mirror of https://github.com/openclaw/openclaw.git
71 lines
2.3 KiB
TypeScript
71 lines
2.3 KiB
TypeScript
import { describe, expect, it } from "vitest";
|
|
import { matchAllowlist, type ExecAllowlistEntry } from "./exec-approvals.js";
|
|
|
|
describe("exec allowlist matching", () => {
|
|
const baseResolution = {
|
|
rawExecutable: "rg",
|
|
resolvedPath: "/opt/homebrew/bin/rg",
|
|
executableName: "rg",
|
|
};
|
|
|
|
it("handles wildcard and path matching semantics", () => {
|
|
const cases: Array<{ entries: ExecAllowlistEntry[]; expectedPattern: string | null }> = [
|
|
{ entries: [{ pattern: "RG" }], expectedPattern: null },
|
|
{ entries: [{ pattern: "/opt/**/rg" }], expectedPattern: "/opt/**/rg" },
|
|
{ entries: [{ pattern: "/opt/*/rg" }], expectedPattern: null },
|
|
];
|
|
for (const { entries, expectedPattern } of cases) {
|
|
const match = matchAllowlist(entries, baseResolution);
|
|
expect(match?.pattern ?? null).toBe(expectedPattern);
|
|
}
|
|
});
|
|
|
|
it("matches bare wildcard patterns against arbitrary resolved executables", () => {
|
|
const cases = [
|
|
baseResolution,
|
|
{
|
|
rawExecutable: "python3",
|
|
resolvedPath: "/usr/bin/python3",
|
|
executableName: "python3",
|
|
},
|
|
] as const;
|
|
for (const resolution of cases) {
|
|
expect(matchAllowlist([{ pattern: "*" }], resolution)?.pattern).toBe("*");
|
|
}
|
|
});
|
|
|
|
it("matches absolute paths containing regex metacharacters literally", () => {
|
|
const plusPathCases = ["/usr/bin/g++", "/usr/bin/clang++"] as const;
|
|
for (const candidatePath of plusPathCases) {
|
|
const match = matchAllowlist([{ pattern: candidatePath }], {
|
|
rawExecutable: candidatePath,
|
|
resolvedPath: candidatePath,
|
|
executableName: candidatePath.split("/").at(-1) ?? candidatePath,
|
|
});
|
|
expect(match?.pattern).toBe(candidatePath);
|
|
}
|
|
|
|
const literalCases = [
|
|
{
|
|
pattern: "/usr/bin/*++",
|
|
resolution: {
|
|
rawExecutable: "/usr/bin/g++",
|
|
resolvedPath: "/usr/bin/g++",
|
|
executableName: "g++",
|
|
},
|
|
},
|
|
{
|
|
pattern: "/opt/builds/tool[1](stable)",
|
|
resolution: {
|
|
rawExecutable: "/opt/builds/tool[1](stable)",
|
|
resolvedPath: "/opt/builds/tool[1](stable)",
|
|
executableName: "tool[1](stable)",
|
|
},
|
|
},
|
|
] as const;
|
|
for (const { pattern, resolution } of literalCases) {
|
|
expect(matchAllowlist([{ pattern }], resolution)?.pattern).toBe(pattern);
|
|
}
|
|
});
|
|
});
|