fix(security): restrict default safe-bin trusted dirs

Peter Steinberger
2026-02-24 23:12:52 +00:00
parent 2d159e5e87
commit b67e600bff
6 changed files with 32 additions and 10 deletions


@@ -8,6 +8,15 @@ import {
} from "./exec-safe-bin-trust.js";
describe("exec safe bin trust", () => {
it("keeps default trusted dirs limited to immutable system paths", () => {
const dirs = getTrustedSafeBinDirs({ refresh: true });
expect(dirs.has(path.resolve("/bin"))).toBe(true);
expect(dirs.has(path.resolve("/usr/bin"))).toBe(true);
expect(dirs.has(path.resolve("/usr/local/bin"))).toBe(false);
expect(dirs.has(path.resolve("/opt/homebrew/bin"))).toBe(false);
});
it("builds trusted dirs from defaults and explicit extra dirs", () => {
const dirs = buildTrustedSafeBinDirs({
baseDirs: ["/usr/bin"],