perf(test): share workspace fixture in skills download safety suite

src/agents/skills-install.download.test.ts

@@ -3,11 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 import { createTempHomeEnv } from "../test-utils/temp-home.js";
-import {
+import { setTempStateDir, writeDownloadSkill } from "./skills-install.download-test-utils.js";
-  setTempStateDir,
-  withTempWorkspace,
-  writeDownloadSkill,
-} from "./skills-install.download-test-utils.js";
 import { installSkill } from "./skills-install.js";
 
 const runCommandWithTimeoutMock = vi.fn();
@@ -146,6 +142,29 @@ async function writeTarBz2Skill(params: {
   });
 }
 
+let workspaceDir = "";
+let stateDir = "";
+let restoreTempHome: (() => Promise<void>) | null = null;
+
+beforeAll(async () => {
+  const tempHome = await createTempHomeEnv("openclaw-skills-install-home-");
+  restoreTempHome = () => tempHome.restore();
+  workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-skills-install-"));
+  stateDir = setTempStateDir(workspaceDir);
+});
+
+afterAll(async () => {
+  if (workspaceDir) {
+    await fs.rm(workspaceDir, { recursive: true, force: true }).catch(() => undefined);
+    workspaceDir = "";
+    stateDir = "";
+  }
+  if (restoreTempHome) {
+    await restoreTempHome();
+    restoreTempHome = null;
+  }
+});
+
 beforeEach(() => {
   runCommandWithTimeoutMock.mockClear();
   scanDirectoryWithSummaryMock.mockClear();
@@ -161,146 +180,113 @@ beforeEach(() => {
 
 describe("installSkill download extraction safety", () => {
   it("rejects zip slip traversal", async () => {
-    await withTempWorkspace(async ({ workspaceDir, stateDir }) => {
+    const targetDir = path.join(stateDir, "tools", "zip-slip", "target");
-      const targetDir = path.join(stateDir, "tools", "zip-slip", "target");
+    const outsideWriteDir = path.join(workspaceDir, "outside-write");
-      const outsideWriteDir = path.join(workspaceDir, "outside-write");
+    const outsideWritePath = path.join(outsideWriteDir, "pwned.txt");
-      const outsideWritePath = path.join(outsideWriteDir, "pwned.txt");
+    const url = "https://example.invalid/evil.zip";
-      const url = "https://example.invalid/evil.zip";
 
-      mockArchiveResponse(new Uint8Array(ZIP_SLIP_BUFFER));
+    mockArchiveResponse(new Uint8Array(ZIP_SLIP_BUFFER));
 
-      await writeDownloadSkill({
+    await writeDownloadSkill({
-        workspaceDir,
+      workspaceDir,
-        name: "zip-slip",
+      name: "zip-slip",
-        installId: "dl",
+      installId: "dl",
-        url,
+      url,
-        archive: "zip",
+      archive: "zip",
-        targetDir,
+      targetDir,
-      });
-
-      const result = await installSkill({ workspaceDir, skillName: "zip-slip", installId: "dl" });
-      expect(result.ok).toBe(false);
-      expect(await fileExists(outsideWritePath)).toBe(false);
     });
+
+    const result = await installSkill({ workspaceDir, skillName: "zip-slip", installId: "dl" });
+    expect(result.ok).toBe(false);
+    expect(await fileExists(outsideWritePath)).toBe(false);
   });
 
   it("rejects tar.gz traversal", async () => {
-    await withTempWorkspace(async ({ workspaceDir, stateDir }) => {
+    const targetDir = path.join(stateDir, "tools", "tar-slip", "target");
-      const targetDir = path.join(stateDir, "tools", "tar-slip", "target");
+    const outsideWritePath = path.join(workspaceDir, "outside-write", "pwned.txt");
-      const outsideWritePath = path.join(workspaceDir, "outside-write", "pwned.txt");
+    const url = "https://example.invalid/evil";
-      const url = "https://example.invalid/evil";
+    mockArchiveResponse(new Uint8Array(TAR_GZ_TRAVERSAL_BUFFER));
-      mockArchiveResponse(new Uint8Array(TAR_GZ_TRAVERSAL_BUFFER));
 
-      await writeDownloadSkill({
+    await writeDownloadSkill({
-        workspaceDir,
+      workspaceDir,
-        name: "tar-slip",
+      name: "tar-slip",
-        installId: "dl",
+      installId: "dl",
-        url,
+      url,
-        archive: "tar.gz",
+      archive: "tar.gz",
-        targetDir,
+      targetDir,
-      });
-
-      const result = await installSkill({ workspaceDir, skillName: "tar-slip", installId: "dl" });
-      expect(result.ok).toBe(false);
-      expect(await fileExists(outsideWritePath)).toBe(false);
     });
+
+    const result = await installSkill({ workspaceDir, skillName: "tar-slip", installId: "dl" });
+    expect(result.ok).toBe(false);
+    expect(await fileExists(outsideWritePath)).toBe(false);
   });
 
   it("extracts zip with stripComponents safely", async () => {
-    await withTempWorkspace(async ({ workspaceDir, stateDir }) => {
+    const targetDir = path.join(stateDir, "tools", "zip-good", "target");
-      const targetDir = path.join(stateDir, "tools", "zip-good", "target");
+    const url = "https://example.invalid/good.zip";
-      const url = "https://example.invalid/good.zip";
 
-      mockArchiveResponse(new Uint8Array(STRIP_COMPONENTS_ZIP_BUFFER));
+    mockArchiveResponse(new Uint8Array(STRIP_COMPONENTS_ZIP_BUFFER));
 
-      await writeDownloadSkill({
+    await writeDownloadSkill({
-        workspaceDir,
+      workspaceDir,
-        name: "zip-good",
+      name: "zip-good",
-        installId: "dl",
+      installId: "dl",
-        url,
+      url,
-        archive: "zip",
+      archive: "zip",
-        stripComponents: 1,
+      stripComponents: 1,
-        targetDir,
+      targetDir,
-      });
-
-      const result = await installSkill({ workspaceDir, skillName: "zip-good", installId: "dl" });
-      expect(result.ok).toBe(true);
-      expect(await fs.readFile(path.join(targetDir, "hello.txt"), "utf-8")).toBe("hi");
     });
+
+    const result = await installSkill({ workspaceDir, skillName: "zip-good", installId: "dl" });
+    expect(result.ok).toBe(true);
+    expect(await fs.readFile(path.join(targetDir, "hello.txt"), "utf-8")).toBe("hi");
   });
 
   it("rejects targetDir escapes outside the per-skill tools root", async () => {
-    await withTempWorkspace(async ({ workspaceDir, stateDir }) => {
+    for (const testCase of [
-      for (const testCase of [
+      { name: "targetdir-escape", targetDir: path.join(workspaceDir, "outside") },
-        { name: "targetdir-escape", targetDir: path.join(workspaceDir, "outside") },
+      { name: "relative-traversal", targetDir: "../outside" },
-        { name: "relative-traversal", targetDir: "../outside" },
+    ]) {
-      ]) {
+      mockArchiveResponse(new Uint8Array(SAFE_ZIP_BUFFER));
-        mockArchiveResponse(new Uint8Array(SAFE_ZIP_BUFFER));
+      await writeDownloadSkill({
-        await writeDownloadSkill({
+        workspaceDir,
-          workspaceDir,
+        name: testCase.name,
-          name: testCase.name,
+        installId: "dl",
-          installId: "dl",
+        url: "https://example.invalid/good.zip",
-          url: "https://example.invalid/good.zip",
+        archive: "zip",
-          archive: "zip",
+        targetDir: testCase.targetDir,
-          targetDir: testCase.targetDir,
+      });
-        });
+      const beforeFetchCalls = fetchWithSsrFGuardMock.mock.calls.length;
-        const beforeFetchCalls = fetchWithSsrFGuardMock.mock.calls.length;
+      const result = await installSkill({
-        const result = await installSkill({
+        workspaceDir,
-          workspaceDir,
+        skillName: testCase.name,
-          skillName: testCase.name,
+        installId: "dl",
-          installId: "dl",
+      });
-        });
+      expect(result.ok).toBe(false);
-        expect(result.ok).toBe(false);
+      expect(result.stderr).toContain("Refusing to install outside the skill tools directory");
-        expect(result.stderr).toContain("Refusing to install outside the skill tools directory");
+      expect(fetchWithSsrFGuardMock.mock.calls.length).toBe(beforeFetchCalls);
-        expect(fetchWithSsrFGuardMock.mock.calls.length).toBe(beforeFetchCalls);
+    }
-      }
 
-      expect(stateDir.length).toBeGreaterThan(0);
+    expect(stateDir.length).toBeGreaterThan(0);
-    });
   });
 
   it("allows relative targetDir inside the per-skill tools root", async () => {
-    await withTempWorkspace(async ({ workspaceDir, stateDir }) => {
+    const result = await installZipDownloadSkill({
-      const result = await installZipDownloadSkill({
+      workspaceDir,
-        workspaceDir,
+      name: "relative-targetdir",
-        name: "relative-targetdir",
+      targetDir: "runtime",
-        targetDir: "runtime",
-      });
-      expect(result.ok).toBe(true);
-      expect(
-        await fs.readFile(
-          path.join(stateDir, "tools", "relative-targetdir", "runtime", "hello.txt"),
-          "utf-8",
-        ),
-      ).toBe("hi");
     });
+    expect(result.ok).toBe(true);
+    expect(
+      await fs.readFile(
+        path.join(stateDir, "tools", "relative-targetdir", "runtime", "hello.txt"),
+        "utf-8",
+      ),
+    ).toBe("hi");
   });
 });
 
 describe("installSkill download extraction safety (tar.bz2)", () => {
-  let workspaceDir = "";
-  let stateDir = "";
-  let restoreTempHome: (() => Promise<void>) | null = null;
-
-  beforeAll(async () => {
-    const tempHome = await createTempHomeEnv("openclaw-skills-install-home-");
-    restoreTempHome = () => tempHome.restore();
-    workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-skills-install-"));
-    stateDir = setTempStateDir(workspaceDir);
-  });
-
-  afterAll(async () => {
-    if (workspaceDir) {
-      await fs.rm(workspaceDir, { recursive: true, force: true }).catch(() => undefined);
-      workspaceDir = "";
-      stateDir = "";
-    }
-    if (restoreTempHome) {
-      await restoreTempHome();
-      restoreTempHome = null;
-    }
-  });
-
   it("rejects tar.bz2 traversal before extraction", async () => {
     const url = "https://example.invalid/evil.tbz2";