admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

test(perf): reduce security audit and guardrail overhead

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 11:41:33 +00:00
parent 316875582a
commit 735216f7e4
2 changed files with 55 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
src/security/audit.test.ts
View File

@@ -149,6 +149,8 @@ describe("security audit", () => {
let channelSecurityStateDir = "";
let sharedCodeSafetyStateDir = "";
let sharedCodeSafetyWorkspaceDir = "";
let sharedExtensionsStateDir = "";
let sharedInstallMetadataStateDir = "";
const makeTmpDir = async (label: string) => {
const dir = path.join(fixtureRoot, `case-${caseId++}-${label}`);
@@ -216,6 +218,13 @@ description: test skill
const codeSafetyFixture = await createSharedCodeSafetyFixture();
sharedCodeSafetyStateDir = codeSafetyFixture.stateDir;
sharedCodeSafetyWorkspaceDir = codeSafetyFixture.workspaceDir;
sharedExtensionsStateDir = path.join(fixtureRoot, "shared-extensions-state");
await fs.mkdir(path.join(sharedExtensionsStateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
sharedInstallMetadataStateDir = path.join(fixtureRoot, "shared-install-metadata-state");
await fs.mkdir(sharedInstallMetadataStateDir, { recursive: true });
});
afterAll(async () => {
@@ -2341,50 +2350,45 @@ description: test skill
await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8");
await fs.chmod(configPath, 0o600);
try {
const cfg: OpenClawConfig = { logging: { redactSensitive: "off" } };
const user = "DESKTOP-TEST\\Tester";
const execIcacls = isWindows
? async (_cmd: string, args: string[]) => {
const target = args[0];
if (target === includePath) {
return {
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
stderr: "",
};
}
const cfg: OpenClawConfig = { logging: { redactSensitive: "off" } };
const user = "DESKTOP-TEST\\Tester";
const execIcacls = isWindows
? async (_cmd: string, args: string[]) => {
const target = args[0];
if (target === includePath) {
return {
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`,
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
stderr: "",
};
}
: undefined;
const res = await runSecurityAudit({
config: cfg,
includeFilesystem: true,
includeChannelSecurity: false,
stateDir,
configPath,
platform: isWindows ? "win32" : undefined,
env: isWindows
? { ...process.env, USERNAME: "Tester", USERDOMAIN: "DESKTOP-TEST" }
: undefined,
execIcacls,
});
return {
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`,
stderr: "",
};
}
: undefined;
const res = await runSecurityAudit({
config: cfg,
includeFilesystem: true,
includeChannelSecurity: false,
stateDir,
configPath,
platform: isWindows ? "win32" : undefined,
env: isWindows
? { ...process.env, USERNAME: "Tester", USERDOMAIN: "DESKTOP-TEST" }
: undefined,
execIcacls,
});
const expectedCheckId = isWindows
? "fs.config_include.perms_writable"
: "fs.config_include.perms_world_readable";
const expectedCheckId = isWindows
? "fs.config_include.perms_writable"
: "fs.config_include.perms_world_readable";
expect(res.findings).toEqual(
expect.arrayContaining([
expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }),
]),
);
} finally {
// Clean up temp directory with world-writable file
await fs.rm(tmp, { recursive: true, force: true });
}
expect(res.findings).toEqual(
expect.arrayContaining([
expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }),
]),
);
});
it("flags extensions without plugins.allow", async () => {
@@ -2396,12 +2400,7 @@ description: test skill
delete process.env.TELEGRAM_BOT_TOKEN;
delete process.env.SLACK_BOT_TOKEN;
delete process.env.SLACK_APP_TOKEN;
const tmp = await makeTmpDir("extensions-no-allowlist");
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
const stateDir = sharedExtensionsStateDir;
try {
const cfg: OpenClawConfig = {};
@@ -2443,10 +2442,6 @@ description: test skill
});
it("warns on unpinned npm install specs and missing integrity metadata", async () => {
const tmp = await makeTmpDir("install-metadata-warns");
const stateDir = path.join(tmp, "state");
await fs.mkdir(stateDir, { recursive: true });
const cfg: OpenClawConfig = {
plugins: {
installs: {
@@ -2472,8 +2467,8 @@ description: test skill
config: cfg,
includeFilesystem: true,
includeChannelSecurity: false,
stateDir,
configPath: path.join(stateDir, "openclaw.json"),
stateDir: sharedInstallMetadataStateDir,
configPath: path.join(sharedInstallMetadataStateDir, "openclaw.json"),
});
expect(hasFinding(res, "plugins.installs_unpinned_npm_specs", "warn")).toBe(true);
@@ -2483,10 +2478,6 @@ description: test skill
});
it("does not warn on pinned npm install specs with integrity metadata", async () => {
const tmp = await makeTmpDir("install-metadata-clean");
const stateDir = path.join(tmp, "state");
await fs.mkdir(stateDir, { recursive: true });
const cfg: OpenClawConfig = {
plugins: {
installs: {
@@ -2514,8 +2505,8 @@ description: test skill
config: cfg,
includeFilesystem: true,
includeChannelSecurity: false,
stateDir,
configPath: path.join(stateDir, "openclaw.json"),
stateDir: sharedInstallMetadataStateDir,
configPath: path.join(sharedInstallMetadataStateDir, "openclaw.json"),
});
expect(hasFinding(res, "plugins.installs_unpinned_npm_specs")).toBe(false);
@@ -2580,12 +2571,7 @@ description: test skill
});
it("flags enabled extensions when tool policy can expose plugin tools", async () => {
const tmp = await makeTmpDir("plugins-reachable");
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
const stateDir = sharedExtensionsStateDir;
const cfg: OpenClawConfig = {
plugins: { allow: ["some-plugin"] },
@@ -2609,12 +2595,7 @@ description: test skill
});
it("does not flag plugin tool reachability when profile is restrictive", async () => {
const tmp = await makeTmpDir("plugins-restrictive");
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
const stateDir = sharedExtensionsStateDir;
const cfg: OpenClawConfig = {
plugins: { allow: ["some-plugin"] },
@@ -2636,12 +2617,7 @@ description: test skill
it("flags unallowlisted extensions as critical when native skill commands are exposed", async () => {
const prevDiscordToken = process.env.DISCORD_BOT_TOKEN;
delete process.env.DISCORD_BOT_TOKEN;
const tmp = await makeTmpDir("extensions-critical");
const stateDir = path.join(tmp, "state");
await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
recursive: true,
mode: 0o700,
});
const stateDir = sharedExtensionsStateDir;
try {
const cfg: OpenClawConfig = {

6
src/security/temp-path-guard.test.ts
View File

@@ -225,7 +225,11 @@ describe("temp path guard", () => {
if (hasDynamicTmpdirJoin(file.source)) {
offenders.push(relativePath);
}
if (WEAK_RANDOM_SAME_LINE_PATTERN.test(file.source)) {
if (
file.source.includes("Date.now") &&
file.source.includes("Math.random") &&
WEAK_RANDOM_SAME_LINE_PATTERN.test(file.source)
) {
weakRandomMatches.push(relativePath);
}
}