test: tighten security audit source assertions

Peter Steinberger
2026-05-09 23:06:28 +01:00
parent a92f7085d6
commit 5a16ec4f08
3 changed files with 50 additions and 54 deletions


@@ -113,13 +113,12 @@ describe("security audit channel source-config fallback discord", () => {
],
});
expect(findings).toEqual(
expect.arrayContaining([
expect.objectContaining({
checkId: "channels.discord.commands.native.no_allowlists",
severity: "warn",
}),
]),
const finding = findings.find(
(entry) => entry.checkId === "channels.discord.commands.native.no_allowlists",
);
if (!finding) {
throw new Error("Expected Discord native command no-allowlists finding");
}
expect(finding.severity).toBe("warn");
});
});
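Review bot: `findings.find(...)` inspects only the first entry carrying this checkId, so a second finding for the same check with a different severity would pass unnoticed, as it did with the old `arrayContaining` form. If the audit is meant to emit this check once per config, pin that with `const matches = findings.filter((entry) => entry.checkId === "channels.discord.commands.native.no_allowlists");` followed by `expect(matches.map((entry) => entry.severity)).toStrictEqual(["warn"]);`, which also makes the manual `throw` unnecessary. The Slack hunk (`channels.slack.commands.slash.no_allowlists`) has the same shape and would take the same change. The enclosing test starts above this hunk, so whether duplicate findings are possible is not visible here.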


@@ -128,14 +128,13 @@ describe("security audit channel source-config fallback slack", () => {
plugins: [testCase.plugin(testCase.sourceConfig)],
});
expect(findings, testCase.name).toEqual(
expect.arrayContaining([
expect.objectContaining({
checkId: "channels.slack.commands.slash.no_allowlists",
severity: "warn",
}),
]),
const finding = findings.find(
(entry) => entry.checkId === "channels.slack.commands.slash.no_allowlists",
);
if (!finding) {
throw new Error(`Expected Slack no-allowlists finding for ${testCase.name}`);
}
expect(finding.severity, testCase.name).toBe("warn");
}
});
});


@@ -68,54 +68,52 @@ describe("collectEnabledInsecureOrDangerousFlags", () => {
});
it("collects dangerous sandbox, hook, browser, and fs flags", () => {
expect(
collectEnabledInsecureOrDangerousFlagsFromContracts(
asConfig({
agents: {
defaults: {
const flags = collectEnabledInsecureOrDangerousFlagsFromContracts(
asConfig({
agents: {
defaults: {
sandbox: {
docker: {
dangerouslyAllowReservedContainerTargets: true,
dangerouslyAllowContainerNamespaceJoin: true,
},
},
},
list: [
{
id: "worker",
sandbox: {
docker: {
dangerouslyAllowReservedContainerTargets: true,
dangerouslyAllowContainerNamespaceJoin: true,
dangerouslyAllowExternalBindSources: true,
},
},
},
list: [
{
id: "worker",
sandbox: {
docker: {
dangerouslyAllowExternalBindSources: true,
},
},
},
],
],
},
hooks: {
allowRequestSessionKey: true,
},
browser: {
ssrfPolicy: {
dangerouslyAllowPrivateNetwork: true,
},
hooks: {
allowRequestSessionKey: true,
},
tools: {
fs: {
workspaceOnly: false,
},
browser: {
ssrfPolicy: {
dangerouslyAllowPrivateNetwork: true,
},
},
tools: {
fs: {
workspaceOnly: false,
},
},
}),
),
).toEqual(
expect.arrayContaining([
"agents.defaults.sandbox.docker.dangerouslyAllowReservedContainerTargets=true",
"agents.defaults.sandbox.docker.dangerouslyAllowContainerNamespaceJoin=true",
'agents.list[id="worker"].sandbox.docker.dangerouslyAllowExternalBindSources=true',
"hooks.allowRequestSessionKey=true",
"browser.ssrfPolicy.dangerouslyAllowPrivateNetwork=true",
"tools.fs.workspaceOnly=false",
]),
},
}),
);
expect(flags).toStrictEqual([
"hooks.allowRequestSessionKey=true",
"browser.ssrfPolicy.dangerouslyAllowPrivateNetwork=true",
"tools.fs.workspaceOnly=false",
"agents.defaults.sandbox.docker.dangerouslyAllowReservedContainerTargets=true",
"agents.defaults.sandbox.docker.dangerouslyAllowContainerNamespaceJoin=true",
'agents.list[id="worker"].sandbox.docker.dangerouslyAllowExternalBindSources=true',
]);
});
it("uses stable agent ids for per-agent dangerous sandbox flags", () => {
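Review bot: The `toStrictEqual` list at the end of the "collects dangerous sandbox, hook, browser, and fs flags" test fixes the order in which the collector emits flags (hooks, browser, tools, then agents), which is not the order the keys appear in the config literal above it. Rejecting unexpected extra flags is the useful part of the tightening; the ordering looks incidental. If the order is intentional, say so in a comment above the assertion, e.g. `// emission order is asserted on purpose`. Otherwise hold the expected list in a local `expected` and compare sorted copies, `expect([...flags].sort()).toStrictEqual([...expected].sort());`, so the test still fails on missing or extra flags without depending on traversal order. The surrounding `describe` block starts outside this hunk.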