fix: tighten safe bin runtime policy coverage

Peter Steinberger 2026-03-13 23:55:07 +00:00
parent 699ac5ab12
commit 71a3dd80e7
2 changed files with 20 additions and 5 deletions


@ -13,8 +13,10 @@ describe("exec safe-bin runtime policy", () => {
const interpreterCases: Array<{ bin: string; expected: boolean }> = [
{ bin: "python3", expected: true },
{ bin: "python3.12", expected: true },
{ bin: " C:\\Tools\\Python3.EXE ", expected: true },
{ bin: "node", expected: true },
{ bin: "node20", expected: true },
{ bin: "/usr/local/bin/node20", expected: true },
{ bin: "ruby3.2", expected: true },
{ bin: "bash", expected: true },
{ bin: "busybox", expected: true },
@ -30,10 +32,9 @@ describe("exec safe-bin runtime policy", () => {
}
it("lists interpreter-like bins from a mixed set", () => {
expect(listInterpreterLikeSafeBins(["jq", "python3", "myfilter", "node"])).toEqual([
"node",
"python3",
]);
expect(
listInterpreterLikeSafeBins(["jq", " C:\\Tools\\Python3.EXE ", "myfilter", "/usr/bin/node"]),
).toEqual(["node", "python3"]);
});
it("merges and normalizes safe-bin profile fixtures", () => {
@ -76,6 +77,19 @@ describe("exec safe-bin runtime policy", () => {
expect(policy.unprofiledInterpreterSafeBins).toEqual(["python3"]);
});
it("prefers local safe bins over global ones when both are configured", () => {
const policy = resolveExecSafeBinRuntimePolicy({
global: {
safeBins: ["python3", "jq"],
},
local: {
safeBins: ["sort"],
},
});
expect([...policy.safeBins]).toEqual(["sort"]);
});
it("merges explicit safe-bin trusted dirs from global and local config", () => {
const customDir = path.join(path.sep, "custom", "bin");
const agentDir = path.join(path.sep, "agent", "bin");
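Review bot: The added rows in `interpreterCases` and the rewritten mixed-set expectation exercise only the `.EXE` suffix and a POSIX path, while the normalizer change in this same commit also strips `.cmd`, `.bat` and `.com`; those three branches have no coverage here. I would add rows such as `{ bin: "node.cmd", expected: true }` and `{ bin: "bash.bat", expected: true }`, plus a negative row like `{ bin: "jq.exe", expected: false }` to pin that stripping the suffix does not change how a non-interpreter is classified. The last `it(...)` block in this section continues past the end of the hunk.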


@ -65,7 +65,8 @@ function normalizeSafeBinName(raw: string): string {
return "";
}
const tail = trimmed.split(/[\\/]/).at(-1);
return tail ?? trimmed;
const normalized = tail ?? trimmed;
return normalized.replace(/\.(?:exe|cmd|bat|com)$/i, "");
}
export function isInterpreterLikeSafeBin(raw: string): boolean {
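Review bot: The suffix strip on the new `return` line removes a single trailing extension, so a name that still ends in a listed extension after one pass (a constructed example: `python3.exe.cmd`) keeps that extension and may not be recognised by the interpreter check, whose matching logic is not visible in this hunk. Since this helper feeds a policy decision, I would make the strip repeat, `return normalized.replace(/(?:\.(?:exe|cmd|bat|com))+$/i, "");`, and add a test row for the stacked case. A short comment such as `// Strip Windows executable extensions so "python3.exe" and "python3" classify the same.` would also record why these four are listed. The body of normalizeSafeBinName starts above the hunk.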