mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-18 14:14:45 +00:00
66 lines
1.6 KiB
TypeScript
66 lines
1.6 KiB
TypeScript
import { describe, expect, it } from "vitest";
|
|
import type { OpenClawConfig } from "../config/config.js";
|
|
import { collectExecRuntimeFindings } from "./audit.js";
|
|
|
|
function hasFinding(
|
|
checkId:
|
|
| "tools.exec.host_sandbox_no_sandbox_defaults"
|
|
| "tools.exec.host_sandbox_no_sandbox_agents",
|
|
findings: ReturnType<typeof collectExecRuntimeFindings>,
|
|
) {
|
|
return findings.some((finding) => finding.checkId === checkId && finding.severity === "warn");
|
|
}
|
|
|
|
describe("security audit exec sandbox host findings", () => {
|
|
it.each([
|
|
{
|
|
name: "defaults host is sandbox",
|
|
cfg: {
|
|
tools: {
|
|
exec: {
|
|
host: "sandbox",
|
|
},
|
|
},
|
|
agents: {
|
|
defaults: {
|
|
sandbox: {
|
|
mode: "off",
|
|
},
|
|
},
|
|
},
|
|
} satisfies OpenClawConfig,
|
|
checkId: "tools.exec.host_sandbox_no_sandbox_defaults" as const,
|
|
},
|
|
{
|
|
name: "agent override host is sandbox",
|
|
cfg: {
|
|
tools: {
|
|
exec: {
|
|
host: "gateway",
|
|
},
|
|
},
|
|
agents: {
|
|
defaults: {
|
|
sandbox: {
|
|
mode: "off",
|
|
},
|
|
},
|
|
list: [
|
|
{
|
|
id: "ops",
|
|
tools: {
|
|
exec: {
|
|
host: "sandbox",
|
|
},
|
|
},
|
|
},
|
|
],
|
|
},
|
|
} satisfies OpenClawConfig,
|
|
checkId: "tools.exec.host_sandbox_no_sandbox_agents" as const,
|
|
},
|
|
])("$name", ({ cfg, checkId }) => {
|
|
expect(hasFinding(checkId, collectExecRuntimeFindings(cfg))).toBe(true);
|
|
});
|
|
});
|