test: harden profile artifact path boundaries

Eve
2026-05-08 10:48:41 +08:00
parent 8c7aca145e
commit 173de01bdb
4 changed files with 114 additions and 4 deletions


@@ -1,7 +1,7 @@
import path from 'node:path';
import { ensureSuccess, parseJsonStdout, runNodeScript } from './_script-runner.mjs';
import { createRuntimeBinding, resolveScriptPath } from './runtime-binding.mjs';
import { loadDeploymentProfileArtifact, createDeploymentBindingContract } from '../storage/profile-artifact.mjs';
import { loadDeploymentProfileArtifact, createDeploymentBindingContract, assertUseTimePathWithinRepoRoot } from '../storage/profile-artifact.mjs';
export function runOrchestratorAdapter({
scriptPath = null,
@@ -44,13 +44,25 @@ export function runOrchestratorAdapter({
const resolvedDispatcherScript = path.resolve(dispatcherScript ?? resolveScriptPath('dispatcher', { runtimeBinding: binding }));
const resolvedSupervisorScript = path.resolve(supervisorScript ?? resolveScriptPath('bridgeSupervisor', { runtimeBinding: binding }));
const resolvedQueueDir = queueDir
? path.resolve(queueDir)
: deploymentBinding?.artifactRoots?.queueItems
? assertUseTimePathWithinRepoRoot(deploymentBinding.artifactRoots.queueItems, 'orchestrator adapter queueDir', { repoRootOverride, allowMissingLeaf: true })
: null;
const resolvedSpoolDir = spoolDir
? path.resolve(spoolDir)
: null;
const resolvedReceiptDir = receiptDir
? path.resolve(receiptDir)
: null;
const args = [];
if (state) args.push('--state', path.resolve(state));
if (evidenceDir) args.push('--evidence-dir', path.resolve(evidenceDir));
if (eventDir) args.push('--event-dir', path.resolve(eventDir));
if (queueDir) args.push('--queue-dir', path.resolve(queueDir));
if (spoolDir) args.push('--spool-dir', path.resolve(spoolDir));
if (receiptDir) args.push('--receipt-dir', path.resolve(receiptDir));
if (resolvedQueueDir) args.push('--queue-dir', resolvedQueueDir);
if (resolvedSpoolDir) args.push('--spool-dir', resolvedSpoolDir);
if (resolvedReceiptDir) args.push('--receipt-dir', resolvedReceiptDir);
if (resolvedWatchdogScript) args.push('--watchdog-script', resolvedWatchdogScript);
if (resolvedDispatcherScript) args.push('--dispatcher-script', resolvedDispatcherScript);
if (resolvedSupervisorScript) args.push('--supervisor-script', resolvedSupervisorScript);
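Review bot: The boundary check covers only the profile-derived fallback for `resolvedQueueDir`; an explicit `queueDir`, and `spoolDir` and `receiptDir` in every case, still reach the child script after `path.resolve` alone. If caller-supplied overrides are trusted by design, say so above the block, for example `// Explicit *Dir arguments are caller-trusted; only profile-derived roots are boundary-checked.`; otherwise route them through `assertUseTimePathWithinRepoRoot` as well. The change also starts emitting `--queue-dir` when only the deployment profile supplies a queue root, which is a behaviour change worth naming in the commit message. `runOrchestratorAdapter` begins and ends outside the hunks shown.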


@@ -53,6 +53,13 @@ function assertPathWithinRealRoot(candidatePath, label, { root, allowMissingLeaf
}
}
export function assertUseTimePathWithinRepoRoot(candidatePath, label, { repoRootOverride, allowMissingLeaf = false } = {}) {
const root = path.resolve(repoRootOverride ?? repoRoot);
const resolvedPath = path.resolve(candidatePath);
assertPathWithinRealRoot(resolvedPath, label, { root, allowMissingLeaf });
return resolvedPath;
}
function assertRelativePathWithinRoot(relativePath, label, { root, allowMissingLeaf = false }) {
const normalizedPath = assertNonEmptyString(relativePath, label);
if (path.isAbsolute(normalizedPath)) {
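Review bot: `assertUseTimePathWithinRepoRoot` accepts `candidatePath` without the `assertNonEmptyString` check that `assertRelativePathWithinRoot` applies just below it, so an empty string resolves to the process working directory and can pass the root check whenever that directory is inside the repo root. Adding `assertNonEmptyString(candidatePath, label);` as the first statement would make the two helpers consistent. Relative values are also resolved against the working directory rather than against `root`, and the function returns the lexically resolved path; assuming `assertPathWithinRealRoot` compares real paths (its body is outside this hunk), a doc comment should state both points so callers do not treat the return value as canonical.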