From fb4b6eef03f783422bb856ab64c0c43eaf507735 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Tue, 17 Mar 2026 09:24:36 +0000 Subject: [PATCH] test: merge audit code safety failure cases --- src/security/audit.test.ts | 81 +++++++++++++++++++++----------------- 1 file changed, 44 insertions(+), 37 deletions(-) diff --git a/src/security/audit.test.ts b/src/security/audit.test.ts index b285c9dce74..898cfb74535 100644 --- a/src/security/audit.test.ts +++ b/src/security/audit.test.ts @@ -3314,45 +3314,52 @@ description: test skill expect(skillFinding?.detail).toMatch(/runner\.js:\d+/); }); - it("flags plugin extension entry path traversal in deep audit", async () => { - const tmpDir = await makeTmpDir("audit-scanner-escape"); - const pluginDir = path.join(tmpDir, "extensions", "escape-plugin"); - await fs.mkdir(pluginDir, { recursive: true }); - await fs.writeFile( - path.join(pluginDir, "package.json"), - JSON.stringify({ - name: "escape-plugin", - openclaw: { extensions: ["../outside.js"] }, - }), - ); - await fs.writeFile(path.join(pluginDir, "index.js"), "export {};"); + it("evaluates plugin code-safety scanner failure modes", async () => { + const cases = [ + { + name: "flags plugin extension entry path traversal in deep audit", + label: "audit-scanner-escape", + pluginName: "escape-plugin", + extensions: ["../outside.js"], + assert: (findings: Awaited>) => { + expect(findings.some((f) => f.checkId === "plugins.code_safety.entry_escape")).toBe(true); + }, + }, + { + name: "reports scan_failed when plugin code scanner throws during deep audit", + label: "audit-scanner-throws", + pluginName: "scanfail-plugin", + extensions: ["index.js"], + beforeRun: () => + vi + .spyOn(skillScanner, "scanDirectoryWithSummary") + .mockRejectedValueOnce(new Error("boom")), + assert: (findings: Awaited>) => { + expect(findings.some((f) => f.checkId === "plugins.code_safety.scan_failed")).toBe(true); + }, + }, + ] as const; - const findings = await collectPluginsCodeSafetyFindings({ stateDir: tmpDir }); - expect(findings.some((f) => f.checkId === "plugins.code_safety.entry_escape")).toBe(true); - }); + for (const testCase of cases) { + const scanSpy = testCase.beforeRun?.(); + try { + const tmpDir = await makeTmpDir(testCase.label); + const pluginDir = path.join(tmpDir, "extensions", testCase.pluginName); + await fs.mkdir(pluginDir, { recursive: true }); + await fs.writeFile( + path.join(pluginDir, "package.json"), + JSON.stringify({ + name: testCase.pluginName, + openclaw: { extensions: testCase.extensions }, + }), + ); + await fs.writeFile(path.join(pluginDir, "index.js"), "export {};"); - it("reports scan_failed when plugin code scanner throws during deep audit", async () => { - const scanSpy = vi - .spyOn(skillScanner, "scanDirectoryWithSummary") - .mockRejectedValueOnce(new Error("boom")); - - const tmpDir = await makeTmpDir("audit-scanner-throws"); - try { - const pluginDir = path.join(tmpDir, "extensions", "scanfail-plugin"); - await fs.mkdir(pluginDir, { recursive: true }); - await fs.writeFile( - path.join(pluginDir, "package.json"), - JSON.stringify({ - name: "scanfail-plugin", - openclaw: { extensions: ["index.js"] }, - }), - ); - await fs.writeFile(path.join(pluginDir, "index.js"), "export {};"); - - const findings = await collectPluginsCodeSafetyFindings({ stateDir: tmpDir }); - expect(findings.some((f) => f.checkId === "plugins.code_safety.scan_failed")).toBe(true); - } finally { - scanSpy.mockRestore(); + const findings = await collectPluginsCodeSafetyFindings({ stateDir: tmpDir }); + testCase.assert(findings); + } finally { + scanSpy?.mockRestore(); + } } });