vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 19:00:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

test(plugins): avoid release script imports in npm scan

Browse Source
This commit is contained in:
Vincent Koc
2026-05-02 16:44:54 -07:00
parent 85520f664d
commit 8409dbddd6
1 changed files with 43 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
src/plugins/npm-install-security-scan.release.test.ts
View File

@@ -1,10 +1,8 @@
import { execFileSync } from "node:child_process"; import { execFileSync } from "node:child_process";
import { copyFileSync, mkdirSync, mkdtempSync, rmSync } from "node:fs"; import { copyFileSync, mkdirSync, mkdtempSync, readdirSync, readFileSync, rmSync } from "node:fs";
import { tmpdir } from "node:os"; import { tmpdir } from "node:os";
import { dirname, join, relative, resolve, sep } from "node:path"; import { dirname, join, relative, resolve, sep } from "node:path";
import { afterEach, describe, expect, it } from "vitest"; import { afterEach, describe, expect, it } from "vitest";
import { withAugmentedPluginNpmManifestForPackage } from "../../scripts/lib/plugin-npm-package-manifest.mjs";
import { collectPublishablePluginPackages } from "../../scripts/lib/plugin-npm-release.ts";
import { isScannable, scanDirectoryWithSummary } from "../security/skill-scanner.js"; import { isScannable, scanDirectoryWithSummary } from "../security/skill-scanner.js";
type NpmPackFile = { type NpmPackFile = {
@@ -15,6 +13,11 @@ type NpmPackResult = {
files?: unknown; files?: unknown;
}; };
type PublishablePluginPackage = {
packageDir: string;
packageName: string;
};
const tempDirs: string[] = []; const tempDirs: string[] = [];
afterEach(() => { afterEach(() => {
@@ -41,15 +44,13 @@ function parseNpmPackFiles(raw: string, packageName: string): string[] {
} }
function collectNpmPackedFiles(packageDir: string, packageName: string): string[] { function collectNpmPackedFiles(packageDir: string, packageName: string): string[] {
return withAugmentedPluginNpmManifestForPackage({ packageDir }, ({ packageDir: cwd }) => { const raw = execFileSync("npm", ["pack", "--dry-run", "--json", "--ignore-scripts"], {
const raw = execFileSync("npm", ["pack", "--dry-run", "--json", "--ignore-scripts"], { cwd: packageDir,
cwd, encoding: "utf8",
encoding: "utf8", maxBuffer: 128 * 1024 * 1024,
maxBuffer: 128 * 1024 * 1024, stdio: ["ignore", "pipe", "pipe"],
stdio: ["ignore", "pipe", "pipe"],
});
return parseNpmPackFiles(raw, packageName);
}); });
return parseNpmPackFiles(raw, packageName);
} }
function isScannerWalkedPackedPath(packedPath: string): boolean { function isScannerWalkedPackedPath(packedPath: string): boolean {
@@ -82,6 +83,37 @@ function stageScannerRelevantPackedFiles(
return stageDir; return stageDir;
} }
function collectPublishablePluginPackages(): PublishablePluginPackage[] {
return readdirSync("extensions", { withFileTypes: true })
.filter((entry) => entry.isDirectory())
.flatMap((entry) => {
const packageDir = join("extensions", entry.name);
const packageJsonPath = join(packageDir, "package.json");
let packageJson: {
name?: unknown;
openclaw?: { release?: { publishToNpm?: unknown } };
};
try {
packageJson = JSON.parse(readFileSync(packageJsonPath, "utf8")) as typeof packageJson;
} catch {
return [];
}
if (packageJson.openclaw?.release?.publishToNpm !== true) {
return [];
}
if (typeof packageJson.name !== "string" || !packageJson.name.trim()) {
return [];
}
return [
{
packageDir,
packageName: packageJson.name,
},
];
})
.toSorted((left, right) => left.packageName.localeCompare(right.packageName));
}
describe("publishable plugin npm package install security scan", () => { describe("publishable plugin npm package install security scan", () => {
it("keeps npm-published plugin files clear of env-harvesting hits", async () => { it("keeps npm-published plugin files clear of env-harvesting hits", async () => {
const failures: string[] = []; const failures: string[] = [];