fix(daemon): harden windows schtasks script quoting

2026-05-08 04:11:22 +00:00 · 2026-02-19 16:13:49 +01:00
parent 3a258e7ca8
commit 280c6b117b
3 changed files with 104 additions and 10 deletions
--- a/src/daemon/schtasks.install.test.ts
+++ b/src/daemon/schtasks.install.test.ts
@@ -29,7 +29,17 @@ describe("installScheduledTask", () => {
      const { scriptPath } = await installScheduledTask({
        env,
        stdout: new PassThrough(),
-        programArguments: ["node", "gateway.js", "--verbose"],
+        programArguments: [
+          "node",
+          "gateway.js",
+          "--display-name",
+          "safe&whoami",
+          "--percent",
+          "%TEMP%",
+          "--bang",
+          "!token!",
+        ],
+        workingDirectory: "C:\\temp\\poc&calc",
        environment: {
          OC_INJECT: "safe & whoami | calc",
          OC_CARET: "a^b",
@@ -40,6 +50,10 @@ describe("installScheduledTask", () => {
      });

      const script = await fs.readFile(scriptPath, "utf8");
+      expect(script).toContain('cd /d "C:\\temp\\poc&calc"');
+      expect(script).toContain(
+        'node gateway.js --display-name "safe&whoami" --percent "%%TEMP%%" --bang "^!token^!"',
+      );
      expect(script).toContain('set "OC_INJECT=safe & whoami | calc"');
      expect(script).toContain('set "OC_CARET=a^^b"');
      expect(script).toContain('set "OC_PERCENT=%%TEMP%%"');
@@ -48,6 +62,19 @@ describe("installScheduledTask", () => {
      expect(script).not.toContain("set OC_INJECT=");

      const parsed = await readScheduledTaskCommand(env);
+      expect(parsed).toMatchObject({
+        programArguments: [
+          "node",
+          "gateway.js",
+          "--display-name",
+          "safe&whoami",
+          "--percent",
+          "%TEMP%",
+          "--bang",
+          "!token!",
+        ],
+        workingDirectory: "C:\\temp\\poc&calc",
+      });
      expect(parsed?.environment).toMatchObject({
        OC_INJECT: "safe & whoami | calc",
        OC_CARET: "a^b",
@@ -63,4 +90,43 @@ describe("installScheduledTask", () => {
      await fs.rm(tmpDir, { recursive: true, force: true });
    }
  });
+
+  it("rejects line breaks in command arguments, env vars, and descriptions", async () => {
+    const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-schtasks-install-"));
+    const env = {
+      USERPROFILE: tmpDir,
+      OPENCLAW_PROFILE: "default",
+    };
+    try {
+      await expect(
+        installScheduledTask({
+          env,
+          stdout: new PassThrough(),
+          programArguments: ["node", "gateway.js", "bad\narg"],
+          environment: {},
+        }),
+      ).rejects.toThrow(/Command argument cannot contain CR or LF/);
+
+      await expect(
+        installScheduledTask({
+          env,
+          stdout: new PassThrough(),
+          programArguments: ["node", "gateway.js"],
+          environment: { BAD: "line1\r\nline2" },
+        }),
+      ).rejects.toThrow(/Environment variable value cannot contain CR or LF/);
+
+      await expect(
+        installScheduledTask({
+          env,
+          stdout: new PassThrough(),
+          description: "bad\ndescription",
+          programArguments: ["node", "gateway.js"],
+          environment: {},
+        }),
+      ).rejects.toThrow(/Task description cannot contain CR or LF/);
+    } finally {
+      await fs.rm(tmpDir, { recursive: true, force: true });
+    }
+  });
 });