From 97c481120f0a32c92a29ea8c002e3bcd09c652ee Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Tue, 17 Mar 2026 09:14:43 +0000
Subject: [PATCH] test: merge audit extension allowlist severity cases
---
 src/security/audit.test.ts | 89 +++++++++++++-------------------------
 1 file changed, 30 insertions(+), 59 deletions(-)
diff --git a/src/security/audit.test.ts b/src/security/audit.test.ts
index 16b4ba6bc61..614002096c7 100644
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -3054,57 +3054,6 @@ description: test skill
 );
 });
 
- it("flags extensions without plugins.allow", async () => {
- const prevDiscordToken = process.env.DISCORD_BOT_TOKEN;
- const prevTelegramToken = process.env.TELEGRAM_BOT_TOKEN;
- const prevSlackBotToken = process.env.SLACK_BOT_TOKEN;
- const prevSlackAppToken = process.env.SLACK_APP_TOKEN;
- delete process.env.DISCORD_BOT_TOKEN;
- delete process.env.TELEGRAM_BOT_TOKEN;
- delete process.env.SLACK_BOT_TOKEN;
- delete process.env.SLACK_APP_TOKEN;
- const stateDir = sharedExtensionsStateDir;
-
- try {
- const cfg: OpenClawConfig = {};
- const res = await runSecurityAudit({
- config: cfg,
- includeFilesystem: true,
- includeChannelSecurity: false,
- stateDir,
- configPath: path.join(stateDir, "openclaw.json"),
- execDockerRawFn: execDockerRawUnavailable,
- });
-
- expect(res.findings).toEqual(
- expect.arrayContaining([
- expect.objectContaining({ checkId: "plugins.extensions_no_allowlist", severity: "warn" }),
- ]),
- );
- } finally {
- if (prevDiscordToken == null) {
- delete process.env.DISCORD_BOT_TOKEN;
- } else {
- process.env.DISCORD_BOT_TOKEN = prevDiscordToken;
- }
- if (prevTelegramToken == null) {
- delete process.env.TELEGRAM_BOT_TOKEN;
- } else {
- process.env.TELEGRAM_BOT_TOKEN = prevTelegramToken;
- }
- if (prevSlackBotToken == null) {
- delete process.env.SLACK_BOT_TOKEN;
- } else {
- process.env.SLACK_BOT_TOKEN = prevSlackBotToken;
- }
- if (prevSlackAppToken == null) {
- delete process.env.SLACK_APP_TOKEN;
- } else {
- process.env.SLACK_APP_TOKEN = prevSlackAppToken;
- }
- }
- });
-
 it.each([
 {
 name: "warns on unpinned npm install specs and missing integrity metadata",
@@ -3227,6 +3176,20 @@ description: test skill
 
 it("evaluates extension tool reachability findings", async () => {
 const cases = [
+ {
+ name: "flags extensions without plugins.allow",
+ cfg: {} satisfies OpenClawConfig,
+ assert: (res: SecurityAuditReport) => {
+ expect(res.findings).toEqual(
+ expect.arrayContaining([
+ expect.objectContaining({
+ checkId: "plugins.extensions_no_allowlist",
+ severity: "warn",
+ }),
+ ]),
+ );
+ },
+ },
 {
 name: "flags enabled extensions when tool policy can expose plugin tools",
 cfg: {
@@ -3300,14 +3263,22 @@ description: test skill
 },
 ] as const;
 
- await withEnvAsync({ DISCORD_BOT_TOKEN: undefined }, async () => {
- await Promise.all(
- cases.map(async (testCase) => {
- const res = await runSharedExtensionsAudit(testCase.cfg);
- testCase.assert(res);
- }),
- );
- });
+ await withEnvAsync(
+ {
+ DISCORD_BOT_TOKEN: undefined,
+ TELEGRAM_BOT_TOKEN: undefined,
+ SLACK_BOT_TOKEN: undefined,
+ SLACK_APP_TOKEN: undefined,
+ },
+ async () => {
+ await Promise.all(
+ cases.map(async (testCase) => {
+ const res = await runSharedExtensionsAudit(testCase.cfg);
+ testCase.assert(res);
+ }),
+ );
+ },
+ );
 });
 
 it("does not scan plugin code safety findings when deep audit is disabled", async () => {
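Review bot: The `name` of the merged case never reaches a failure report: in the hunk that rewrites the `withEnvAsync` call, `cases.map` runs `testCase.assert(res)` for every row concurrently, so a failing `expect.arrayContaining` on `plugins.extensions_no_allowlist` (or on any existing row) is reported without saying which case produced it. Consider rethrowing with the label inside that callback, e.g. `try { testCase.assert(res); } catch (err) { throw new Error("case " + testCase.name + " failed", { cause: err }); }` (the `cause` option needs an ES2022 lib; otherwise fold the original message into the new one), or driving the rows through an `it.each([...])` table keyed on `name`, as the table following the deleted test in the first hunk appears to do. The `it("evaluates extension tool reachability findings")` callback opens in the earlier hunk and the `cases` array continues outside both hunks.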