test: tighten file install warning assertion

Shakker
2026-05-11 07:12:59 +01:00
parent 3a06e08157
commit 9131545065


@@ -226,6 +226,7 @@ describe("installPluginFromPath", () => {
const sourcePath = path.join(baseDir, "payload.js");
fs.writeFileSync(sourcePath, "eval('danger');\n", "utf-8");
const expectedFinding = `Dynamic code execution detected (${sourcePath}:1)`;
const { result, warnings } = await installFromFileWithWarnings({
filePath: sourcePath,
@@ -235,11 +236,13 @@ describe("installPluginFromPath", () => {
expect(result.ok).toBe(false);
if (!result.ok) {
expect(result.code).toBe(PLUGIN_INSTALL_ERROR_CODE.SECURITY_SCAN_BLOCKED);
expect(result.error).toContain('Plugin file "payload" installation blocked');
expect(result.error).toBe(
`Plugin file "payload" installation blocked: dangerous code patterns detected: ${expectedFinding}`,
);
}
expect(warnings).toEqual(
expect.arrayContaining([expect.stringContaining("dangerous code pattern")]),
);
expect(warnings).toEqual([
`WARNING: Plugin file "payload" contains dangerous code patterns: ${expectedFinding}`,
]);
});
it("allows plain file installs with dangerous code patterns when forced unsafe install is set", async () => {
@@ -249,6 +252,7 @@ describe("installPluginFromPath", () => {
const sourcePath = path.join(baseDir, "payload.js");
fs.writeFileSync(sourcePath, "eval('danger');\n", "utf-8");
const expectedFinding = `Dynamic code execution detected (${sourcePath}:1)`;
const { result, warnings } = await installFromFileWithWarnings({
filePath: sourcePath,
@@ -257,13 +261,10 @@ describe("installPluginFromPath", () => {
});
expect(result.ok).toBe(true);
expect(
warnings.some((warning) =>
warning.includes(
"forced despite dangerous code patterns via --dangerously-force-unsafe-install",
),
),
).toBe(true);
expect(warnings).toEqual([
`WARNING: Plugin file "payload" contains dangerous code patterns: ${expectedFinding}`,
`WARNING: Plugin file "payload" installation forced despite dangerous code patterns via --dangerously-force-unsafe-install: ${expectedFinding}`,
]);
});
it("blocks hardlink alias overwrites when installing a plain file plugin", async () => {
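Review bot: The blocked-install case (the hunk starting at new line 236) now pins the exact error and warning strings, but in the visible lines it never asserts that `payload.js` stayed out of the install destination. An install path that copies the file first and only then returns `SECURITY_SCAN_BLOCKED` would still pass. Consider adding, after the warnings assertion, `expect(fs.existsSync(<installed plugin path>)).toBe(false);`, where the placeholder is built from the install directory passed in the call arguments that fall between the hunks. The forced-install case could mirror it with `.toBe(true)`, so the two outcomes are told apart by their effect on disk and not only by message text. Both test bodies begin outside the hunks, so such a check may already exist in lines not shown here.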