Merge pull request #4 from greysquirr3l/security/harden-unsafe-and-env-races

greysquirr3l · web-flow · commit 8d82e5c52be9 · 2026-03-02T11:31:50.000-05:00
security: deny unsafe_code in stygian-browser; fix env-var race in jobber tests
diff --git a/crates/stygian-browser/src/config.rs b/crates/stygian-browser/src/config.rs
@@ -978,6 +978,7 @@ mod tests {
 // cleanup to isolate side effects.
 
 #[cfg(test)]
+#[allow(unsafe_code)] // env::set_var / remove_var are unsafe in Rust ≥1.93; guarded by ENV_LOCK
 mod temp_env {
     use std::env;
     use std::ffi::OsStr;
diff --git a/crates/stygian-browser/src/lib.rs b/crates/stygian-browser/src/lib.rs
@@ -1,6 +1,7 @@
 //! # stygian-browser
 //!
 #![allow(clippy::multiple_crate_versions)]
+#![deny(unsafe_code)] // All unsafe usage is confined to #[cfg(test)] modules with explicit #[allow]
 //! High-performance, anti-detection browser automation library for Rust.
 //!
 //! Built on Chrome `DevTools` Protocol (CDP) via [`chromiumoxide`](https://github.com/mattsse/chromiumoxide)
diff --git a/crates/stygian-graph/src/adapters/graphql_plugins/jobber.rs b/crates/stygian-graph/src/adapters/graphql_plugins/jobber.rs
@@ -62,6 +62,10 @@ impl GraphQlTargetPlugin for JobberPlugin {
 #[allow(unsafe_code, clippy::expect_used)] // set_var/remove_var are unsafe in Rust ≥1.93; scoped to tests only
 mod tests {
     use super::*;
+    use std::sync::Mutex;
+
+    // Serialise env-var mutations so parallel test threads don't race each other.
+    static ENV_LOCK: Mutex<()> = Mutex::new(());
 
     #[test]
     fn plugin_name_is_jobber() {
@@ -88,8 +92,11 @@ mod tests {
     #[test]
     fn default_auth_reads_env() {
         let key = "JOBBER_ACCESS_TOKEN";
+        let _guard = ENV_LOCK
+            .lock()
+            .unwrap_or_else(std::sync::PoisonError::into_inner);
         let prev = std::env::var(key).ok();
-        // SAFETY: single-threaded test; no concurrent env access
+        // SAFETY: ENV_LOCK serialises all env mutations in this module
         unsafe { std::env::set_var(key, "test-token-abc") };
 
         let auth = JobberPlugin.default_auth();
@@ -109,8 +116,11 @@ mod tests {
     #[test]
     fn default_auth_absent_when_no_env() {
         let key = "JOBBER_ACCESS_TOKEN";
+        let _guard = ENV_LOCK
+            .lock()
+            .unwrap_or_else(std::sync::PoisonError::into_inner);
         let prev = std::env::var(key).ok();
-        // SAFETY: single-threaded test; no concurrent env access
+        // SAFETY: ENV_LOCK serialises all env mutations in this module
         unsafe { std::env::remove_var(key) };
 
         assert!(JobberPlugin.default_auth().is_none());
