vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 06:10:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

test: tighten sandbox security assertions

Browse Source
This commit is contained in:
Peter Steinberger
2026-05-09 17:49:09 +01:00
parent 85ef6d248d
commit 5967218cdf
1 changed files with 18 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
src/agents/sandbox/validate-sandbox-security.test.ts
View File

@@ -16,16 +16,25 @@ function expectBindMountsToThrow(binds: string[], expected: RegExp, label: strin
expect(() => validateBindMounts(binds), label).toThrow(expected);
}
function expectBlockedTargetReason(
bind: string,
): Extract<NonNullable<ReturnType<typeof getBlockedBindReason>>, { kind: "targets" }> {
const reason = getBlockedBindReason(bind);
expect(reason?.kind).toBe("targets");
if (reason?.kind !== "targets") {
throw new Error(`expected blocked target reason for ${bind}`);
}
return reason;
}
describe("getBlockedBindReason", () => {
afterEach(() => {
vi.unstubAllEnvs();
});
it("blocks common Docker socket directories", () => {
expect(getBlockedBindReason("/run:/run")).toEqual(expect.objectContaining({ kind: "targets" }));
expect(getBlockedBindReason("/var/run:/var/run:ro")).toEqual(
expect.objectContaining({ kind: "targets" }),
);
expectBlockedTargetReason("/run:/run");
expectBlockedTargetReason("/var/run:/var/run:ro");
});
it("does not block /var by default", () => {
@@ -47,9 +56,7 @@ describe("getBlockedBindReason", () => {
] as const;
for (const source of cases) {
expect(getBlockedBindReason(`${source}:/mnt/test:ro`)).toEqual(
expect.objectContaining({ kind: "targets" }),
);
expectBlockedTargetReason(`${source}:/mnt/test:ro`);
}
});
@@ -57,12 +64,8 @@ describe("getBlockedBindReason", () => {
vi.stubEnv("HOME", "/home/tester");
vi.stubEnv("OPENCLAW_HOME", "/srv/openclaw-home");
expect(getBlockedBindReason("/home/tester/.gnupg/secring.gpg:/mnt/gnupg:ro")).toEqual(
expect.objectContaining({
kind: "targets",
blockedPath: "/home/tester/.gnupg",
}),
);
const reason = expectBlockedTargetReason("/home/tester/.gnupg/secring.gpg:/mnt/gnupg:ro");
expect(reason?.blockedPath).toBe("/home/tester/.gnupg");
});
it("blocks canonical OS-home aliases for credential paths", () => {
@@ -77,12 +80,8 @@ describe("getBlockedBindReason", () => {
symlinkSync(realHome, aliasHome);
vi.stubEnv("HOME", aliasHome);
expect(getBlockedBindReason(`${join(realHome, ".ssh", "config")}:/mnt/ssh:ro`)).toEqual(
expect.objectContaining({
kind: "targets",
blockedPath: normalizePathForSnapshot(join(realHome, ".ssh")),
}),
);
const reason = expectBlockedTargetReason(`${join(realHome, ".ssh", "config")}:/mnt/ssh:ro`);
expect(reason?.blockedPath).toBe(normalizePathForSnapshot(join(realHome, ".ssh")));
});
});