

























@@ -12,6 +12,7 @@ import {
1212downloadUrl,
1313findSingleTarballForTest,
1414loadTrustedPackageSource,
15+moveNewestPackedTarballForTest,
1516parseArgs,
1617readArtifactPackageCandidateMetadata,
1718readPackageBuildSourceSha,
@@ -211,6 +212,57 @@ describe("resolve-openclaw-package-candidate", () => {
211212});
212213});
213214215+it("keeps npm pack filenames inside the package candidate output directory", async () => {
216+const dir = await mkdtemp(path.join(tmpdir(), "openclaw-package-npm-pack-"));
217+tempDirs.push(dir);
218+await writeFile(path.join(dir, "openclaw-2026.6.17.tgz"), "package");
219+220+await expect(
221+moveNewestPackedTarballForTest(
222+dir,
223+JSON.stringify([{ filename: "openclaw-2026.6.17.tgz" }]),
224+"openclaw-current.tgz",
225+),
226+).resolves.toBe(path.join(dir, "openclaw-current.tgz"));
227+await expect(readFile(path.join(dir, "openclaw-current.tgz"), "utf8")).resolves.toBe("package");
228+});
229+230+it("rejects path-like npm pack filenames instead of renaming outside the output directory", async () => {
231+const dir = await mkdtemp(path.join(tmpdir(), "openclaw-package-npm-pack-"));
232+tempDirs.push(dir);
233+234+const unsafeFilenames = [
235+"../openclaw-2026.6.17.tgz",
236+"nested/openclaw-2026.6.17.tgz",
237+"nested\\openclaw-2026.6.17.tgz",
238+"/tmp/openclaw-2026.6.17.tgz",
239+"C:\\temp\\openclaw-2026.6.17.tgz",
240+"openclaw-2026.6.17.tar.gz",
241+];
242+243+for (const filename of unsafeFilenames) {
244+await expect(
245+moveNewestPackedTarballForTest(dir, JSON.stringify([{ filename }]), "openclaw-current.tgz"),
246+).rejects.toThrow("npm pack reported unsafe OpenClaw tarball filename");
247+}
248+});
249+250+it("rejects unsafe text npm pack filenames instead of using loose stdout fallback", async () => {
251+const dir = await mkdtemp(path.join(tmpdir(), "openclaw-package-npm-pack-"));
252+tempDirs.push(dir);
253+await writeFile(path.join(dir, "openclaw-2026.6.17.tgz"), "safe fallback");
254+255+for (const filename of ["../openclaw-2026.6.17.tgz", "C:openclaw-2026.6.17.tgz"]) {
256+await expect(
257+moveNewestPackedTarballForTest(
258+dir,
259+["npm notice", filename].join("\n"),
260+"openclaw-current.tgz",
261+),
262+).rejects.toThrow("npm pack reported unsafe OpenClaw tarball filename");
263+}
264+});
265+214266it("bounds captured command stderr tails on failures", async () => {
215267await expect(
216268runCommandForTest(
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。