github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 12:41:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block grep safe-bin file-read bypass

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 11:18:19 +01:00
parent f81522af2e
commit c6ee14d60e
5 changed files with 45 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/infra/exec-safe-bin-policy.test.ts Normal file
View File

@@ -0,0 +1,22 @@
import { describe, expect, it } from "vitest";
import { SAFE_BIN_PROFILES, validateSafeBinArgv } from "./exec-safe-bin-policy.js";
describe("exec safe bin policy grep", () => {
const grepProfile = SAFE_BIN_PROFILES.grep;
it("allows stdin-only grep when pattern comes from flags", () => {
expect(validateSafeBinArgv(["-e", "needle"], grepProfile)).toBe(true);
expect(validateSafeBinArgv(["--regexp=needle"], grepProfile)).toBe(true);
});
it("blocks grep positional pattern form to avoid filename ambiguity", () => {
expect(validateSafeBinArgv(["needle"], grepProfile)).toBe(false);
});
it("blocks file positionals when pattern comes from -e/--regexp", () => {
expect(validateSafeBinArgv(["-e", "SECRET", ".env"], grepProfile)).toBe(false);
expect(validateSafeBinArgv(["--regexp", "KEY", "config.py"], grepProfile)).toBe(false);
expect(validateSafeBinArgv(["--regexp=KEY", ".env"], grepProfile)).toBe(false);
expect(validateSafeBinArgv(["-e", "KEY", "--", ".env"], grepProfile)).toBe(false);
});
});