Security: expand audit checks for mDNS and real-IP fallback

2026-05-09 12:07:40 +00:00 · 2026-02-22 02:38:58 -07:00
parent b13fc7eccd
commit bc78b343ba
4 changed files with 155 additions and 25 deletions
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -973,6 +973,102 @@ describe("security audit", () => {
    expect(finding?.detail).toContain("tools.exec.applyPatch.workspaceOnly=false");
  });

+  it("scores X-Real-IP fallback risk by gateway exposure", async () => {
+    const cases: Array<{
+      name: string;
+      cfg: OpenClawConfig;
+      expectedSeverity: "warn" | "critical";
+    }> = [
+      {
+        name: "loopback gateway",
+        cfg: {
+          gateway: {
+            bind: "loopback",
+            allowRealIpFallback: true,
+            trustedProxies: ["127.0.0.1"],
+            auth: {
+              mode: "token",
+              token: "very-long-token-1234567890",
+            },
+          },
+        },
+        expectedSeverity: "warn",
+      },
+      {
+        name: "lan gateway",
+        cfg: {
+          gateway: {
+            bind: "lan",
+            allowRealIpFallback: true,
+            trustedProxies: ["10.0.0.1"],
+            auth: {
+              mode: "token",
+              token: "very-long-token-1234567890",
+            },
+          },
+        },
+        expectedSeverity: "critical",
+      },
+    ];
+
+    for (const testCase of cases) {
+      const res = await audit(testCase.cfg);
+      expect(
+        hasFinding(res, "gateway.real_ip_fallback_enabled", testCase.expectedSeverity),
+        testCase.name,
+      ).toBe(true);
+    }
+  });
+
+  it("scores mDNS full mode risk by gateway bind mode", async () => {
+    const cases: Array<{
+      name: string;
+      cfg: OpenClawConfig;
+      expectedSeverity: "warn" | "critical";
+    }> = [
+      {
+        name: "loopback gateway with full mDNS",
+        cfg: {
+          gateway: {
+            bind: "loopback",
+            auth: {
+              mode: "token",
+              token: "very-long-token-1234567890",
+            },
+          },
+          discovery: {
+            mdns: { mode: "full" },
+          },
+        },
+        expectedSeverity: "warn",
+      },
+      {
+        name: "lan gateway with full mDNS",
+        cfg: {
+          gateway: {
+            bind: "lan",
+            auth: {
+              mode: "token",
+              token: "very-long-token-1234567890",
+            },
+          },
+          discovery: {
+            mdns: { mode: "full" },
+          },
+        },
+        expectedSeverity: "critical",
+      },
+    ];
+
+    for (const testCase of cases) {
+      const res = await audit(testCase.cfg);
+      expect(
+        hasFinding(res, "discovery.mdns_full_mode", testCase.expectedSeverity),
+        testCase.name,
+      ).toBe(true);
+    }
+  });
+
  it("evaluates trusted-proxy auth guardrails", async () => {
    const cases: Array<{
      name: string;