vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-28 06:16:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ffa6cd888fba77aee2b6cc7ede810c6dd35bbb87
openclaw/src/node-host/invoke-system-run-allowlist.test.ts
Pavan Kumar Gondhi e98760a1bf Recheck rebuilt system.run argv [AI] (#84090) 
* fix: recheck rebuilt system run argv

* docs: add changelog entry for PR merge
2026-05-20 12:30:26 +05:30

109 lines
3.1 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import { analyzeShellCommand } from "../infra/exec-approvals-analysis.js";
import { resolveExecApprovalsFromFile } from "../infra/exec-approvals.js";
import { resolveExecSafeBinRuntimePolicy } from "../infra/exec-safe-bin-runtime-policy.js";
import { resolveSystemRunExecArgv } from "./invoke-system-run-allowlist.js";
function resolveAllowlistApprovals() {
return resolveExecApprovalsFromFile({
file: {
version: 1,
defaults: {
security: "allowlist",
ask: "off",
askFallback: "deny",
},
},
});
}
describe("resolveSystemRunExecArgv", () => {
it.runIf(process.platform !== "win32")(
"keeps rebuilt shell argv behind a final allowlist check",
() => {
const env = { PATH: "/usr/bin:/bin" };
const analysis = analyzeShellCommand({
command: "head -c 16",
env,
platform: process.platform,
});
expect(analysis.ok).toBe(true);
if (!analysis.ok) {
return;
}
const result = resolveSystemRunExecArgv({
plannedAllowlistArgv: undefined,
argv: ["/bin/sh", "-lc", "head -c 16"],
security: "allowlist",
approvals: resolveAllowlistApprovals(),
safeBins: new Set(),
safeBinProfiles: {},
trustedSafeBinDirs: new Set(),
skillBins: [],
autoAllowSkills: false,
isWindows: false,
policy: {
approvedByAsk: false,
analysisOk: true,
allowlistSatisfied: true,
},
shellCommand: "head -c 16",
segments: analysis.segments,
segmentSatisfiedBy: ["safeBins"],
cwd: undefined,
env,
});
expect(result).toBeNull();
},
);
it.runIf(process.platform !== "win32")(
"returns rebuilt shell argv when the final allowlist check passes",
() => {
const env = { PATH: "/usr/bin:/bin" };
const analysis = analyzeShellCommand({
command: "head -c 16",
env,
platform: process.platform,
});
expect(analysis.ok).toBe(true);
if (!analysis.ok) {
return;
}
const safeBinPolicy = resolveExecSafeBinRuntimePolicy({
global: { safeBins: ["head"] },
});
const result = resolveSystemRunExecArgv({
plannedAllowlistArgv: undefined,
argv: ["/bin/sh", "-lc", "head -c 16"],
security: "allowlist",
approvals: resolveAllowlistApprovals(),
safeBins: safeBinPolicy.safeBins,
safeBinProfiles: safeBinPolicy.safeBinProfiles,
trustedSafeBinDirs: safeBinPolicy.trustedSafeBinDirs,
skillBins: [],
autoAllowSkills: false,
isWindows: false,
policy: {
approvedByAsk: false,
analysisOk: true,
allowlistSatisfied: true,
},
shellCommand: "head -c 16",
segments: analysis.segments,
segmentSatisfiedBy: ["safeBins"],
cwd: undefined,
env,
});
expect(result).not.toBeNull();
expect(result?.[0]).toBe("/bin/sh");
expect(result?.[2]).toContain("head");
expect(result?.[2]).not.toBe("head -c 16");
},
);
});
Reference in New Issue View Git Blame Copy Permalink