fix: harden exec allowlist wrapper resolution

This commit is contained in:
Peter Steinberger
2026-02-22 09:51:51 +01:00
parent 48c0acc26f
commit 2b63592be5
7 changed files with 453 additions and 42 deletions


@@ -18,6 +18,7 @@ import {
normalizeSafeBins,
requiresExecApproval,
resolveCommandResolution,
resolveCommandResolutionFromArgv,
resolveAllowAlwaysPatterns,
resolveExecApprovals,
resolveExecApprovalsFromFile,
@@ -241,6 +242,30 @@ describe("exec approvals command resolution", () => {
}
}
});
it("unwraps env wrapper argv to resolve the effective executable", () => {
const dir = makeTempDir();
const binDir = path.join(dir, "bin");
fs.mkdirSync(binDir, { recursive: true });
const exeName = process.platform === "win32" ? "rg.exe" : "rg";
const exe = path.join(binDir, exeName);
fs.writeFileSync(exe, "");
fs.chmodSync(exe, 0o755);
const resolution = resolveCommandResolutionFromArgv(
["/usr/bin/env", "FOO=bar", "rg", "-n", "needle"],
undefined,
makePathEnv(binDir),
);
expect(resolution?.resolvedPath).toBe(exe);
expect(resolution?.executableName).toBe(exeName);
});
it("unwraps env wrapper with shell inner executable", () => {
const resolution = resolveCommandResolutionFromArgv(["/usr/bin/env", "bash", "-lc", "echo hi"]);
expect(resolution?.rawExecutable).toBe("bash");
expect(resolution?.executableName.toLowerCase()).toContain("bash");
});
});
describe("exec approvals shell parsing", () => {
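Review bot: The second new test, `unwraps env wrapper with shell inner executable`, resolves `bash` against the host's real PATH because no env argument is passed, whereas the first new test pins PATH to a temp bin dir via makePathEnv; on a runner without bash (Windows CI) or where `bash` resolves somewhere unexpected, the executableName assertion becomes environment-dependent. Reuse the temp-dir fixture and pass the same PATH override so the case is hermetic, e.g. `const resolution = resolveCommandResolutionFromArgv(["/usr/bin/env", "bash", "-lc", "echo hi"], undefined, makePathEnv(binDir));`. Both new tests also only exercise the happy path of env unwrapping (a `VAR=value` prefix, then a bare inner command); since the allowlist decision rests on which argv element is treated as the executable, a test where env receives option arguments (such as `-S` or `-i`) asserting either a correct unwrap or a conservative no-resolution would pin the hardening this commit claims, though the unwrapping implementation itself is outside this hunk so I cannot tell how those are handled today. The directory from makeTempDir() is not removed within the first test; presumably a shared afterEach handles cleanup, worth confirming.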