github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 17:38:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: block safeBins sort --compress-program bypass

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 19:13:53 +01:00
parent bdfb97afad
commit 57fbbaebca
6 changed files with 54 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/infra/exec-safe-bin-policy.test.ts
View File

@@ -20,3 +20,17 @@ describe("exec safe bin policy grep", () => {
expect(validateSafeBinArgv(["-e", "KEY", "--", ".env"], grepProfile)).toBe(false);
});
});
describe("exec safe bin policy sort", () => {
const sortProfile = SAFE_BIN_PROFILES.sort;
it("allows stdin-only sort flags", () => {
expect(validateSafeBinArgv(["-S", "1M"], sortProfile)).toBe(true);
expect(validateSafeBinArgv(["--key=1,1"], sortProfile)).toBe(true);
});
it("blocks sort --compress-program in safe-bin mode", () => {
expect(validateSafeBinArgv(["--compress-program=sh"], sortProfile)).toBe(false);
expect(validateSafeBinArgv(["--compress-program", "sh"], sortProfile)).toBe(false);
});
});