vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 23:10:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fc065b2693bfaeff795a88d080ff5cf30fe8addf
openclaw/test/fixtures/system-run-command-contract.json
Pavan Kumar Gondhi fc065b2693 Harden macOS shell wrapper allowlist parsing [AI] (#78518) 
* fix: harden shell wrapper allowlist parsing

* fix: harden shell wrapper approval binding

* docs: add changelog entry for PR merge

---------

Co-authored-by: Ishaan <ishaan@Ishaans-Mac-mini.local>
2026-05-08 10:18:41 +05:30

130 lines
4.4 KiB
JSON
Raw Blame History

{
"cases": [
{
"name": "direct argv infers display command",
"command": ["echo", "hi there"],
"expected": {
"valid": true,
"displayCommand": "echo \"hi there\""
}
},
{
"name": "direct argv rejects mismatched raw command",
"command": ["uname", "-a"],
"rawCommand": "echo hi",
"expected": {
"valid": false,
"errorContains": "rawCommand does not match command"
}
},
{
"name": "shell wrapper accepts shell payload raw command at ingress",
"command": ["/bin/sh", "-lc", "echo hi"],
"rawCommand": "echo hi",
"expected": {
"valid": true,
"displayCommand": "/bin/sh -lc \"echo hi\""
}
},
{
"name": "non-sh login shell wrapper requires full argv display binding",
"command": ["/bin/bash", "-lc", "/usr/bin/printf ok"],
"rawCommand": "/usr/bin/printf ok",
"expected": {
"valid": false,
"errorContains": "rawCommand does not match command"
}
},
{
"name": "shell wrapper positional argv carrier requires full argv display binding",
"command": ["/bin/sh", "-lc", "$0 \"$1\"", "/usr/bin/touch", "/tmp/marker"],
"rawCommand": "$0 \"$1\"",
"expected": {
"valid": false,
"errorContains": "rawCommand does not match command"
}
},
{
"name": "shell wrapper positional argv carrier accepts canonical full argv raw command",
"command": ["/bin/sh", "-lc", "$0 \"$1\"", "/usr/bin/touch", "/tmp/marker"],
"rawCommand": "/bin/sh -lc \"$0 \\\"$1\\\"\" /usr/bin/touch /tmp/marker",
"expected": {
"valid": true,
"displayCommand": "/bin/sh -lc \"$0 \\\"$1\\\"\" /usr/bin/touch /tmp/marker"
}
},
{
"name": "env wrapper shell payload accepted at ingress when prelude has no env modifiers",
"command": ["/usr/bin/env", "sh", "-lc", "echo hi"],
"rawCommand": "echo hi",
"expected": {
"valid": true,
"displayCommand": "/usr/bin/env sh -lc \"echo hi\""
}
},
{
"name": "env wrapper accepts canonical full argv raw command",
"command": ["/usr/bin/env", "bash", "-lc", "echo hi"],
"rawCommand": "/usr/bin/env bash -lc \"echo hi\"",
"expected": {
"valid": true,
"displayCommand": "/usr/bin/env bash -lc \"echo hi\""
}
},
{
"name": "env assignment prelude requires full argv display binding",
"command": ["/usr/bin/env", "BASH_ENV=/tmp/payload.sh", "bash", "-lc", "echo hi"],
"rawCommand": "echo hi",
"expected": {
"valid": false,
"errorContains": "rawCommand does not match command"
}
},
{
"name": "env assignment prelude accepts canonical full argv raw command",
"command": ["/usr/bin/env", "BASH_ENV=/tmp/payload.sh", "bash", "-lc", "echo hi"],
"rawCommand": "/usr/bin/env BASH_ENV=/tmp/payload.sh bash -lc \"echo hi\"",
"expected": {
"valid": true,
"displayCommand": "/usr/bin/env BASH_ENV=/tmp/payload.sh bash -lc \"echo hi\""
}
},
{
"name": "login shell wrapper requires full argv display binding",
"command": ["/bin/bash", "--login", "-c", "/usr/bin/printf ok"],
"rawCommand": "/usr/bin/printf ok",
"expected": {
"valid": false,
"errorContains": "rawCommand does not match command"
}
},
{
"name": "login shell wrapper accepts canonical full argv raw command",
"command": ["/bin/bash", "--login", "-c", "/usr/bin/printf ok"],
"rawCommand": "/bin/bash --login -c \"/usr/bin/printf ok\"",
"expected": {
"valid": true,
"displayCommand": "/bin/bash --login -c \"/usr/bin/printf ok\""
}
},
{
"name": "interactive shell wrapper requires full argv display binding",
"command": ["/bin/bash", "-i", "-c", "/usr/bin/printf ok"],
"rawCommand": "/usr/bin/printf ok",
"expected": {
"valid": false,
"errorContains": "rawCommand does not match command"
}
},
{
"name": "fish init-command wrapper requires full argv display binding",
"command": ["/usr/bin/fish", "--init-command=/tmp/payload.fish", "-c", "/usr/bin/printf ok"],
"rawCommand": "/usr/bin/printf ok",
"expected": {
"valid": false,
"errorContains": "rawCommand does not match command"
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink