fix(security): flag open-group runtime/fs exposure in audit

This commit is contained in:
Peter Steinberger
2026-02-22 08:22:42 +01:00
parent 17c9d550e9
commit 049b8b14bc
5 changed files with 145 additions and 24 deletions


@@ -2150,6 +2150,63 @@ description: test skill
);
});
it("flags open groupPolicy when runtime/filesystem tools are exposed without guards", async () => {
const cfg: OpenClawConfig = {
channels: { whatsapp: { groupPolicy: "open" } },
tools: { elevated: { enabled: false } },
};
const res = await audit(cfg);
expect(res.findings).toEqual(
expect.arrayContaining([
expect.objectContaining({
checkId: "security.exposure.open_groups_with_runtime_or_fs",
severity: "critical",
}),
]),
);
});
it("does not flag runtime/filesystem exposure for open groups when sandbox mode is all", async () => {
const cfg: OpenClawConfig = {
channels: { whatsapp: { groupPolicy: "open" } },
tools: {
elevated: { enabled: false },
profile: "coding",
},
agents: {
defaults: {
sandbox: { mode: "all" },
},
},
};
const res = await audit(cfg);
expect(
res.findings.some((f) => f.checkId === "security.exposure.open_groups_with_runtime_or_fs"),
).toBe(false);
});
it("does not flag runtime/filesystem exposure for open groups when runtime is denied and fs is workspace-only", async () => {
const cfg: OpenClawConfig = {
channels: { whatsapp: { groupPolicy: "open" } },
tools: {
elevated: { enabled: false },
profile: "coding",
deny: ["group:runtime"],
fs: { workspaceOnly: true },
},
};
const res = await audit(cfg);
expect(
res.findings.some((f) => f.checkId === "security.exposure.open_groups_with_runtime_or_fs"),
).toBe(false);
});
describe("maybeProbeGateway auth selection", () => {
let envSnapshot: ReturnType<typeof captureEnv>;