github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 12:07:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(security): warn on likely multi-user trust-model mismatch

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-24 14:03:04 +00:00
parent 32d7756d8c
commit 4d124e4a9b
7 changed files with 236 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
src/security/audit.test.ts
View File

@@ -178,12 +178,14 @@ describe("security audit", () => {
};
const res = await audit(cfg);
const summary = res.findings.find((f) => f.checkId === "summary.attack_surface");
expect(res.findings).toEqual(
expect.arrayContaining([
expect.objectContaining({ checkId: "summary.attack_surface", severity: "info" }),
]),
);
expect(summary?.detail).toContain("trust model: personal assistant");
});
it("flags non-loopback bind without auth as critical", async () => {
@@ -2696,6 +2698,51 @@ description: test skill
).toBe(false);
});
it("warns when config heuristics suggest a likely multi-user setup", async () => {
const cfg: OpenClawConfig = {
channels: {
discord: {
groupPolicy: "allowlist",
guilds: {
"1234567890": {
channels: {
"7777777777": { allow: true },
},
},
},
},
},
tools: { elevated: { enabled: false } },
};
const res = await audit(cfg);
const finding = res.findings.find(
(f) => f.checkId === "security.trust_model.multi_user_heuristic",
);
expect(finding?.severity).toBe("warn");
expect(finding?.detail).toContain(
'channels.discord.groupPolicy="allowlist" with configured group targets',
);
expect(finding?.detail).toContain("personal-assistant");
expect(finding?.remediation).toContain('agents.defaults.sandbox.mode="all"');
});
it("does not warn for multi-user heuristic when no shared-user signals are configured", async () => {
const cfg: OpenClawConfig = {
channels: {
discord: {
groupPolicy: "allowlist",
},
},
tools: { elevated: { enabled: false } },
};
const res = await audit(cfg);
expectNoFinding(res, "security.trust_model.multi_user_heuristic");
});
describe("maybeProbeGateway auth selection", () => {
const makeProbeCapture = () => {
let capturedAuth: { token?: string; password?: string } | undefined;