From 34d040644d098794bddff67f408025d1bb1730c8 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Sat, 9 May 2026 19:09:23 +0100 Subject: [PATCH] test: tighten sandbox create arg assertions --- src/agents/sandbox-create-args.test.ts | 126 ++++++++++--------------- 1 file changed, 51 insertions(+), 75 deletions(-) diff --git a/src/agents/sandbox-create-args.test.ts b/src/agents/sandbox-create-args.test.ts index 4f5fae4b9be..ec25ac95457 100644 --- a/src/agents/sandbox-create-args.test.ts +++ b/src/agents/sandbox-create-args.test.ts @@ -38,6 +38,26 @@ describe("buildSandboxCreateArgs", () => { ).toThrow(expectedMessage); } + function valuesForFlag(args: string[], flag: string): string[] { + const values: string[] = []; + for (let i = 0; i < args.length; i += 1) { + if (args[i] === flag) { + const value = args[i + 1]; + if (value) { + values.push(value); + } + } + } + return values; + } + + function expectFlagValues(args: string[], flag: string, expectedValues: string[]): void { + const values = valuesForFlag(args, flag); + for (const value of expectedValues) { + expect(values).toContain(value); + } + } + it("includes hardening and resource flags", () => { const cfg: SandboxDockerConfig = { image: "openclaw-sandbox:bookworm-slim", @@ -72,69 +92,32 @@ describe("buildSandboxCreateArgs", () => { labels: { "openclaw.sandboxBrowser": "1" }, }); - expect(args).toEqual( - expect.arrayContaining([ - "create", - "--name", - "openclaw-sbx-test", - "--label", - "openclaw.sandbox=1", - "--label", - "openclaw.sessionKey=main", - "--label", - "openclaw.createdAtMs=1700000000000", - "--label", - "openclaw.sandboxBrowser=1", - "--read-only", - "--tmpfs", - "/tmp", - "--network", - "none", - "--user", - "1000:1000", - "--cap-drop", - "ALL", - "--security-opt", - "no-new-privileges", - "--security-opt", - "seccomp=/tmp/seccomp.json", - "--security-opt", - "apparmor=openclaw-sandbox", - "--dns", - "1.1.1.1", - "--add-host", - "internal.service:10.0.0.5", - "--pids-limit", - "256", - "--memory", - "512m", - "--memory-swap", - "1024", - "--cpus", - "1.5", - ]), - ); - expect(args).toEqual( - expect.arrayContaining([ - "--env", - "LANG=C.UTF-8", - "--env", - `OPENCLAW_CLI=${OPENCLAW_CLI_ENV_VALUE}`, - ]), - ); - - const ulimitValues: string[] = []; - for (let i = 0; i < args.length; i += 1) { - if (args[i] === "--ulimit") { - const value = args[i + 1]; - if (value) { - ulimitValues.push(value); - } - } - } - expect(ulimitValues).toEqual( - expect.arrayContaining(["nofile=1024:2048", "nproc=128", "core=0"]), - ); + expect(args[0]).toBe("create"); + expectFlagValues(args, "--name", ["openclaw-sbx-test"]); + expectFlagValues(args, "--label", [ + "openclaw.sandbox=1", + "openclaw.sessionKey=main", + "openclaw.createdAtMs=1700000000000", + "openclaw.sandboxBrowser=1", + ]); + expect(args).toContain("--read-only"); + expectFlagValues(args, "--tmpfs", ["/tmp"]); + expectFlagValues(args, "--network", ["none"]); + expectFlagValues(args, "--user", ["1000:1000"]); + expectFlagValues(args, "--cap-drop", ["ALL"]); + expectFlagValues(args, "--security-opt", [ + "no-new-privileges", + "seccomp=/tmp/seccomp.json", + "apparmor=openclaw-sandbox", + ]); + expectFlagValues(args, "--dns", ["1.1.1.1"]); + expectFlagValues(args, "--add-host", ["internal.service:10.0.0.5"]); + expectFlagValues(args, "--pids-limit", ["256"]); + expectFlagValues(args, "--memory", ["512m"]); + expectFlagValues(args, "--memory-swap", ["1024"]); + expectFlagValues(args, "--cpus", ["1.5"]); + expectFlagValues(args, "--env", ["LANG=C.UTF-8", `OPENCLAW_CLI=${OPENCLAW_CLI_ENV_VALUE}`]); + expectFlagValues(args, "--ulimit", ["nofile=1024:2048", "nproc=128", "core=0"]); }); it("preserves the OpenClaw exec marker when strict env sanitization is enabled", () => { @@ -154,14 +137,7 @@ describe("buildSandboxCreateArgs", () => { }, }); - expect(args).toEqual( - expect.arrayContaining([ - "--env", - "NODE_ENV=test", - "--env", - `OPENCLAW_CLI=${OPENCLAW_CLI_ENV_VALUE}`, - ]), - ); + expectFlagValues(args, "--env", ["NODE_ENV=test", `OPENCLAW_CLI=${OPENCLAW_CLI_ENV_VALUE}`]); }); it("emits Docker GPU passthrough as a separate argument", () => { @@ -176,7 +152,7 @@ describe("buildSandboxCreateArgs", () => { createdAtMs: 1700000000000, }); - expect(args).toEqual(expect.arrayContaining(["--gpus", "device=GPU-123"])); + expectFlagValues(args, "--gpus", ["device=GPU-123"]); }); it("emits -v flags for safe custom binds", () => { @@ -308,7 +284,7 @@ describe("buildSandboxCreateArgs", () => { bindSourceRoots: ["/tmp/workspace", "/tmp/agent"], allowSourcesOutsideAllowedRoots: true, }); - expect(args).toEqual(expect.arrayContaining(["-v", "/opt/external:/data:rw"])); + expectFlagValues(args, "-v", ["/opt/external:/data:rw"]); }); it("blocks reserved /workspace target bind mounts by default", () => { @@ -325,7 +301,7 @@ describe("buildSandboxCreateArgs", () => { createdAtMs: 1700000000000, allowReservedContainerTargets: true, }); - expect(args).toEqual(expect.arrayContaining(["-v", "/tmp/override:/workspace:rw"])); + expectFlagValues(args, "-v", ["/tmp/override:/workspace:rw"]); }); it("allows container namespace join with explicit dangerous override", () => { @@ -339,6 +315,6 @@ describe("buildSandboxCreateArgs", () => { scopeKey: "main", createdAtMs: 1700000000000, }); - expect(args).toEqual(expect.arrayContaining(["--network", "container:peer"])); + expectFlagValues(args, "--network", ["container:peer"]); }); });