refactor(security): enforce v1 node exec approval binding

Peter Steinberger
2026-02-26 18:08:51 +01:00
parent f4391c1725
commit 10481097f8
19 changed files with 447 additions and 184 deletions


@@ -14,7 +14,6 @@
}
},
"invoke": {
"cmdText": "git diff",
"argv": ["git", "diff"],
"binding": {
"cwd": null,
@@ -39,7 +38,6 @@
}
},
"invoke": {
"cmdText": "git diff",
"argv": ["git", "diff"],
"binding": {
"cwd": null,
@@ -63,7 +61,6 @@
}
},
"invoke": {
"cmdText": "git diff",
"argv": ["git", "diff"],
"binding": {
"cwd": null,
@@ -75,14 +72,13 @@
"expected": { "ok": false, "code": "APPROVAL_ENV_BINDING_MISSING" }
},
{
"name": "legacy rejects argv mismatch",
"name": "missing binding rejects requests even with matching argv",
"request": {
"host": "node",
"command": "echo SAFE",
"commandArgv": ["echo SAFE"]
"commandArgv": ["echo", "SAFE"]
},
"invoke": {
"cmdText": "echo SAFE",
"argv": ["echo", "SAFE"],
"binding": {
"cwd": null,
@@ -93,21 +89,24 @@
"expected": { "ok": false, "code": "APPROVAL_REQUEST_MISMATCH" }
},
{
"name": "legacy accepts matching env hash",
"name": "v1 stays authoritative when legacy command text diverges",
"request": {
"host": "node",
"command": "git diff",
"commandArgv": ["git", "diff"],
"envHashFrom": { "SAFE_A": "1", "SAFE_B": "2" }
"command": "echo STALE",
"commandArgv": ["echo", "STALE"],
"bindingV1": {
"argv": ["echo", "SAFE"],
"cwd": null,
"agentId": null,
"sessionKey": null
}
},
"invoke": {
"cmdText": "git diff",
"argv": ["git", "diff"],
"argv": ["echo", "SAFE"],
"binding": {
"cwd": null,
"agentId": null,
"sessionKey": null,
"env": { "SAFE_B": "2", "SAFE_A": "1" }
"sessionKey": null
}
},
"expected": { "ok": true }


@@ -0,0 +1,67 @@
{
"cases": [
{
"name": "request mismatch preserves base details",
"runId": "approval-req-1",
"match": {
"ok": false,
"code": "APPROVAL_REQUEST_MISMATCH",
"message": "approval id does not match request"
},
"expected": {
"ok": false,
"message": "approval id does not match request",
"details": {
"code": "APPROVAL_REQUEST_MISMATCH",
"runId": "approval-req-1"
}
}
},
{
"name": "missing env binding keeps env key details",
"runId": "approval-env-missing",
"match": {
"ok": false,
"code": "APPROVAL_ENV_BINDING_MISSING",
"message": "approval id missing env binding for requested env overrides",
"details": {
"envKeys": ["GIT_EXTERNAL_DIFF"]
}
},
"expected": {
"ok": false,
"message": "approval id missing env binding for requested env overrides",
"details": {
"code": "APPROVAL_ENV_BINDING_MISSING",
"runId": "approval-env-missing",
"envKeys": ["GIT_EXTERNAL_DIFF"]
}
}
},
{
"name": "env mismatch preserves hash diagnostics",
"runId": "approval-env-mismatch",
"match": {
"ok": false,
"code": "APPROVAL_ENV_MISMATCH",
"message": "approval id env binding mismatch",
"details": {
"envKeys": ["SAFE_A"],
"expectedEnvHash": "expected-hash",
"actualEnvHash": "actual-hash"
}
},
"expected": {
"ok": false,
"message": "approval id env binding mismatch",
"details": {
"code": "APPROVAL_ENV_MISMATCH",
"runId": "approval-env-mismatch",
"envKeys": ["SAFE_A"],
"expectedEnvHash": "expected-hash",
"actualEnvHash": "actual-hash"
}
}
}
]
}
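Review bot: None of the three cases pins what happens when `match.details` itself carries a `code` or `runId` key, so the merge precedence between the base fields and the pass-through details is untested. Since `expected.details.code` is what callers presumably branch on, a case should assert that the authoritative `code` and `runId` win over anything in `match.details`. The case below uses constructed values and assumes the base fields take precedence; adjust the expectation if the mapper is meant to behave differently.

```json
{
  "name": "match details cannot override base code or runId",
  "runId": "approval-collision",
  "match": {
    "ok": false,
    "code": "APPROVAL_ENV_MISMATCH",
    "message": "approval id env binding mismatch",
    "details": {
      "code": "CONSTRUCTED_OTHER_CODE",
      "runId": "constructed-other-run"
    }
  },
  "expected": {
    "ok": false,
    "message": "approval id env binding mismatch",
    "details": {
      "code": "APPROVAL_ENV_MISMATCH",
      "runId": "approval-collision"
    }
  }
}
```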