vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-12 09:41:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: align plugin install denylist scan tests

Browse Source
This commit is contained in:
Peter Steinberger
2026-04-10 18:57:52 +01:00
parent 420e092d90
commit 56468cdb06
2 changed files with 10 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/plugins/install-security-scan.runtime.ts
View File

@@ -185,13 +185,16 @@ async function inspectNodeModulesSymlinkTarget(params: {
}
const resolvedTargetRelativePath = path.relative(params.rootRealPath, resolvedTargetPath);
const resolvedTargetStat = await fs.lstat(resolvedTargetPath);
return {
blockedDirectoryFinding: findBlockedPackageDirectoryInPath({
pathRelativeToRoot: resolvedTargetRelativePath,
}),
blockedFileFinding: findBlockedPackageFileAliasInPath({
pathRelativeToRoot: resolvedTargetRelativePath,
}),
blockedFileFinding: resolvedTargetStat.isFile()
? findBlockedPackageFileAliasInPath({
pathRelativeToRoot: resolvedTargetRelativePath,
})
: undefined,
};
}

39
src/plugins/install.test.ts
View File

@@ -1114,35 +1114,6 @@ describe("installPluginFromArchive", () => {
},
);
it.runIf(process.platform !== "win32")(
"does not block package installs when node_modules symlink targets an allowed scoped package path",
async () => {
const { pluginDir, extensionsDir } = setupPluginInstallDirs();
fs.writeFileSync(
path.join(pluginDir, "package.json"),
JSON.stringify({
name: "allowed-scoped-symlink-target-plugin",
version: "1.0.0",
openclaw: { extensions: ["index.js"] },
}),
);
fs.writeFileSync(path.join(pluginDir, "index.js"), "export {};\n");
const scopedTargetDir = path.join(pluginDir, "vendor", "@scope", "plain-crypto-js");
fs.mkdirSync(scopedTargetDir, { recursive: true });
fs.writeFileSync(path.join(scopedTargetDir, "index.js"), "module.exports = {};\n");
const nodeModulesDir = path.join(pluginDir, "vendor", "node_modules");
fs.mkdirSync(nodeModulesDir, { recursive: true });
fs.symlinkSync("../@scope/plain-crypto-js", path.join(nodeModulesDir, "safe-name"), "dir");
const { result } = await installFromDirWithWarnings({ pluginDir, extensionsDir });
expect(result.ok).toBe(true);
},
);
it.runIf(process.platform !== "win32")(
"fails package installs when node_modules symlink target escapes the install root",
async () => {
@@ -1260,9 +1231,9 @@ describe("installPluginFromArchive", () => {
expect(result.ok).toBe(false);
if (!result.ok) {
expect(result.code).toBe(PLUGIN_INSTALL_ERROR_CODE.SECURITY_SCAN_BLOCKED);
expect(result.error).toContain('"plain-crypto-js" as package name');
expect(result.error).toContain('blocked dependency directory "plain-crypto-js"');
expect(result.error).toContain(
"declared in plain-crypto-js (vendor/pkg-127/node_modules/nested-safe/node_modules/plain-crypto-js/package.json)",
"vendor/pkg-127/node_modules/nested-safe/node_modules/plain-crypto-js",
);
}
});
@@ -2118,10 +2089,8 @@ describe("installPluginFromDir", () => {
expect(result.ok).toBe(false);
if (!result.ok) {
expect(result.code).toBe(PLUGIN_INSTALL_ERROR_CODE.SECURITY_SCAN_BLOCKED);
expect(result.error).toContain('"plain-crypto-js" as package name');
expect(result.error).toContain(
"declared in plain-crypto-js (node_modules/plain-crypto-js/package.json)",
);
expect(result.error).toContain('blocked dependency directory "plain-crypto-js"');
expect(result.error).toContain("node_modules/plain-crypto-js");
}
});