openclaw/reporting-governance-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

reporting-governance: enforce profile binding path boundary

Browse Source
This commit is contained in:
Eve
2026-05-08 10:22:41 +08:00
parent 3223feba93
commit 4f816a93a5
2 changed files with 124 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
plugins/reporting-governance/test/profile-artifact.test.mjs
View File

@@ -104,3 +104,101 @@ test('deployment profile artifact validation fails closed on boundary drift', ()
/spec\.bindings\.scripts must be an object record/
);
});
test('deployment profile artifact validation rejects absolute binding paths', () => {
assert.throws(
() => validateDeploymentProfileArtifact({
kind: 'DeploymentProfileArtifact',
apiVersion: 'reporting-governance/v1alpha1',
spec: {
package: { pluginVersion: '0.1.0-mainline' },
bindings: {
entrypoint: '/abs/path',
scripts: { watchdog: 'scripts/long_task_watchdog.mjs' },
artifact_roots: { queueItems: 'state/operator-notify-queue' },
},
},
}),
/spec\.bindings\.entrypoint must stay within repo root: absolute paths are not allowed/
);
assert.throws(
() => validateDeploymentProfileArtifact({
kind: 'DeploymentProfileArtifact',
apiVersion: 'reporting-governance/v1alpha1',
spec: {
package: { pluginVersion: '0.1.0-mainline' },
bindings: {
entrypoint: 'scripts/watchdog_auto_notify_orchestrator.mjs',
scripts: { watchdog: '/abs/path' },
artifact_roots: { queueItems: 'state/operator-notify-queue' },
},
},
}),
/spec\.bindings\.scripts\.watchdog must stay within repo root: absolute paths are not allowed/
);
});
test('deployment profile artifact validation rejects escape paths after resolution', () => {
assert.throws(
() => validateDeploymentProfileArtifact({
kind: 'DeploymentProfileArtifact',
apiVersion: 'reporting-governance/v1alpha1',
spec: {
package: { pluginVersion: '0.1.0-mainline' },
bindings: {
entrypoint: '../../escape',
scripts: { watchdog: 'scripts/long_task_watchdog.mjs' },
artifact_roots: { queueItems: 'state/operator-notify-queue' },
},
},
}),
/spec\.bindings\.entrypoint must stay within repo root: path escapes root boundary/
);
assert.throws(
() => createDeploymentBindingContract({
artifact: {
kind: 'DeploymentProfileArtifact',
apiVersion: 'reporting-governance/v1alpha1',
spec: {
package: { pluginVersion: '0.1.0-mainline' },
bindings: {
entrypoint: 'scripts/watchdog_auto_notify_orchestrator.mjs',
scripts: { watchdog: '../../escape' },
artifact_roots: { queueItems: 'state/operator-notify-queue' },
},
},
},
repoRootOverride: repoRoot,
}),
/spec\.bindings\.scripts\.watchdog must stay within repo root: path escapes root boundary/
);
});
test('deployment binding contract allows normalized in-root paths that contain dot segments', () => {
const binding = createDeploymentBindingContract({
artifact: {
kind: 'DeploymentProfileArtifact',
apiVersion: 'reporting-governance/v1alpha1',
spec: {
package: { pluginVersion: '0.1.0-mainline' },
bindings: {
runtime: 'openclaw',
entrypoint: 'scripts/../scripts/watchdog_auto_notify_orchestrator.mjs',
scripts: {
watchdog: 'scripts/./long_task_watchdog.mjs',
},
artifact_roots: {
queueItems: 'state/../state/operator-notify-queue',
},
},
},
},
repoRootOverride: repoRoot,
});
assert.equal(binding.entrypoint, path.resolve(repoRoot, 'scripts/watchdog_auto_notify_orchestrator.mjs'));
assert.equal(binding.scripts.watchdog, path.resolve(repoRoot, 'scripts/long_task_watchdog.mjs'));
assert.equal(binding.artifactRoots.queueItems, path.resolve(repoRoot, 'state/operator-notify-queue'));
});