github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 04:31:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(docker): harden docker-setup mount validation

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 10:44:38 +01:00
parent 02123e591c
commit 7255c20ddc
3 changed files with 130 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
src/docker-setup.test.ts
View File

@@ -137,6 +137,60 @@ describe("docker-setup.sh", () => {
expect(log).toContain("--build-arg OPENCLAW_DOCKER_APT_PACKAGES=ffmpeg build-essential");
});
it("rejects injected multiline OPENCLAW_EXTRA_MOUNTS values", async () => {
if (!sandbox) {
throw new Error("sandbox missing");
}
const result = spawnSync("bash", [sandbox.scriptPath], {
cwd: sandbox.rootDir,
env: createEnv(sandbox, {
OPENCLAW_EXTRA_MOUNTS: "/tmp:/tmp\n evil-service:\n image: alpine",
}),
encoding: "utf8",
stdio: ["ignore", "ignore", "pipe"],
});
expect(result.status).not.toBe(0);
expect(result.stderr).toContain("OPENCLAW_EXTRA_MOUNTS cannot contain control characters");
});
it("rejects invalid OPENCLAW_EXTRA_MOUNTS mount format", async () => {
if (!sandbox) {
throw new Error("sandbox missing");
}
const result = spawnSync("bash", [sandbox.scriptPath], {
cwd: sandbox.rootDir,
env: createEnv(sandbox, {
OPENCLAW_EXTRA_MOUNTS: "bad mount spec",
}),
encoding: "utf8",
stdio: ["ignore", "ignore", "pipe"],
});
expect(result.status).not.toBe(0);
expect(result.stderr).toContain("Invalid mount format");
});
it("rejects invalid OPENCLAW_HOME_VOLUME names", async () => {
if (!sandbox) {
throw new Error("sandbox missing");
}
const result = spawnSync("bash", [sandbox.scriptPath], {
cwd: sandbox.rootDir,
env: createEnv(sandbox, {
OPENCLAW_HOME_VOLUME: "bad name",
}),
encoding: "utf8",
stdio: ["ignore", "ignore", "pipe"],
});
expect(result.status).not.toBe(0);
expect(result.stderr).toContain("OPENCLAW_HOME_VOLUME must match");
});
it("avoids associative arrays so the script remains Bash 3.2-compatible", async () => {
const script = await readFile(join(repoRoot, "docker-setup.sh"), "utf8");
expect(script).not.toMatch(/^\s*declare -A\b/m);