negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(security): harden approval-bound node exec cwd handling

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 04:13:59 +01:00
parent 8f8e2b13b4
commit f789f880c9
5 changed files with 191 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/cli/nodes-cli.coverage.test.ts
View File

@@ -83,6 +83,11 @@ describe("nodes-cli coverage", () => {
const getNodeInvokeCall = () =>
callGateway.mock.calls.find((call) => call[0]?.method === "node.invoke")?.[0] as NodeInvokeCall;
const getApprovalRequestCall = () =>
callGateway.mock.calls.find((call) => call[0]?.method === "exec.approval.request")?.[0] as {
params?: Record<string, unknown>;
};
const createNodesProgram = () => {
const program = new Command();
program.exitOverride();
@@ -140,6 +145,8 @@ describe("nodes-cli coverage", () => {
runId: expect.any(String),
});
expect(invoke?.params?.timeoutMs).toBe(5000);
const approval = getApprovalRequestCall();
expect(approval?.params?.["commandArgv"]).toEqual(["echo", "hi"]);
});
it("invokes system.run with raw command", async () => {
@@ -165,6 +172,8 @@ describe("nodes-cli coverage", () => {
approvalDecision: "allow-once",
runId: expect.any(String),
});
const approval = getApprovalRequestCall();
expect(approval?.params?.["commandArgv"]).toEqual(["/bin/sh", "-lc", "echo hi"]);
});
it("invokes system.notify with provided fields", async () => {