refactor: harden safe-bin trusted dir diagnostics

2026-05-09 11:07:41 +00:00 · 2026-02-24 23:29:12 +00:00
parent 5c2a483375
commit 4355e08262
10 changed files with 391 additions and 7 deletions
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -438,6 +438,50 @@ describe("security audit", () => {
    );
  });

+  it("warns for risky safeBinTrustedDirs entries", async () => {
+    const cfg: OpenClawConfig = {
+      tools: {
+        exec: {
+          safeBinTrustedDirs: ["/usr/local/bin", "/tmp/openclaw-safe-bins"],
+        },
+      },
+      agents: {
+        list: [
+          {
+            id: "ops",
+            tools: {
+              exec: {
+                safeBinTrustedDirs: ["./relative-bin-dir"],
+              },
+            },
+          },
+        ],
+      },
+    };
+
+    const res = await audit(cfg);
+    const finding = res.findings.find(
+      (f) => f.checkId === "tools.exec.safe_bin_trusted_dirs_risky",
+    );
+    expect(finding?.severity).toBe("warn");
+    expect(finding?.detail).toContain("/usr/local/bin");
+    expect(finding?.detail).toContain("/tmp/openclaw-safe-bins");
+    expect(finding?.detail).toContain("agents.list.ops.tools.exec");
+  });
+
+  it("does not warn for non-risky absolute safeBinTrustedDirs entries", async () => {
+    const cfg: OpenClawConfig = {
+      tools: {
+        exec: {
+          safeBinTrustedDirs: ["/usr/libexec"],
+        },
+      },
+    };
+
+    const res = await audit(cfg);
+    expectNoFinding(res, "tools.exec.safe_bin_trusted_dirs_risky");
+  });
+
  it("evaluates loopback control UI and logging exposure findings", async () => {
    const cases: Array<{
      name: string;