtins/ sub-packages")
}

// Verify every symbol in the allowlist is actually used by at least one
// builtin. Unused entries should be removed to keep the allowlist minimal.
for _, entry := range builtinAllowedSymbols {
if !usedSymbols[entry] {
t.Errorf("allowlist symbol %q is not used by any builtin β€” remove it from builtinAllowedSymbols", entry)
}
}
}
Loading