* fix(security): distinguish webhooks from internal hooks in audit summary The attack surface summary reported a single 'hooks: disabled/enabled' line that only checked the external webhook endpoint (hooks.enabled), ignoring internal hooks (hooks.internal.enabled). Users who enabled internal hooks (session-memory, command-logger, etc.) saw 'hooks: disabled' and thought something was broken. Split into two separate lines: - hooks.webhooks: disabled/enabled - hooks.internal: disabled/enabled Fixes #13466 * test(security): move attack surface tests to focused test file Move the 3 new hook-distinction tests from the monolithic audit.test.ts (1,511 lines) into a dedicated audit-extra.sync.test.ts that tests collectAttackSurfaceSummaryFindings directly. Avoids growing the already-large test file and keeps tests focused on the changed unit. * fix: add changelog entry for security audit hook split (#13474) (thanks @mcaxtr) --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
import { describe, expect, it } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
import { collectAttackSurfaceSummaryFindings } from "./audit-extra.sync.js";
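/**
 * Focused tests for the attack-surface summary split (#13466): the external
 * webhook endpoint (`hooks.enabled`) and internal hooks (`hooks.internal.enabled`)
 * are two independent systems and must be reported on separate lines, so that
 * the state of one is never mistaken for the state of the other.
 */
describe("collectAttackSurfaceSummaryFindings", () => {
  /**
   * Returns the detail text of the summary finding produced for `cfg`.
   *
   * The check id is asserted here so that every case below covers it, not
   * only the first one; a missing finding fails on the id assertion rather
   * than on a property access.
   */
  function summaryDetail(cfg: OpenClawConfig) {
    const [finding] = collectAttackSurfaceSummaryFindings(cfg);
    expect(finding?.checkId).toBe("summary.attack_surface");
    return finding?.detail;
  }

  type HookCase = {
    label: string;
    cfg: OpenClawConfig;
    webhooks: "enabled" | "disabled";
    internal: "enabled" | "disabled";
  };

  // All four combinations of the two hook systems. The "only webhooks" row is
  // the mirror of the original bug report: one system on must not flip the
  // reported state of the other.
  const cases: ReadonlyArray<HookCase> = [
    {
      label: "neither hook system is configured",
      cfg: {},
      webhooks: "disabled",
      internal: "disabled",
    },
    {
      label: "only the external webhook endpoint is enabled",
      cfg: { hooks: { enabled: true } },
      webhooks: "enabled",
      internal: "disabled",
    },
    {
      label: "only internal hooks are enabled",
      cfg: { hooks: { internal: { enabled: true } } },
      webhooks: "disabled",
      internal: "enabled",
    },
    {
      label: "both hook systems are enabled",
      cfg: { hooks: { enabled: true, internal: { enabled: true } } },
      webhooks: "enabled",
      internal: "enabled",
    },
  ];

  it.each(cases)(
    "reports hooks.webhooks: $webhooks and hooks.internal: $internal when $label",
    ({ cfg, webhooks, internal }) => {
      const detail = summaryDetail(cfg);
      expect(detail).toContain(`hooks.webhooks: ${webhooks}`);
      expect(detail).toContain(`hooks.internal: ${internal}`);
    },
  );
});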