github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 00:28:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8c9f35cdb51692b650ddf05b259ccdd75cc9a83c
openclaw/src/agents/sandbox/sanitize-env-vars.test.ts
Peter Steinberger 5487c9adeb feat(security): add sandbox env sanitization helpers + tests
2026-02-18 02:18:02 +01:00

58 lines
1.7 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import { sanitizeEnvVars } from "./sanitize-env-vars.js";
describe("sanitizeEnvVars", () => {
it("keeps normal env vars and blocks obvious credentials", () => {
const result = sanitizeEnvVars({
NODE_ENV: "test",
OPENAI_API_KEY: "sk-live-xxx",
FOO: "bar",
GITHUB_TOKEN: "gh-token",
});
expect(result.allowed).toEqual({
NODE_ENV: "test",
FOO: "bar",
});
expect(result.blocked).toEqual(expect.arrayContaining(["OPENAI_API_KEY", "GITHUB_TOKEN"]));
});
it("blocks credentials even when suffix pattern matches", () => {
const result = sanitizeEnvVars({
MY_TOKEN: "abc",
MY_SECRET: "def",
USER: "alice",
});
expect(result.allowed).toEqual({ USER: "alice" });
expect(result.blocked).toEqual(expect.arrayContaining(["MY_TOKEN", "MY_SECRET"]));
});
it("adds warnings for suspicious values", () => {
const base64Like =
"YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQ==";
const result = sanitizeEnvVars({
USER: "alice",
SAFE_TEXT: base64Like,
NULL: "a\0b",
});
expect(result.allowed).toEqual({ USER: "alice", SAFE_TEXT: base64Like });
expect(result.blocked).toContain("NULL");
expect(result.warnings).toContain("SAFE_TEXT: Value looks like base64-encoded credential data");
});
it("supports strict mode with explicit allowlist", () => {
const result = sanitizeEnvVars(
{
NODE_ENV: "test",
FOO: "bar",
},
{ strictMode: true },
);
expect(result.allowed).toEqual({ NODE_ENV: "test" });
expect(result.blocked).toEqual(["FOO"]);
});
});
Reference in New Issue View Git Blame Copy Permalink