vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 06:30:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: keep plugin audit check ids stable

Browse Source
This commit is contained in:
Shakker
2026-04-25 23:18:38 +01:00
parent c79399dc68
commit 56f4264f1b
3 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/gateway/security/audit-checks.md
View File

@@ -97,9 +97,9 @@ exhaustive):
| `tools.exec.safe_bin_trusted_dirs_risky` | warn | `safeBinTrustedDirs` includes mutable or risky directories | `tools.exec.safeBinTrustedDirs`, `agents.list[].tools.exec.safeBinTrustedDirs` | no |
| `skills.workspace.symlink_escape` | warn | Workspace `skills/**/SKILL.md` resolves outside workspace root (symlink-chain drift) | workspace `skills/**` filesystem state | no |
| `plugins.extensions_no_allowlist` | warn | Plugins are installed without an explicit plugin allowlist | `plugins.allowlist` | no |
| `plugins.index_unpinned_npm_specs` | warn | Plugin install records are not pinned to immutable npm specs | plugin install metadata | no |
| `plugins.index_missing_integrity` | warn | Plugin install records lack integrity metadata | plugin install metadata | no |
| `plugins.index_version_drift` | warn | Plugin install records drift from installed packages | plugin install metadata | no |
| `plugins.installs_unpinned_npm_specs` | warn | Plugin index records are not pinned to immutable npm specs | plugin install metadata | no |
| `plugins.installs_missing_integrity` | warn | Plugin index records lack integrity metadata | plugin install metadata | no |
| `plugins.installs_version_drift` | warn | Plugin index records drift from installed packages | plugin install metadata | no |
| `plugins.code_safety` | warn/critical | Plugin code scan found suspicious or dangerous patterns | plugin code / install source | no |
| `plugins.code_safety.entry_path` | warn | Plugin entry path points into hidden or `node_modules` locations | plugin manifest `entry` | no |
| `plugins.code_safety.entry_escape` | critical | Plugin entry escapes the plugin directory | plugin manifest `entry` | no |

10
src/security/audit-plugins-trust.test.ts
View File

@@ -189,8 +189,8 @@ describe("security audit install metadata findings", () => {
);
},
expectedPresent: [
"plugins.index_unpinned_npm_specs",
"plugins.index_missing_integrity",
"plugins.installs_unpinned_npm_specs",
"plugins.installs_missing_integrity",
"hooks.installs_unpinned_npm_specs",
"hooks.installs_missing_integrity",
],
@@ -224,8 +224,8 @@ describe("security audit install metadata findings", () => {
);
},
expectedAbsent: [
"plugins.index_unpinned_npm_specs",
"plugins.index_missing_integrity",
"plugins.installs_unpinned_npm_specs",
"plugins.installs_missing_integrity",
"hooks.installs_unpinned_npm_specs",
"hooks.installs_missing_integrity",
],
@@ -260,7 +260,7 @@ describe("security audit install metadata findings", () => {
stateDir,
);
},
expectedPresent: ["plugins.index_version_drift", "hooks.installs_version_drift"],
expectedPresent: ["plugins.installs_version_drift", "hooks.installs_version_drift"],
},
];

6
src/security/audit-plugins-trust.ts
View File

@@ -433,7 +433,7 @@ export async function collectPluginsTrustFindings(params: {
.map(([pluginId, record]) => `${pluginId} (${record.spec})`);
if (unpinned.length > 0) {
findings.push({
checkId: "plugins.index_unpinned_npm_specs",
checkId: "plugins.installs_unpinned_npm_specs",
severity: "warn",
title: "Plugin index includes unpinned npm specs",
detail: `Unpinned plugin index install records:\n${unpinned.map((entry) => `- ${entry}`).join("\n")}`,
@@ -449,7 +449,7 @@ export async function collectPluginsTrustFindings(params: {
.map(([pluginId]) => pluginId);
if (missingIntegrity.length > 0) {
findings.push({
checkId: "plugins.index_missing_integrity",
checkId: "plugins.installs_missing_integrity",
severity: "warn",
title: "Plugin index is missing integrity metadata",
detail: `Plugin index records missing integrity:\n${missingIntegrity.map((entry) => `- ${entry}`).join("\n")}`,
@@ -475,7 +475,7 @@ export async function collectPluginsTrustFindings(params: {
}
if (pluginVersionDrift.length > 0) {
findings.push({
checkId: "plugins.index_version_drift",
checkId: "plugins.installs_version_drift",
severity: "warn",
title: "Plugin index records drift from installed package versions",
detail: `Detected plugin install metadata drift:\n${pluginVersionDrift.map((entry) => `- ${entry}`).join("\n")}`,