test(perf): reduce security audit and guardrail overhead

This commit is contained in:
Peter Steinberger
2026-03-02 11:41:33 +00:00
parent 316875582a
commit 735216f7e4
2 changed files with 55 additions and 75 deletions


@@ -149,6 +149,8 @@ describe("security audit", () => {
let channelSecurityStateDir = ""; let channelSecurityStateDir = "";
let sharedCodeSafetyStateDir = ""; let sharedCodeSafetyStateDir = "";
let sharedCodeSafetyWorkspaceDir = ""; let sharedCodeSafetyWorkspaceDir = "";
let sharedExtensionsStateDir = "";
let sharedInstallMetadataStateDir = "";
const makeTmpDir = async (label: string) => { const makeTmpDir = async (label: string) => {
const dir = path.join(fixtureRoot, `case-${caseId++}-${label}`); const dir = path.join(fixtureRoot, `case-${caseId++}-${label}`);
@@ -216,6 +218,13 @@ description: test skill
const codeSafetyFixture = await createSharedCodeSafetyFixture(); const codeSafetyFixture = await createSharedCodeSafetyFixture();
sharedCodeSafetyStateDir = codeSafetyFixture.stateDir; sharedCodeSafetyStateDir = codeSafetyFixture.stateDir;
sharedCodeSafetyWorkspaceDir = codeSafetyFixture.workspaceDir; sharedCodeSafetyWorkspaceDir = codeSafetyFixture.workspaceDir;
sharedExtensionsStateDir = path.join(fixtureRoot, "shared-extensions-state");
await fs.mkdir(path.join(sharedExtensionsStateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
sharedInstallMetadataStateDir = path.join(fixtureRoot, "shared-install-metadata-state");
await fs.mkdir(sharedInstallMetadataStateDir, { recursive: true });
}); });
afterAll(async () => { afterAll(async () => {
@@ -2341,50 +2350,45 @@ description: test skill
await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8"); await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8");
await fs.chmod(configPath, 0o600); await fs.chmod(configPath, 0o600);
try { const cfg: OpenClawConfig = { logging: { redactSensitive: "off" } };
const cfg: OpenClawConfig = { logging: { redactSensitive: "off" } }; const user = "DESKTOP-TEST\\Tester";
const user = "DESKTOP-TEST\\Tester"; const execIcacls = isWindows
const execIcacls = isWindows ? async (_cmd: string, args: string[]) => {
? async (_cmd: string, args: string[]) => { const target = args[0];
const target = args[0]; if (target === includePath) {
if (target === includePath) {
return {
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
stderr: "",
};
}
return { return {
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`, stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
stderr: "", stderr: "",
}; };
} }
: undefined; return {
const res = await runSecurityAudit({ stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`,
config: cfg, stderr: "",
includeFilesystem: true, };
includeChannelSecurity: false, }
stateDir, : undefined;
configPath, const res = await runSecurityAudit({
platform: isWindows ? "win32" : undefined, config: cfg,
env: isWindows includeFilesystem: true,
? { ...process.env, USERNAME: "Tester", USERDOMAIN: "DESKTOP-TEST" } includeChannelSecurity: false,
: undefined, stateDir,
execIcacls, configPath,
}); platform: isWindows ? "win32" : undefined,
env: isWindows
? { ...process.env, USERNAME: "Tester", USERDOMAIN: "DESKTOP-TEST" }
: undefined,
execIcacls,
});
const expectedCheckId = isWindows const expectedCheckId = isWindows
? "fs.config_include.perms_writable" ? "fs.config_include.perms_writable"
: "fs.config_include.perms_world_readable"; : "fs.config_include.perms_world_readable";
expect(res.findings).toEqual( expect(res.findings).toEqual(
expect.arrayContaining([ expect.arrayContaining([
expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }), expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }),
]), ]),
); );
} finally {
// Clean up temp directory with world-writable file
await fs.rm(tmp, { recursive: true, force: true });
}
}); });
it("flags extensions without plugins.allow", async () => { it("flags extensions without plugins.allow", async () => {
@@ -2396,12 +2400,7 @@ description: test skill
delete process.env.TELEGRAM_BOT_TOKEN; delete process.env.TELEGRAM_BOT_TOKEN;
delete process.env.SLACK_BOT_TOKEN; delete process.env.SLACK_BOT_TOKEN;
delete process.env.SLACK_APP_TOKEN; delete process.env.SLACK_APP_TOKEN;
const tmp = await makeTmpDir("extensions-no-allowlist"); const stateDir = sharedExtensionsStateDir;
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
try { try {
const cfg: OpenClawConfig = {}; const cfg: OpenClawConfig = {};
@@ -2443,10 +2442,6 @@ description: test skill
}); });
it("warns on unpinned npm install specs and missing integrity metadata", async () => { it("warns on unpinned npm install specs and missing integrity metadata", async () => {
const tmp = await makeTmpDir("install-metadata-warns");
const stateDir = path.join(tmp, "state");
await fs.mkdir(stateDir, { recursive: true });
const cfg: OpenClawConfig = { const cfg: OpenClawConfig = {
plugins: { plugins: {
installs: { installs: {
@@ -2472,8 +2467,8 @@ description: test skill
config: cfg, config: cfg,
includeFilesystem: true, includeFilesystem: true,
includeChannelSecurity: false, includeChannelSecurity: false,
stateDir, stateDir: sharedInstallMetadataStateDir,
configPath: path.join(stateDir, "openclaw.json"), configPath: path.join(sharedInstallMetadataStateDir, "openclaw.json"),
}); });
expect(hasFinding(res, "plugins.installs_unpinned_npm_specs", "warn")).toBe(true); expect(hasFinding(res, "plugins.installs_unpinned_npm_specs", "warn")).toBe(true);
@@ -2483,10 +2478,6 @@ description: test skill
}); });
it("does not warn on pinned npm install specs with integrity metadata", async () => { it("does not warn on pinned npm install specs with integrity metadata", async () => {
const tmp = await makeTmpDir("install-metadata-clean");
const stateDir = path.join(tmp, "state");
await fs.mkdir(stateDir, { recursive: true });
const cfg: OpenClawConfig = { const cfg: OpenClawConfig = {
plugins: { plugins: {
installs: { installs: {
@@ -2514,8 +2505,8 @@ description: test skill
config: cfg, config: cfg,
includeFilesystem: true, includeFilesystem: true,
includeChannelSecurity: false, includeChannelSecurity: false,
stateDir, stateDir: sharedInstallMetadataStateDir,
configPath: path.join(stateDir, "openclaw.json"), configPath: path.join(sharedInstallMetadataStateDir, "openclaw.json"),
}); });
expect(hasFinding(res, "plugins.installs_unpinned_npm_specs")).toBe(false); expect(hasFinding(res, "plugins.installs_unpinned_npm_specs")).toBe(false);
@@ -2580,12 +2571,7 @@ description: test skill
}); });
it("flags enabled extensions when tool policy can expose plugin tools", async () => { it("flags enabled extensions when tool policy can expose plugin tools", async () => {
const tmp = await makeTmpDir("plugins-reachable"); const stateDir = sharedExtensionsStateDir;
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
const cfg: OpenClawConfig = { const cfg: OpenClawConfig = {
plugins: { allow: ["some-plugin"] }, plugins: { allow: ["some-plugin"] },
@@ -2609,12 +2595,7 @@ description: test skill
}); });
it("does not flag plugin tool reachability when profile is restrictive", async () => { it("does not flag plugin tool reachability when profile is restrictive", async () => {
const tmp = await makeTmpDir("plugins-restrictive"); const stateDir = sharedExtensionsStateDir;
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
const cfg: OpenClawConfig = { const cfg: OpenClawConfig = {
plugins: { allow: ["some-plugin"] }, plugins: { allow: ["some-plugin"] },
@@ -2636,12 +2617,7 @@ description: test skill
it("flags unallowlisted extensions as critical when native skill commands are exposed", async () => { it("flags unallowlisted extensions as critical when native skill commands are exposed", async () => {
const prevDiscordToken = process.env.DISCORD_BOT_TOKEN; const prevDiscordToken = process.env.DISCORD_BOT_TOKEN;
delete process.env.DISCORD_BOT_TOKEN; delete process.env.DISCORD_BOT_TOKEN;
const tmp = await makeTmpDir("extensions-critical"); const stateDir = sharedExtensionsStateDir;
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
try { try {
const cfg: OpenClawConfig = { const cfg: OpenClawConfig = {
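Review bot: The cases that now take `sharedExtensionsStateDir` and `sharedInstallMetadataStateDir` all call `runSecurityAudit` with `includeFilesystem: true` against the same directories, so any file or permission change one case leaves behind becomes audit input for the next. Negative assertions such as `expect(hasFinding(res, "plugins.installs_unpinned_npm_specs")).toBe(false)` and the severity checks on `some-plugin` would then depend on test order rather than only on the config under test. Nothing visible in these hunks writes into the shared directories, so this is a guard for later edits: add a comment at the two declarations, `// Shared fixtures: read-only after beforeAll; tests that write state must use makeTmpDir().`. Separately, the include-permissions test appears to lose its `finally { await fs.rm(tmp, { recursive: true, force: true }) }`, so the deliberately loose-permission include file now seems to rely on `afterAll` for removal, and the body of `afterAll` is outside the visible hunks.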


@@ -225,7 +225,11 @@ describe("temp path guard", () => {
if (hasDynamicTmpdirJoin(file.source)) { if (hasDynamicTmpdirJoin(file.source)) {
offenders.push(relativePath); offenders.push(relativePath);
} }
if (WEAK_RANDOM_SAME_LINE_PATTERN.test(file.source)) { if (
file.source.includes("Date.now") &&
file.source.includes("Math.random") &&
WEAK_RANDOM_SAME_LINE_PATTERN.test(file.source)
) {
weakRandomMatches.push(relativePath); weakRandomMatches.push(relativePath);
} }
} }
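Review bot: The two `file.source.includes(...)` checks added in front of `WEAK_RANDOM_SAME_LINE_PATTERN.test(file.source)` are only safe while every string the pattern can match contains both literal substrings `Date.now` and `Math.random`. The pattern is defined outside this hunk, so that cannot be confirmed here. If the pattern is later widened to another weak source, the prefilter would skip those files and this guardrail would pass without reporting them. A comment above the condition would record the coupling, for example `// Perf prefilter only: keep in sync with WEAK_RANDOM_SAME_LINE_PATTERN, which must require both tokens.`. A case in this suite asserting that a known-bad sample is still reported would catch any drift.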