From 735216f7e4ce3ffd7976cc6645b241bf28657050 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Mon, 2 Mar 2026 11:41:33 +0000
Subject: [PATCH] test(perf): reduce security audit and guardrail overhead

---
 src/security/audit.test.ts | 124 +++++++++++----------------
 src/security/temp-path-guard.test.ts | 6 +-
 2 files changed, 55 insertions(+), 75 deletions(-)

diff --git a/src/security/audit.test.ts b/src/security/audit.test.ts
index cb77128c8..acfc6979f 100644
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -149,6 +149,8 @@ describe("security audit", () => {
 let channelSecurityStateDir = "";
 let sharedCodeSafetyStateDir = "";
 let sharedCodeSafetyWorkspaceDir = "";
+ let sharedExtensionsStateDir = "";
+ let sharedInstallMetadataStateDir = "";
 
 const makeTmpDir = async (label: string) => {
 const dir = path.join(fixtureRoot, `case-${caseId++}-${label}`);
@@ -216,6 +218,13 @@ description: test skill
 const codeSafetyFixture = await createSharedCodeSafetyFixture();
 sharedCodeSafetyStateDir = codeSafetyFixture.stateDir;
 sharedCodeSafetyWorkspaceDir = codeSafetyFixture.workspaceDir;
+ sharedExtensionsStateDir = path.join(fixtureRoot, "shared-extensions-state");
+ await fs.mkdir(path.join(sharedExtensionsStateDir, "extensions", "some-plugin"), {
+ recursive: true,
+ mode: 0o700,
+ });
+ sharedInstallMetadataStateDir = path.join(fixtureRoot, "shared-install-metadata-state");
+ await fs.mkdir(sharedInstallMetadataStateDir, { recursive: true });
 });
 
 afterAll(async () => {
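Review bot: `sharedInstallMetadataStateDir` is created with `{ recursive: true }` only, while `sharedExtensionsStateDir` two lines above gets `mode: 0o700`; both directories are later handed to `runSecurityAudit` as `stateDir` with `includeFilesystem: true`, so the install-metadata fixture's permissions now depend on the process umask instead of being pinned by the test. That asymmetry is carried over from the removed per-test `fs.mkdir(stateDir, { recursive: true })`, but with the fixture now shared it would surface in both install-metadata tests at once if the audit's filesystem checks (outside this diff) ever report a permissive state directory on a CI host. Creating both fixtures the same way keeps them equivalent: `await fs.mkdir(sharedInstallMetadataStateDir, { recursive: true, mode: 0o700 });`. The `beforeAll` and `afterAll` bodies continue outside the hunk.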
@@ -2341,50 +2350,45 @@ description: test skill
 await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8");
 await fs.chmod(configPath, 0o600);
 
- try {
- const cfg: OpenClawConfig = { logging: { redactSensitive: "off" } };
- const user = "DESKTOP-TEST\\Tester";
- const execIcacls = isWindows
- ? async (_cmd: string, args: string[]) => {
- const target = args[0];
- if (target === includePath) {
- return {
- stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
- stderr: "",
- };
- }
+ const cfg: OpenClawConfig = { logging: { redactSensitive: "off" } };
+ const user = "DESKTOP-TEST\\Tester";
+ const execIcacls = isWindows
+ ? async (_cmd: string, args: string[]) => {
+ const target = args[0];
+ if (target === includePath) {
 return {
- stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`,
+ stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
 stderr: "",
 };
 }
- : undefined;
- const res = await runSecurityAudit({
- config: cfg,
- includeFilesystem: true,
- includeChannelSecurity: false,
- stateDir,
- configPath,
- platform: isWindows ? "win32" : undefined,
- env: isWindows
- ? { ...process.env, USERNAME: "Tester", USERDOMAIN: "DESKTOP-TEST" }
- : undefined,
- execIcacls,
- });
+ return {
+ stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`,
+ stderr: "",
+ };
+ }
+ : undefined;
+ const res = await runSecurityAudit({
+ config: cfg,
+ includeFilesystem: true,
+ includeChannelSecurity: false,
+ stateDir,
+ configPath,
+ platform: isWindows ? "win32" : undefined,
+ env: isWindows
+ ? { ...process.env, USERNAME: "Tester", USERDOMAIN: "DESKTOP-TEST" }
+ : undefined,
+ execIcacls,
+ });
 
- const expectedCheckId = isWindows
- ? "fs.config_include.perms_writable"
+ : "fs.config_include.perms_world_readable";
 
- expect(res.findings).toEqual(
- expect.arrayContaining([
- expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }),
- ]),
- );
- } finally {
- // Clean up temp directory with world-writable file
- await fs.rm(tmp, { recursive: true, force: true });
- }
+ expect(res.findings).toEqual(
+ expect.arrayContaining([
+ expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }),
+ ]),
+ );
 });
 
 it("flags extensions without plugins.allow", async () => {
@@ -2396,12 +2400,7 @@ description: test skill
 delete process.env.TELEGRAM_BOT_TOKEN;
 delete process.env.SLACK_BOT_TOKEN;
 delete process.env.SLACK_APP_TOKEN;
- const tmp = await makeTmpDir("extensions-no-allowlist");
- const stateDir = path.join(tmp, "state");
- await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
- recursive: true,
- mode: 0o700,
- });
+ const stateDir = sharedExtensionsStateDir;
 
 try {
 const cfg: OpenClawConfig = {};
@@ -2443,10 +2442,6 @@ description: test skill
 });
 
 it("warns on unpinned npm install specs and missing integrity metadata", async () => {
- const tmp = await makeTmpDir("install-metadata-warns");
- const stateDir = path.join(tmp, "state");
- await fs.mkdir(stateDir, { recursive: true });
-
 const cfg: OpenClawConfig = {
 plugins: {
 installs: {
@@ -2472,8 +2467,8 @@ description: test skill
 config: cfg,
 includeFilesystem: true,
 includeChannelSecurity: false,
- stateDir,
- configPath: path.join(stateDir, "openclaw.json"),
+ stateDir: sharedInstallMetadataStateDir,
+ configPath: path.join(sharedInstallMetadataStateDir, "openclaw.json"),
 });
 
 expect(hasFinding(res, "plugins.installs_unpinned_npm_specs", "warn")).toBe(true);
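Review bot: The `try … finally { await fs.rm(tmp, { recursive: true, force: true }); }` around the assertion is dropped, so the directory holding the deliberately mis-permissioned include file now lives until the suite's `afterAll` instead of being removed the moment this test finishes; that is only equivalent if `afterAll` removes `fixtureRoot` recursively, which is outside this hunk and worth confirming. The removed `// Clean up temp directory with world-writable file` was the only place recording why prompt cleanup mattered for this fixture, and nothing replaces it. Keep that intent visible near `await fs.chmod(configPath, 0o600);`, e.g. `// include file is intentionally left mis-permissioned for the audit; the whole fixtureRoot is removed in afterAll`. The enclosing `it` starts before the hunk, so where `tmp` and `includePath` are created is not visible here.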
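Review bot: `const stateDir = sharedExtensionsStateDir;` makes this test share one on-disk directory with the tests at @@ -2580, @@ -2609 and @@ -2636, and the two install-metadata tests at @@ -2472 and @@ -2514 likewise share `sharedInstallMetadataStateDir` both as `stateDir` and as the parent of `configPath`. That is sound only while `runSecurityAudit` treats `stateDir` as read-only; if it writes a cache, lock or normalized config under it (its implementation is not in this diff), the first test to run changes what the later ones observe, and with an identical `configPath` the "does not warn" test could inherit state from the "warns" test. Make the contract explicit on the shared declarations, e.g. `// shared read-only fixture; tests must not write under it`, or give the two install-metadata tests their own `configPath` under `makeTmpDir` while keeping the shared `stateDir`. The enclosing `it` continues past the hunk.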
@@ -2483,10 +2478,6 @@ description: test skill
 });
 
 it("does not warn on pinned npm install specs with integrity metadata", async () => {
- const tmp = await makeTmpDir("install-metadata-clean");
- const stateDir = path.join(tmp, "state");
- await fs.mkdir(stateDir, { recursive: true });
-
 const cfg: OpenClawConfig = {
 plugins: {
 installs: {
@@ -2514,8 +2505,8 @@ description: test skill
 config: cfg,
 includeFilesystem: true,
 includeChannelSecurity: false,
- stateDir,
- configPath: path.join(stateDir, "openclaw.json"),
+ stateDir: sharedInstallMetadataStateDir,
+ configPath: path.join(sharedInstallMetadataStateDir, "openclaw.json"),
 });
 
 expect(hasFinding(res, "plugins.installs_unpinned_npm_specs")).toBe(false);
@@ -2580,12 +2571,7 @@ description: test skill
 });
 
 it("flags enabled extensions when tool policy can expose plugin tools", async () => {
- const tmp = await makeTmpDir("plugins-reachable");
- const stateDir = path.join(tmp, "state");
- await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
- recursive: true,
- mode: 0o700,
- });
+ const stateDir = sharedExtensionsStateDir;
 
 const cfg: OpenClawConfig = {
 plugins: { allow: ["some-plugin"] },
@@ -2609,12 +2595,7 @@ description: test skill
 });
 
 it("does not flag plugin tool reachability when profile is restrictive", async () => {
- const tmp = await makeTmpDir("plugins-restrictive");
- const stateDir = path.join(tmp, "state");
- await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
- recursive: true,
- mode: 0o700,
- });
+ const stateDir = sharedExtensionsStateDir;
 
 const cfg: OpenClawConfig = {
 plugins: { allow: ["some-plugin"] },
@@ -2636,12 +2617,7 @@ description: test skill
 it("flags unallowlisted extensions as critical when native skill commands are exposed", async () => {
 const prevDiscordToken = process.env.DISCORD_BOT_TOKEN;
 delete process.env.DISCORD_BOT_TOKEN;
- const tmp = await makeTmpDir("extensions-critical");
- const stateDir = path.join(tmp, "state");
- await fs.mkdir(path.join(stateDir, "extensions", "some-plugin"), {
- recursive: true,
- mode: 0o700,
- });
+ const stateDir = sharedExtensionsStateDir;
 
 try {
 const cfg: OpenClawConfig = {
diff --git a/src/security/temp-path-guard.test.ts b/src/security/temp-path-guard.test.ts
index b71a6f92a..9a2c3afac 100644
--- a/src/security/temp-path-guard.test.ts
+++ b/src/security/temp-path-guard.test.ts
@@ -225,7 +225,11 @@ describe("temp path guard", () => {
 if (hasDynamicTmpdirJoin(file.source)) {
 offenders.push(relativePath);
 }
- if (WEAK_RANDOM_SAME_LINE_PATTERN.test(file.source)) {
+ if (
+ file.source.includes("Date.now") &&
+ file.source.includes("Math.random") &&
+ WEAK_RANDOM_SAME_LINE_PATTERN.test(file.source)
+ ) {
 weakRandomMatches.push(relativePath);
 }
 }
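Review bot: The two `file.source.includes(...)` pre-checks are only a safe shortcut if `WEAK_RANDOM_SAME_LINE_PATTERN` itself requires the literal substrings `Date.now` and `Math.random`; its definition is outside this hunk, and if the regex is any broader (say it also accepts `new Date().getTime()`, or a `Math.random` call on its own) the prefilter now silently suppresses those matches, turning a guardrail against weak temp-path randomness into a false negative without any test failing. Record the coupling where it can be seen when the pattern is next edited, e.g. `// prefilter must stay in sync with WEAK_RANDOM_SAME_LINE_PATTERN, which requires both tokens`, or derive the two substrings from the same constant as the regex so they cannot drift apart. The enclosing loop and `describe` callback start before and end after the hunk.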