vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-27 09:52:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden exec approval boundaries

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-22 09:35:16 -07:00
parent e99d44525a
commit a94ec3b79b
29 changed files with 835 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/infra/exec-inline-eval.test.ts Normal file
View File

@@ -0,0 +1,33 @@
import { describe, expect, it } from "vitest";
import {
describeInterpreterInlineEval,
detectInterpreterInlineEvalArgv,
isInterpreterLikeAllowlistPattern,
} from "./exec-inline-eval.js";
describe("exec inline eval detection", () => {
it("detects common interpreter eval flags", () => {
const cases = [
{ argv: ["python3", "-c", "print('hi')"], expected: "python3 -c" },
{ argv: ["/usr/bin/node", "--eval", "console.log('hi')"], expected: "node --eval" },
{ argv: ["perl", "-E", "say 1"], expected: "perl -e" },
{ argv: ["osascript", "-e", "beep"], expected: "osascript -e" },
];
for (const testCase of cases) {
const hit = detectInterpreterInlineEvalArgv(testCase.argv);
expect(hit).not.toBeNull();
expect(describeInterpreterInlineEval(hit!)).toBe(testCase.expected);
}
});
it("ignores normal script execution", () => {
expect(detectInterpreterInlineEvalArgv(["python3", "script.py"])).toBeNull();
expect(detectInterpreterInlineEvalArgv(["node", "script.js"])).toBeNull();
});
it("matches interpreter-like allowlist patterns", () => {
expect(isInterpreterLikeAllowlistPattern("/usr/bin/python3")).toBe(true);
expect(isInterpreterLikeAllowlistPattern("**/node")).toBe(true);
expect(isInterpreterLikeAllowlistPattern("/usr/bin/rg")).toBe(false);
});
});