refactor: harden safe-bin trusted dir diagnostics

Peter Steinberger
2026-02-24 23:29:12 +00:00
parent 5c2a483375
commit 4355e08262
10 changed files with 391 additions and 7 deletions


@@ -1,3 +1,5 @@
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { describe, expect, it } from "vitest";
import { withEnv } from "../test-utils/env.js";
@@ -5,6 +7,7 @@ import {
buildTrustedSafeBinDirs,
getTrustedSafeBinDirs,
isTrustedSafeBinPath,
listWritableExplicitTrustedSafeBinDirs,
} from "./exec-safe-bin-trust.js";
describe("exec safe bin trust", () => {
@@ -69,4 +72,25 @@ describe("exec safe bin trust", () => {
expect(refreshed.has(path.resolve(injected))).toBe(false);
});
});
it("flags explicitly trusted dirs that are group/world writable", async () => {
if (process.platform === "win32") {
return;
}
const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-safe-bin-trust-"));
try {
await fs.chmod(dir, 0o777);
const hits = listWritableExplicitTrustedSafeBinDirs([dir]);
expect(hits).toEqual([
{
dir: path.resolve(dir),
groupWritable: true,
worldWritable: true,
},
]);
} finally {
await fs.chmod(dir, 0o755).catch(() => undefined);
await fs.rm(dir, { recursive: true, force: true }).catch(() => undefined);
}
});
});
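Review bot: The added test "flags explicitly trusted dirs that are group/world writable" only exercises mode `0o777`, where both flags are true, so it would still pass if the implementation set both flags whenever either write bit is present. The implementation of `listWritableExplicitTrustedSafeBinDirs` is not visible in this section, so that is a gap in coverage rather than a confirmed defect. Adding one case with `await fs.chmod(dir, 0o775)` expecting `groupWritable: true, worldWritable: false`, and one with `0o755` expecting `expect(hits).toEqual([])`, would pin the per-bit behaviour and guard the diagnostic against false positives. Separately, the early `return` on win32 makes the test report as passed on that platform; `it.skipIf(process.platform === "win32")(...)` would report it as skipped instead.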