github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 04:17:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

test(config): dedupe traversal include assertions

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 23:14:59 +00:00
parent c4aac407dc
commit 71c17da2ba
1 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/config/includes.test.ts
View File

@@ -388,6 +388,18 @@ describe("real-world config patterns", () => {
}); });
}); });
describe("security: path traversal protection (CWE-22)", () => { describe("security: path traversal protection (CWE-22)", () => {
function expectRejectedTraversalPaths(
cases: ReadonlyArray<{ includePath: string; expectEscapesMessage: boolean }>,
) {
for (const testCase of cases) {
const obj = { $include: testCase.includePath };
expect(() => resolve(obj, {}), testCase.includePath).toThrow(ConfigIncludeError);
if (testCase.expectEscapesMessage) {
expect(() => resolve(obj, {}), testCase.includePath).toThrow(/escapes config directory/);
}
}
}
describe("absolute path attacks", () => { describe("absolute path attacks", () => {
it("rejects absolute path attack variants", () => { it("rejects absolute path attack variants", () => {
const cases = [ const cases = [
@@ -397,13 +409,7 @@ describe("security: path traversal protection (CWE-22)", () => {
{ includePath: "/tmp/malicious.json", expectEscapesMessage: false }, { includePath: "/tmp/malicious.json", expectEscapesMessage: false },
{ includePath: "/", expectEscapesMessage: false }, { includePath: "/", expectEscapesMessage: false },
] as const; ] as const;
for (const testCase of cases) { expectRejectedTraversalPaths(cases);
const obj = { $include: testCase.includePath };
expectResolveIncludeError(() => resolve(obj, {}));
if (testCase.expectEscapesMessage) {
expectResolveIncludeError(() => resolve(obj, {}), /escapes config directory/);
}
}
}); });
}); });
@@ -416,13 +422,7 @@ describe("security: path traversal protection (CWE-22)", () => {
{ includePath: "../sibling-dir/secret.json", expectEscapesMessage: false }, { includePath: "../sibling-dir/secret.json", expectEscapesMessage: false },
{ includePath: "/config/../../../etc/passwd", expectEscapesMessage: false }, { includePath: "/config/../../../etc/passwd", expectEscapesMessage: false },
] as const; ] as const;
for (const testCase of cases) { expectRejectedTraversalPaths(cases);
const obj = { $include: testCase.includePath };
expectResolveIncludeError(() => resolve(obj, {}));
if (testCase.expectEscapesMessage) {
expectResolveIncludeError(() => resolve(obj, {}), /escapes config directory/);
}
}
}); });
}); });