vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-05 07:40:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block hook manifest path escapes

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-14 14:00:17 +01:00
parent 3bbd29bef9
commit 18e8bd68c5
3 changed files with 88 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
src/hooks/workspace.test.ts Normal file
View File

@@ -0,0 +1,69 @@
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
import { describe, expect, it } from "vitest";
import { MANIFEST_KEY } from "../compat/legacy-names.js";
import { loadHookEntriesFromDir } from "./workspace.js";
describe("hooks workspace", () => {
it("ignores package.json hook paths that traverse outside package directory", () => {
const root = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-hooks-workspace-"));
const hooksRoot = path.join(root, "hooks");
fs.mkdirSync(hooksRoot, { recursive: true });
const pkgDir = path.join(hooksRoot, "pkg");
fs.mkdirSync(pkgDir, { recursive: true });
const outsideHookDir = path.join(root, "outside");
fs.mkdirSync(outsideHookDir, { recursive: true });
fs.writeFileSync(path.join(outsideHookDir, "HOOK.md"), "---\nname: outside\n---\n");
fs.writeFileSync(path.join(outsideHookDir, "handler.js"), "export default async () => {};\n");
fs.writeFileSync(
path.join(pkgDir, "package.json"),
JSON.stringify(
{
name: "pkg",
[MANIFEST_KEY]: {
hooks: ["../outside"],
},
},
null,
2,
),
);
const entries = loadHookEntriesFromDir({ dir: hooksRoot, source: "openclaw-workspace" });
expect(entries.some((e) => e.hook.name === "outside")).toBe(false);
});
it("accepts package.json hook paths within package directory", () => {
const root = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-hooks-workspace-ok-"));
const hooksRoot = path.join(root, "hooks");
fs.mkdirSync(hooksRoot, { recursive: true });
const pkgDir = path.join(hooksRoot, "pkg");
const nested = path.join(pkgDir, "nested");
fs.mkdirSync(nested, { recursive: true });
fs.writeFileSync(path.join(nested, "HOOK.md"), "---\nname: nested\n---\n");
fs.writeFileSync(path.join(nested, "handler.js"), "export default async () => {};\n");
fs.writeFileSync(
path.join(pkgDir, "package.json"),
JSON.stringify(
{
name: "pkg",
[MANIFEST_KEY]: {
hooks: ["./nested"],
},
},
null,
2,
),
);
const entries = loadHookEntriesFromDir({ dir: hooksRoot, source: "openclaw-workspace" });
expect(entries.some((e) => e.hook.name === "nested")).toBe(true);
});
});