openclaw/reporting-governance-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: harden profile artifact path boundaries

Browse Source
This commit is contained in:
Eve
2026-05-08 10:48:41 +08:00
parent 8c7aca145e
commit 173de01bdb
4 changed files with 114 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
plugins/reporting-governance/test/profile-artifact.test.mjs
View File

@@ -8,6 +8,7 @@ import {
loadDeploymentProfileArtifact,
createDeploymentBindingContract,
validateDeploymentProfileArtifact,
assertUseTimePathWithinRepoRoot,
} from '../src/storage/profile-artifact.mjs';
import { createRuntimeBinding } from '../src/adapters/index.mjs';
@@ -259,3 +260,66 @@ test('deployment profile artifact validation rejects artifact_roots symlink esca
/spec\.bindings\.artifact_roots\.queueItems must stay within repo root: symlink resolution escapes realpath boundary/
);
});
test('deployment profile artifact validation rejects entrypoint and scripts symlink escapes after realpath resolution', async (t) => {
const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'reporting-governance-profile-artifact-scripts-'));
t.after(() => fs.rmSync(sandbox, { recursive: true, force: true }));
const fakeRepoRoot = path.join(sandbox, 'repo');
const outsideRoot = path.join(sandbox, 'outside');
fs.mkdirSync(fakeRepoRoot, { recursive: true });
fs.mkdirSync(outsideRoot, { recursive: true });
fs.symlinkSync(outsideRoot, path.join(fakeRepoRoot, 'scripts-link'), 'dir');
fs.writeFileSync(path.join(fakeRepoRoot, 'safe-watchdog.mjs'), `export default true;\n`);
fs.writeFileSync(path.join(outsideRoot, 'entry.mjs'), `export default true;\n`);
fs.writeFileSync(path.join(fakeRepoRoot, 'entry.mjs'), `export default true;\n`);
fs.writeFileSync(path.join(outsideRoot, 'watchdog.mjs'), `export default true;\n`);
assert.throws(
() => validateDeploymentProfileArtifact(createArtifact({
spec: {
package: { pluginVersion: '0.1.0-mainline' },
bindings: {
entrypoint: 'scripts-link/entry.mjs',
scripts: { watchdog: 'safe-watchdog.mjs' },
artifact_roots: { queueItems: 'state/operator-notify-queue' },
},
},
}), { repoRootOverride: fakeRepoRoot }),
/spec\.bindings\.entrypoint must stay within repo root: symlink resolution escapes realpath boundary/
);
assert.throws(
() => validateDeploymentProfileArtifact(createArtifact({
spec: {
package: { pluginVersion: '0.1.0-mainline' },
bindings: {
entrypoint: 'entry.mjs',
scripts: { watchdog: 'scripts-link/watchdog.mjs' },
artifact_roots: { queueItems: 'state/operator-notify-queue' },
},
},
}), { repoRootOverride: fakeRepoRoot }),
/spec\.bindings\.scripts\.watchdog must stay within repo root: symlink resolution escapes realpath boundary/
);
});
test('use-time repo-root boundary check rejects symlink escapes for missing artifact leaf', async (t) => {
const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'reporting-governance-use-time-boundary-'));
t.after(() => fs.rmSync(sandbox, { recursive: true, force: true }));
const fakeRepoRoot = path.join(sandbox, 'repo');
const outsideRoot = path.join(sandbox, 'outside');
fs.mkdirSync(fakeRepoRoot, { recursive: true });
fs.mkdirSync(outsideRoot, { recursive: true });
fs.symlinkSync(outsideRoot, path.join(fakeRepoRoot, 'queue-link'), 'dir');
assert.throws(
() => assertUseTimePathWithinRepoRoot(path.join(fakeRepoRoot, 'queue-link', 'pending'), 'orchestrator adapter queueDir', {
repoRootOverride: fakeRepoRoot,
allowMissingLeaf: true,
}),
/orchestrator adapter queueDir must stay within repo root: symlink resolution escapes realpath boundary/
);
});