fix: block safeBins sort --compress-program bypass

Peter Steinberger
2026-02-21 19:13:53 +01:00
parent bdfb97afad
commit 57fbbaebca
6 changed files with 54 additions and 4 deletions


@@ -222,6 +222,24 @@ describe("createOpenClawCodingTools safeBins", () => {
}
});
it("blocks sort --compress-program from bypassing safeBins", async () => {
if (process.platform === "win32") {
return;
}
const { tmpDir, execTool } = await createSafeBinsExecTool({
tmpPrefix: "openclaw-safe-bins-sort-compress-",
safeBins: ["sort"],
});
await expect(
execTool.execute("call1", {
command: "sort --compress-program=sh",
workdir: tmpDir,
}),
).rejects.toThrow("exec denied: allowlist miss");
});
it("blocks shell redirection metacharacters in safeBins mode", async () => {
if (process.platform === "win32") {
return;