Summary
The androidContainerUtility.ts module contains critical input-validation functions (validateAppName, validateFilePath, validateFileContent) and command dispatch logic (executeCommandAsApp, executeCommandWithSu) used by the Network Inspector to push/pull files on Android devices. This module was recently touched by a security fix (CVE-2026-9277) but has no dedicated unit tests.
Why this is useful
Validation functions are security-sensitive (path traversal prevention, app name allowlist) and have subtle branching behavior (fallback from run-as to su, error classification via RunAsError). Unit tests lock in the expected behavior, catch regressions from future refactors, and document the security invariants in an executable form — consistent with the recent test additions for NetworkInspectorServer (#2694) and DebuggerEndpointHelper (#2705).
Suggested scope
- Cover
validateAppName: valid names pass, invalid characters reject
- Cover
validateFilePath: allowed paths pass, .. traversal and forbidden characters reject
- Cover
validateFileContent: no quotes pass, content with quotes reject
- Cover
_executeCommandWithRunner: mock adbHelper.executeShellCommand and assert RunAsError is thrown for not an application / not debuggable / not permitted outputs
- Cover
_push fallback path: run-as failure escalates to executeCommandWithSu
Evidence
src/extension/android/androidContainerUtility.ts — 255 lines, no corresponding test file in test/extension/android/- Commit
a358c4a5 (fix: upgrade shell-quote to 1.8.4, CVE-2026-9277) directly modifies this file
- Existing pattern:
test/extension/android/androidPlatform.test.ts, networkInspectorServer.test.ts
Validation
npm test (or gulp test-unit) with the new androidContainerUtility.test.ts passing all cases
Summary
The
androidContainerUtility.tsmodule contains critical input-validation functions (validateAppName,validateFilePath,validateFileContent) and command dispatch logic (executeCommandAsApp,executeCommandWithSu) used by the Network Inspector to push/pull files on Android devices. This module was recently touched by a security fix (CVE-2026-9277) but has no dedicated unit tests.Why this is useful
Validation functions are security-sensitive (path traversal prevention, app name allowlist) and have subtle branching behavior (fallback from
run-astosu, error classification viaRunAsError). Unit tests lock in the expected behavior, catch regressions from future refactors, and document the security invariants in an executable form — consistent with the recent test additions for NetworkInspectorServer (#2694) and DebuggerEndpointHelper (#2705).Suggested scope
validateAppName: valid names pass, invalid characters rejectvalidateFilePath: allowed paths pass,..traversal and forbidden characters rejectvalidateFileContent: no quotes pass, content with quotes reject_executeCommandWithRunner: mockadbHelper.executeShellCommandand assertRunAsErroris thrown fornot an application/not debuggable/not permittedoutputs_pushfallback path:run-asfailure escalates toexecuteCommandWithSuEvidence
src/extension/android/androidContainerUtility.ts— 255 lines, no corresponding test file intest/extension/android/a358c4a5(fix: upgrade shell-quote to 1.8.4, CVE-2026-9277) directly modifies this filetest/extension/android/androidPlatform.test.ts,networkInspectorServer.test.tsValidation
npm test(orgulp test-unit) with the newandroidContainerUtility.test.tspassing all cases