test: tighten safe bin policy coverage

Peter Steinberger 2026-03-13 23:54:12 +00:00
parent 2e409da274
commit 699ac5ab12
1 changed files with 19 additions and 0 deletions


@ -53,6 +53,12 @@ describe("exec safe bin policy sort", () => {
expect(validateSafeBinArgv(["--ke=1,1"], sortProfile)).toBe(true);
});
it("rejects missing or path-like values for allowed flags", () => {
expect(validateSafeBinArgv(["--key"], sortProfile)).toBe(false);
expect(validateSafeBinArgv(["--key", "./fields.txt"], sortProfile)).toBe(false);
expect(validateSafeBinArgv(["-S", "C:\\temp\\buffer"], sortProfile)).toBe(false);
});
it("blocks sort --compress-program in safe-bin mode", () => {
expect(validateSafeBinArgv(["--compress-program=sh"], sortProfile)).toBe(false);
expect(validateSafeBinArgv(["--compress-program", "sh"], sortProfile)).toBe(false);
@ -78,6 +84,19 @@ describe("exec safe bin policy wc", () => {
});
});
describe("exec safe bin policy token hygiene", () => {
it("rejects path-like and glob positional tokens after the terminator", () => {
const grepProfile = SAFE_BIN_PROFILES.grep;
expect(validateSafeBinArgv(["-e", "needle", "--", "../secret.txt"], grepProfile)).toBe(false);
expect(validateSafeBinArgv(["-e", "needle", "--", "*.txt"], grepProfile)).toBe(false);
});
it("keeps stdin marker after the terminator non-positional", () => {
const grepProfile = SAFE_BIN_PROFILES.grep;
expect(validateSafeBinArgv(["-e", "needle", "--", "-"], grepProfile)).toBe(true);
});
});
describe("exec safe bin policy long-option metadata", () => {
it("precomputes long-option prefix mappings for compiled profiles", () => {
const sortProfile = SAFE_BIN_PROFILES.sort;
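Review bot: The new test "rejects missing or path-like values for allowed flags" in the first hunk only passes path-like values as a separate argv token, so the inline `=` form is not pinned. The neighbouring tests show the validator handles both forms (`--compress-program=sh` and `--compress-program sh`) and abbreviated long options (`--ke=1,1`). Assuming the policy is meant to reject these as well, add `expect(validateSafeBinArgv(["--key=./fields.txt"], sortProfile)).toBe(false);` and an abbreviated variant such as `["--ke=./fields.txt"]`. In the second hunk, the token-hygiene test covers a single `../` path and a single `*` glob after `--`; an absolute path and a `?` or `[...]` glob would make a regression in that check harder to miss. The final `describe` block continues outside the hunk.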