added tests for java and cpp

Author: Anga205

.github/workflows/test.yml

@@ -236,3 +236,72 @@ jobs:
         env:
           ENABLE_QUEUE: "false"
         run: sudo -E go test -v -run 'TestContainerizationAPISecurityIntegration/privileged reboot syscall is denied' ./...
+
+  test-python3-suite:
+    name: "Language Gap: Python3 Security/Resilience Suite (Expected Fail)"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install native dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcc libc6-dev python3
+
+      - name: Run Python3 mirrored suite
+        env:
+          ENABLE_QUEUE: "false"
+        run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationPython3$' ./...
+
+  test-cpp-suite:
+    name: "Language Gap: C++ Security/Resilience Suite (Expected Fail)"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install native dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcc g++ libc6-dev
+
+      - name: Run C++ mirrored suite
+        env:
+          ENABLE_QUEUE: "false"
+        run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$' ./...
+
+  test-java-suite:
+    name: "Language Gap: Java Security/Resilience Suite (Expected Fail)"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install native dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcc libc6-dev openjdk-21-jdk
+
+      - name: Run Java mirrored suite
+        env:
+          ENABLE_QUEUE: "false"
+        run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationJava$' ./...

integration_test.go

@@ -111,9 +111,6 @@ func TestContainerizationAPISecurityIntegrationPython3(t *testing.T) {
 
 	h := integrationHarness{baseURL: testServer.URL}
 	h.apiPort = mustExtractPort(t, h.baseURL)
-	if !python3SupportAvailable(t, h.baseURL) {
-		t.Skip("python3 execution is not supported by the API yet")
-	}
 
 	cases := []struct {
 		name string
@@ -136,6 +133,77 @@ func TestContainerizationAPISecurityIntegrationPython3(t *testing.T) {
 	}
 }
 
+func TestContainerizationAPISecurityIntegrationCpp(t *testing.T) {
+	if config.Config.Globals.ENABLE_QUEUE {
+		t.Fatal("ENABLE_QUEUE must be false for integration tests")
+	}
+
+	h := integrationHarness{baseURL: testServer.URL}
+	h.apiPort = mustExtractPort(t, h.baseURL)
+	runLanguageMirrorSuite(t, h, "cpp", "cpp")
+}
+
+func TestContainerizationAPISecurityIntegrationJava(t *testing.T) {
+	if config.Config.Globals.ENABLE_QUEUE {
+		t.Fatal("ENABLE_QUEUE must be false for integration tests")
+	}
+
+	h := integrationHarness{baseURL: testServer.URL}
+	h.apiPort = mustExtractPort(t, h.baseURL)
+	runLanguageMirrorSuite(t, h, "java", "java")
+}
+
+func runLanguageMirrorSuite(t *testing.T, h integrationHarness, language, ext string) {
+	t.Helper()
+
+	cases := []struct {
+		name string
+		run  func(*testing.T, integrationHarness)
+	}{
+		{name: "file privacy across request IDs", run: func(t *testing.T, h integrationHarness) {
+			testFilesystemIsolationForLanguage(t, h, language, "file_privacy_write_read."+ext, "file_privacy_read_only."+ext)
+		}},
+		{name: "disk spammer is terminated and data is reclaimed", run: func(t *testing.T, h integrationHarness) {
+			testDiskCleanupForLanguage(t, h, language, "disk_spammer."+ext)
+		}},
+		{name: "fork bomb does not poison subsequent requests", run: func(t *testing.T, h integrationHarness) {
+			testForkBombContainmentForLanguage(t, h, language, "fork_bomb."+ext, "hello_world."+ext)
+		}},
+		{name: "network namespace blocks localhost bridge", run: func(t *testing.T, h integrationHarness) {
+			testNetworkIsolationForLanguage(t, h, language, "network_localhost_bridge."+ext)
+		}},
+		{name: "memory hard limit triggers oom kill", run: func(t *testing.T, h integrationHarness) {
+			testMemoryHardLimitForLanguage(t, h, language, "memory_bomb."+ext)
+		}},
+		{name: "io flood is bounded and returns before timeout", run: func(t *testing.T, h integrationHarness) {
+			testIOFloodResilienceForLanguage(t, h, language, "io_spam."+ext)
+		}},
+		{name: "signal trap cannot survive forced timeout", run: func(t *testing.T, h integrationHarness) {
+			testSignalTrapTimeoutForLanguage(t, h, language, "signal_trap."+ext)
+		}},
+		{name: "orphan grandchild is reaped after request exits", run: func(t *testing.T, h integrationHarness) {
+			name := "orphanmakergc"
+			if language == "python3" {
+				name = "orphanpygc"
+			}
+			if language == "java" {
+				name = "orphanjavagc"
+			}
+			testOrphanReapingForLanguage(t, h, language, "orphan_maker."+ext, name)
+		}},
+		{name: "inode bomb does not poison host temp filesystem", run: func(t *testing.T, h integrationHarness) {
+			testInodeExhaustionForLanguage(t, h, language, "inode_bomb."+ext)
+		}},
+		{name: "privileged reboot syscall is denied", run: func(t *testing.T, h integrationHarness) {
+			testPrivilegedSyscallDeniedForLanguage(t, h, language, "try_reboot."+ext)
+		}},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) { tc.run(t, h) })
+	}
+}
+
 func testFilesystemIsolation(t *testing.T, h integrationHarness) {
 	writeCode := mustLoadSampleCode(t, "file_privacy_write_read.c", nil)
 	writeResp := callSimpleExecute(t, h.baseURL, buildCRequest(writeCode, 4, 32768))
@@ -447,6 +515,155 @@ func testPrivilegedSyscallDeniedPython3(t *testing.T, h integrationHarness) {
 	}
 }
 
+func testFilesystemIsolationForLanguage(t *testing.T, h integrationHarness, language, writeFile, readFile string) {
+	writeCode := mustLoadSampleCode(t, writeFile, nil)
+	writeResp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, writeCode, 4, 32768))
+	if !strings.Contains(writeResp.Output, "SecretData123") {
+		t.Fatalf("step A did not return secret in stdout; stdout=%q stderr=%q", writeResp.Output, writeResp.Error)
+	}
+
+	readCode := mustLoadSampleCode(t, readFile, nil)
+	readResp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, readCode, 4, 32768))
+	if !strings.Contains(strings.ToLower(readResp.Error), "no such file or directory") {
+		t.Fatalf("step B unexpectedly accessed file from another sandbox; stdout=%q stderr=%q", readResp.Output, readResp.Error)
+	}
+}
+
+func testDiskCleanupForLanguage(t *testing.T, h integrationHarness, language, payload string) {
+	beforeFree := mustFreeBytes(t, os.TempDir())
+	beforeCount := countSandboxTempDirs(t)
+
+	code := mustLoadSampleCode(t, payload, nil)
+	resp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, code, 2, 32768))
+	stderrLower := strings.ToLower(resp.Error)
+	if !containsAny(stderrLower, []string{"execution timed out", "memory limit exceeded"}) {
+		t.Fatalf("disk spammer was not terminated as expected; stdout=%q stderr=%q", resp.Output, resp.Error)
+	}
+
+	time.Sleep(400 * time.Millisecond)
+	assertDiskReclaimed(t, beforeFree, mustFreeBytes(t, os.TempDir()))
+	assertNoSandboxLeak(t, beforeCount, countSandboxTempDirs(t))
+}
+
+func testForkBombContainmentForLanguage(t *testing.T, h integrationHarness, language, bombFile, helloFile string) {
+	bombCode := mustLoadSampleCode(t, bombFile, nil)
+	_ = callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, bombCode, 2, 32768))
+
+	helloCode := mustLoadSampleCode(t, helloFile, nil)
+	helloResp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, helloCode, 4, 32768))
+	if !strings.Contains(helloResp.Output, "Hello World") {
+		t.Fatalf("follow-up request failed after fork bomb; stdout=%q stderr=%q", helloResp.Output, helloResp.Error)
+	}
+	if strings.Contains(strings.ToLower(helloResp.Error), "resource temporarily unavailable") {
+		t.Fatalf("follow-up request indicates host PID exhaustion; stderr=%q", helloResp.Error)
+	}
+}
+
+func testNetworkIsolationForLanguage(t *testing.T, h integrationHarness, language, payload string) {
+	replacements := map[string]string{"__API_PORT__": strconv.Itoa(h.apiPort)}
+	code := mustLoadSampleCode(t, payload, replacements)
+	resp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, code, 3, 32768))
+
+	combined := strings.ToLower(resp.Output + "\n" + resp.Error)
+	if strings.Contains(combined, "connected") {
+		t.Fatalf("localhost bridge unexpectedly succeeded; stdout=%q stderr=%q", resp.Output, resp.Error)
+	}
+	if !containsAny(combined, []string{"connection refused", "network is unreachable", "no route to host"}) {
+		t.Fatalf("network isolation did not produce expected connect error; stdout=%q stderr=%q", resp.Output, resp.Error)
+	}
+}
+
+func testMemoryHardLimitForLanguage(t *testing.T, h integrationHarness, language, payload string) {
+	code := mustLoadSampleCode(t, payload, nil)
+	resp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, code, 3, 16384))
+	if !containsAny(strings.ToLower(resp.Error), []string{"memory limit exceeded", "killed", "execution timed out"}) {
+		t.Fatalf("memory bomb did not terminate as expected; stdout=%q stderr=%q", resp.Output, resp.Error)
+	}
+
+	execDur, err := time.ParseDuration(resp.CPUTime)
+	if err != nil {
+		t.Fatalf("failed to parse cpu_time %q: %v", resp.CPUTime, err)
+	}
+	if execDur > 500*time.Millisecond {
+		t.Fatalf("memory enforcement was too slow: cpu_time=%s stderr=%q", resp.CPUTime, resp.Error)
+	}
+}
+
+func testIOFloodResilienceForLanguage(t *testing.T, h integrationHarness, language, payload string) {
+	code := mustLoadSampleCode(t, payload, nil)
+	resp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, code, 1, 32768))
+
+	stderrLower := strings.ToLower(resp.Error)
+	if !containsAny(stderrLower, []string{"execution timed out", "killed", "memory limit exceeded"}) {
+		t.Fatalf("io flood did not terminate with expected error; stdout=%q stderr=%q", resp.Output, resp.Error)
+	}
+
+	if strings.TrimSpace(resp.Error) == "" {
+		t.Fatalf("io flood returned empty stderr; expected bounded but non-empty error output")
+	}
+
+	const maxErrorBytes = (1 << 20) + 4096
+	if len(resp.Error) > maxErrorBytes {
+		t.Fatalf("stderr exceeded resilience cap: got=%d bytes cap=%d", len(resp.Error), maxErrorBytes)
+	}
+
+	assertDurationNotExcessive(t, resp.CPUTime, 3*time.Second, "io flood request")
+}
+
+func testSignalTrapTimeoutForLanguage(t *testing.T, h integrationHarness, language, payload string) {
+	code := mustLoadSampleCode(t, payload, nil)
+	resp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, code, 1, 32768))
+
+	if !strings.Contains(strings.ToLower(resp.Error), "execution timed out") {
+		t.Fatalf("signal trap did not timeout as expected; stdout=%q stderr=%q", resp.Output, resp.Error)
+	}
+
+	assertDurationWindow(t, resp.CPUTime, 900*time.Millisecond, 2500*time.Millisecond, "signal trap timeout")
+}
+
+func testOrphanReapingForLanguage(t *testing.T, h integrationHarness, language, payload, orphanName string) {
+	code := mustLoadSampleCode(t, payload, nil)
+	resp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, code, 2, 32768))
+	assertDurationNotExcessive(t, resp.CPUTime, 3*time.Second, "orphan maker request")
+
+	time.Sleep(400 * time.Millisecond)
+	if cnt := countProcessesByComm(t, orphanName); cnt > 0 {
+		t.Fatalf("orphan grandchild leaked to host after request completion: count=%d stderr=%q", cnt, resp.Error)
+	}
+}
+
+func testInodeExhaustionForLanguage(t *testing.T, h integrationHarness, language, payload string) {
+	beforeFree := mustFreeBytes(t, os.TempDir())
+	beforeCount := countSandboxTempDirs(t)
+
+	code := mustLoadSampleCode(t, payload, nil)
+	resp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, code, 4, 32768))
+
+	combinedLower := strings.ToLower(resp.Output + "\n" + resp.Error)
+	if !containsAny(combinedLower, []string{"inode bomb completed", "no space left", "disk quota exceeded"}) {
+		t.Fatalf("inode exhaustion test produced unexpected result; stdout=%q stderr=%q", resp.Output, resp.Error)
+	}
+
+	time.Sleep(400 * time.Millisecond)
+	assertDiskReclaimed(t, beforeFree, mustFreeBytes(t, os.TempDir()))
+	assertNoSandboxLeak(t, beforeCount, countSandboxTempDirs(t))
+	mustCreateAndDeleteTempFile(t)
+}
+
+func testPrivilegedSyscallDeniedForLanguage(t *testing.T, h integrationHarness, language, payload string) {
+	code := mustLoadSampleCode(t, payload, nil)
+	resp := callSimpleExecute(t, h.baseURL, buildLanguageRequest(language, code, 3, 32768))
+	assertDurationNotExcessive(t, resp.CPUTime, 3*time.Second, "privileged reboot syscall")
+
+	combinedLower := strings.ToLower(resp.Output + "\n" + resp.Error)
+	if strings.Contains(combinedLower, "reboot succeeded unexpectedly") {
+		t.Fatalf("privileged reboot syscall unexpectedly succeeded; stdout=%q stderr=%q", resp.Output, resp.Error)
+	}
+	if !containsAny(combinedLower, []string{"operation not permitted", "permission denied", "bad system call", "killed", "hangup"}) {
+		t.Fatalf("expected privileged syscall denial signal was not observed; stdout=%q stderr=%q", resp.Output, resp.Error)
+	}
+}
+
 func mustLoadSampleCode(t *testing.T, fileName string, replacements map[string]string) string {
 	t.Helper()
 	path := filepath.Join(sampleCodeDir, fileName)
@@ -463,44 +680,23 @@ func mustLoadSampleCode(t *testing.T, fileName string, replacements map[string]s
 }
 
 func buildCRequest(code string, timeoutSec, maxMemoryKB uint) simpleExecuteRequest {
-	return simpleExecuteRequest{Language: "c", Code: code, Timeout: timeoutSec, MaxMemory: maxMemoryKB}
+	return buildLanguageRequest("c", code, timeoutSec, maxMemoryKB)
 }
 
 func buildPython3Request(code string, timeoutSec, maxMemoryKB uint) simpleExecuteRequest {
-	return simpleExecuteRequest{Language: "python3", Code: code, Timeout: timeoutSec, MaxMemory: maxMemoryKB}
+	return buildLanguageRequest("python3", code, timeoutSec, maxMemoryKB)
 }
 
-func python3SupportAvailable(t *testing.T, baseURL string) bool {
-	t.Helper()
-	req := buildPython3Request("print('py-ok')", 1, 32768)
-	body, err := json.Marshal(req)
-	if err != nil {
-		return false
-	}
-
-	httpReq, err := http.NewRequest(http.MethodPost, baseURL+"/simple-execute", bytes.NewReader(body))
-	if err != nil {
-		return false
-	}
-	httpReq.Header.Set("Content-Type", "application/json")
-
-	httpResp, err := httpClient.Do(httpReq)
-	if err != nil {
-		return false
-	}
-	defer httpResp.Body.Close()
-
-	rawBody, err := io.ReadAll(httpResp.Body)
-	if err != nil || httpResp.StatusCode != http.StatusOK {
-		return false
-	}
+func buildCppRequest(code string, timeoutSec, maxMemoryKB uint) simpleExecuteRequest {
+	return buildLanguageRequest("cpp", code, timeoutSec, maxMemoryKB)
+}
 
-	var parsed simpleExecuteResponse
-	if err := json.Unmarshal(rawBody, &parsed); err != nil {
-		return false
-	}
+func buildJavaRequest(code string, timeoutSec, maxMemoryKB uint) simpleExecuteRequest {
+	return buildLanguageRequest("java", code, timeoutSec, maxMemoryKB)
+}
 
-	return strings.Contains(parsed.Output, "py-ok")
+func buildLanguageRequest(language, code string, timeoutSec, maxMemoryKB uint) simpleExecuteRequest {
+	return simpleExecuteRequest{Language: language, Code: code, Timeout: timeoutSec, MaxMemory: maxMemoryKB}
 }
 
 func callSimpleExecute(t *testing.T, baseURL string, req simpleExecuteRequest) simpleExecuteResponse {

sample_code_for_tests/disk_spammer.cpp

@@ -0,0 +1,22 @@
+#include <stdio.h>
+#include <string.h>
+
+int main() {
+    static char buf[1024 * 1024];
+    memset(buf, 'A', sizeof(buf));
+
+    FILE *f = fopen("/disk_spam.bin", "w");
+    if (!f) {
+        perror("fopen");
+        return 1;
+    }
+
+    while (1) {
+        if (fwrite(buf, 1, sizeof(buf), f) != sizeof(buf)) {
+            perror("fwrite");
+            fflush(f);
+            return 1;
+        }
+        fflush(f);
+    }
+}