github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-14 04:18:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: enforce sandbox workspace mount mode (#32227) (thanks @guanyu-zhang)

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 22:58:02 +00:00
parent 7cbcbbc642
commit 02eeb08e04
3 changed files with 85 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
src/agents/sandbox/browser.create.test.ts
View File

@@ -184,4 +184,43 @@ describe("ensureSandboxBrowser create args", () => {
);
expect(result?.noVncUrl).toBeUndefined();
});
it("mounts the main workspace read-only when workspaceAccess is none", async () => {
const cfg = buildConfig(false);
cfg.workspaceAccess = "none";
await ensureSandboxBrowser({
scopeKey: "session:test",
workspaceDir: "/tmp/workspace",
agentWorkspaceDir: "/tmp/workspace",
cfg,
});
const createArgs = dockerMocks.execDocker.mock.calls.find(
(call: unknown[]) => Array.isArray(call[0]) && call[0][0] === "create",
)?.[0] as string[] | undefined;
expect(createArgs).toBeDefined();
expect(createArgs).toContain("/tmp/workspace:/workspace:ro");
});
it("keeps the main workspace writable when workspaceAccess is rw", async () => {
const cfg = buildConfig(false);
cfg.workspaceAccess = "rw";
await ensureSandboxBrowser({
scopeKey: "session:test",
workspaceDir: "/tmp/workspace",
agentWorkspaceDir: "/tmp/workspace",
cfg,
});
const createArgs = dockerMocks.execDocker.mock.calls.find(
(call: unknown[]) => Array.isArray(call[0]) && call[0][0] === "create",
)?.[0] as string[] | undefined;
expect(createArgs).toBeDefined();
expect(createArgs).toContain("/tmp/workspace:/workspace");
expect(createArgs).not.toContain("/tmp/workspace:/workspace:ro");
});
});