vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-04 00:50:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

test: add env -S allowlist bypass regressions

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-24 02:27:22 +00:00
parent 6634030be3
commit 3f923e8313
4 changed files with 50 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/node-host/invoke-system-run.test.ts
View File

@@ -150,7 +150,6 @@ describe("handleSystemRunInvoke mac app exec host routing", () => {
}),
);
});
it("denies ./sh wrapper spoof in allowlist on-miss mode before execution", async () => {
const marker = path.join(os.tmpdir(), `openclaw-wrapper-spoof-${process.pid}-${Date.now()}`);
const runCommand = vi.fn(async () => {
@@ -213,4 +212,21 @@ describe("handleSystemRunInvoke mac app exec host routing", () => {
// no-op
}
});
it("denies env -S shell payloads in allowlist mode", async () => {
const { runCommand, sendInvokeResult } = await runSystemInvoke({
preferMacAppExecHost: false,
security: "allowlist",
command: ["env", "-S", 'sh -c "echo pwned"'],
});
expect(runCommand).not.toHaveBeenCalled();
expect(sendInvokeResult).toHaveBeenCalledWith(
expect.objectContaining({
ok: false,
error: expect.objectContaining({
message: expect.stringContaining("allowlist miss"),
}),
}),
);
});
});