mirror of https://github.com/openclaw/openclaw.git
refactor: narrow audit browser enablement check
This commit is contained in:
Shakker
Shakker
parent
35541377d1
commit
9a88a933cf
|
|
@ -57,19 +57,32 @@ describe("safeEqualSecret", () => {
|
|||
});
|
||||
|
||||
describe("collectSmallModelRiskFindings", () => {
|
||||
const baseCfg = {
|
||||
const browserOffCfg = {
|
||||
agents: { defaults: { model: { primary: "ollama/mistral-8b" } } },
|
||||
browser: { enabled: false },
|
||||
tools: { web: { fetch: { enabled: false } } },
|
||||
} satisfies OpenClawConfig;
|
||||
const browserDefaultCfg = {
|
||||
agents: { defaults: { model: { primary: "ollama/mistral-8b" } } },
|
||||
tools: { web: { fetch: { enabled: false } } },
|
||||
} satisfies OpenClawConfig;
|
||||
|
||||
it.each([
|
||||
{
|
||||
name: "small model without sandbox all stays critical even when browser/web tools are off",
|
||||
cfg: baseCfg,
|
||||
cfg: browserOffCfg,
|
||||
env: {},
|
||||
detailIncludes: ["web=[off]", "No web/browser tools detected"],
|
||||
detailExcludes: ["web=[browser]"],
|
||||
},
|
||||
])("$name", ({ cfg, env }) => {
|
||||
{
|
||||
name: "treats browser as enabled by default when browser config is omitted",
|
||||
cfg: browserDefaultCfg,
|
||||
env: {},
|
||||
detailIncludes: ["web=[browser]"],
|
||||
detailExcludes: ["No web/browser tools detected"],
|
||||
},
|
||||
])("$name", ({ cfg, env, detailIncludes, detailExcludes }) => {
|
||||
const [finding] = collectSmallModelRiskFindings({
|
||||
cfg,
|
||||
env,
|
||||
|
|
@ -78,7 +91,11 @@ describe("collectSmallModelRiskFindings", () => {
|
|||
expect(finding?.checkId).toBe("models.small_params");
|
||||
expect(finding?.severity).toBe("critical");
|
||||
expect(finding?.detail).toContain("ollama/mistral-8b");
|
||||
expect(finding?.detail).toContain("web=[off]");
|
||||
expect(finding?.detail).toContain("No web/browser tools detected");
|
||||
for (const snippet of detailIncludes) {
|
||||
expect(finding?.detail).toContain(snippet);
|
||||
}
|
||||
for (const snippet of detailExcludes) {
|
||||
expect(finding?.detail).not.toContain(snippet);
|
||||
}
|
||||
});
|
||||
});
|
||||
|
|
|
|||
|
|
@ -23,7 +23,6 @@ import {
|
|||
DEFAULT_DANGEROUS_NODE_COMMANDS,
|
||||
resolveNodeCommandAllowlist,
|
||||
} from "../gateway/node-command-policy.js";
|
||||
import { resolveBrowserConfig } from "../plugin-sdk/browser-config.js";
|
||||
import { hasBundledWebSearchCredential } from "../plugins/bundled-web-search-registry.js";
|
||||
import { inferParamBFromIdOrName } from "../shared/model-param-b.js";
|
||||
import { pickSandboxToolPolicy } from "./audit-tool-policy.js";
|
||||
|
|
@ -350,11 +349,9 @@ function isWebFetchEnabled(cfg: OpenClawConfig): boolean {
|
|||
}
|
||||
|
||||
function isBrowserEnabled(cfg: OpenClawConfig): boolean {
|
||||
try {
|
||||
return resolveBrowserConfig(cfg.browser, cfg).enabled;
|
||||
} catch {
|
||||
return true;
|
||||
}
|
||||
// The audit only needs the enablement policy, not full browser runtime
|
||||
// resolution. Browser defaults to enabled unless it is explicitly disabled.
|
||||
return cfg.browser?.enabled !== false;
|
||||
}
|
||||
|
||||
function listGroupPolicyOpen(cfg: OpenClawConfig): string[] {
|
||||
|
|
|
|||
Loading…
Reference in New Issue