test: merge duplicate targetDir escape cases
@@ -223,30 +223,31 @@ describe("installSkill download extraction safety", () => {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it("rejects targetDir outside the per-skill tools root", async () => {
|
it("rejects targetDir escapes outside the per-skill tools root", async () => {
|
||||||
await withTempWorkspace(async ({ workspaceDir, stateDir }) => {
|
await withTempWorkspace(async ({ workspaceDir, stateDir }) => {
|
||||||
const targetDir = path.join(workspaceDir, "outside");
|
for (const testCase of [
|
||||||
const url = "https://example.invalid/good.zip";
|
{ name: "targetdir-escape", targetDir: path.join(workspaceDir, "outside") },
|
||||||
|
{ name: "relative-traversal", targetDir: "../outside" },
|
||||||
mockArchiveResponse(new Uint8Array(SAFE_ZIP_BUFFER));
|
]) {
|
||||||
|
mockArchiveResponse(new Uint8Array(SAFE_ZIP_BUFFER));
|
||||||
await writeDownloadSkill({
|
await writeDownloadSkill({
|
||||||
workspaceDir,
|
workspaceDir,
|
||||||
name: "targetdir-escape",
|
name: testCase.name,
|
||||||
installId: "dl",
|
installId: "dl",
|
||||||
url,
|
url: "https://example.invalid/good.zip",
|
||||||
archive: "zip",
|
archive: "zip",
|
||||||
targetDir,
|
targetDir: testCase.targetDir,
|
||||||
});
|
});
|
||||||
|
const beforeFetchCalls = fetchWithSsrFGuardMock.mock.calls.length;
|
||||||
const result = await installSkill({
|
const result = await installSkill({
|
||||||
workspaceDir,
|
workspaceDir,
|
||||||
skillName: "targetdir-escape",
|
skillName: testCase.name,
|
||||||
installId: "dl",
|
installId: "dl",
|
||||||
});
|
});
|
||||||
expect(result.ok).toBe(false);
|
expect(result.ok).toBe(false);
|
||||||
expect(result.stderr).toContain("Refusing to install outside the skill tools directory");
|
expect(result.stderr).toContain("Refusing to install outside the skill tools directory");
|
||||||
expect(fetchWithSsrFGuardMock.mock.calls.length).toBe(0);
|
expect(fetchWithSsrFGuardMock.mock.calls.length).toBe(beforeFetchCalls);
|
||||||
|
}
|
||||||
|
|
||||||
expect(stateDir.length).toBeGreaterThan(0);
|
expect(stateDir.length).toBeGreaterThan(0);
|
||||||
});
|
});
|
||||||
@@ -268,19 +269,6 @@ describe("installSkill download extraction safety", () => {
|
|||||||
).toBe("hi");
|
).toBe("hi");
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it("rejects relative targetDir traversal", async () => {
|
|
||||||
await withTempWorkspace(async ({ workspaceDir }) => {
|
|
||||||
const result = await installZipDownloadSkill({
|
|
||||||
workspaceDir,
|
|
||||||
name: "relative-traversal",
|
|
||||||
targetDir: "../outside",
|
|
||||||
});
|
|
||||||
expect(result.ok).toBe(false);
|
|
||||||
expect(result.stderr).toContain("Refusing to install outside the skill tools directory");
|
|
||||||
expect(fetchWithSsrFGuardMock.mock.calls.length).toBe(0);
|
|
||||||
});
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|
||||||
describe("installSkill download extraction safety (tar.bz2)", () => {
|
describe("installSkill download extraction safety (tar.bz2)", () => {
|
||||||
|
|||||||
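Review bot: In the merged `for (const testCase of [...])` loop of "rejects targetDir escapes outside the per-skill tools root", a failure in the `targetdir-escape` case ends the test before `relative-traversal` runs, and the assertion output does not name the failing case, so a regression in only one of the two path checks is harder to see than with the two separate `it` blocks this replaces. If the runner's `expect` accepts a message argument (Vitest does; confirm for this project), tag the assertions, e.g. `expect(result.ok, testCase.name).toBe(false);`, or switch to a parameterised test. Both cases assert only the refusal text and an unchanged `fetchWithSsrFGuardMock` call count; asserting that nothing was created at the resolved target path would pin the containment property the test name claims. The enclosing `describe` block starts and ends outside the visible hunks.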