mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-05 17:00:21 +00:00
97 lines
2.8 KiB
TypeScript
97 lines
2.8 KiB
TypeScript
import { describe, expect, it, vi } from "vitest";
|
|
import { collectDiscordSecurityAuditFindings } from "../../extensions/discord/contract-api.js";
|
|
import type { ResolvedDiscordAccount } from "../../extensions/discord/src/accounts.js";
|
|
import type { OpenClawConfig } from "../config/config.js";
|
|
|
|
const { readChannelAllowFromStoreMock } = vi.hoisted(() => ({
|
|
readChannelAllowFromStoreMock: vi.fn(async () => [] as string[]),
|
|
}));
|
|
|
|
vi.mock("openclaw/plugin-sdk/conversation-runtime", () => ({
|
|
readChannelAllowFromStore: readChannelAllowFromStoreMock,
|
|
}));
|
|
|
|
function createAccount(
|
|
config: NonNullable<OpenClawConfig["channels"]>["discord"],
|
|
): ResolvedDiscordAccount {
|
|
return {
|
|
accountId: "default",
|
|
enabled: true,
|
|
token: "t",
|
|
tokenSource: "config",
|
|
config,
|
|
};
|
|
}
|
|
|
|
describe("security audit discord native command findings", () => {
|
|
it("evaluates Discord native command allowlist findings", async () => {
|
|
const cases = [
|
|
{
|
|
name: "flags missing guild user allowlists",
|
|
cfg: {
|
|
commands: { native: true },
|
|
channels: {
|
|
discord: {
|
|
enabled: true,
|
|
token: "t",
|
|
groupPolicy: "allowlist",
|
|
guilds: {
|
|
"123": {
|
|
channels: {
|
|
general: { enabled: true },
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
} as OpenClawConfig,
|
|
expectFinding: true,
|
|
},
|
|
{
|
|
name: "does not flag when dm.allowFrom includes a Discord snowflake id",
|
|
cfg: {
|
|
commands: { native: true },
|
|
channels: {
|
|
discord: {
|
|
enabled: true,
|
|
token: "t",
|
|
dm: { allowFrom: ["387380367612706819"] },
|
|
groupPolicy: "allowlist",
|
|
guilds: {
|
|
"123": {
|
|
channels: {
|
|
general: { enabled: true },
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
} as OpenClawConfig,
|
|
expectFinding: false,
|
|
},
|
|
] as const;
|
|
|
|
for (const testCase of cases) {
|
|
readChannelAllowFromStoreMock.mockResolvedValue([]);
|
|
const discord = testCase.cfg.channels?.discord;
|
|
if (!discord) {
|
|
throw new Error("discord config required");
|
|
}
|
|
const findings = await collectDiscordSecurityAuditFindings({
|
|
cfg: testCase.cfg as OpenClawConfig & { channels: { discord: typeof discord } },
|
|
account: createAccount(discord),
|
|
accountId: "default",
|
|
orderedAccountIds: ["default"],
|
|
hasExplicitAccountPath: false,
|
|
});
|
|
|
|
expect(
|
|
findings.some(
|
|
(finding) => finding.checkId === "channels.discord.commands.native.no_allowlists",
|
|
),
|
|
testCase.name,
|
|
).toBe(testCase.expectFinding);
|
|
}
|
|
});
|
|
});
|