test(security): cover bundled plugin allowlist audit · openclaw/openclaw@3db407d
steipete
·
2026-04-27
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -19,6 +19,16 @@ const mockChannelPlugins = vi.hoisted(() => [
|
19 | 19 | }, |
20 | 20 | }, |
21 | 21 | ]); |
| 22 | +const mockPluginRegistryIds = vi.hoisted(() => [ |
| 23 | +"active-memory", |
| 24 | +"anthropic", |
| 25 | +"brave", |
| 26 | +"discord", |
| 27 | +"google", |
| 28 | +"lmstudio", |
| 29 | +"memory-core", |
| 30 | +"ollama", |
| 31 | +]); |
22 | 32 | |
23 | 33 | const readInstalledPackageVersionMock = vi.hoisted(() => |
24 | 34 | vi.fn(async (dir: string) => { |
@@ -87,7 +97,7 @@ vi.mock("../plugins/plugin-registry.js", () => ({
|
87 | 97 | createPluginRegistryIdNormalizer: () => (id: string) => id, |
88 | 98 | loadPluginRegistrySnapshot: () => ({ |
89 | 99 | diagnostics: [], |
90 | | -plugins: [{ pluginId: "discord" }], |
| 100 | +plugins: mockPluginRegistryIds.map((pluginId) => ({ pluginId })), |
91 | 101 | }), |
92 | 102 | })); |
93 | 103 | |
@@ -349,6 +359,35 @@ describe("security audit install metadata findings", () => {
|
349 | 359 | expect(phantomFinding?.detail).toContain("ghost-plugin-xyz"); |
350 | 360 | expect(phantomFinding?.detail).not.toContain("installed-plugin"); |
351 | 361 | }); |
| 362 | + |
| 363 | +it("does not report bundled provider and utility plugins as phantom allowlist entries", async () => { |
| 364 | +const stateDir = await makeTmpDir("phantom-bundled-providers"); |
| 365 | +await fs.mkdir(path.join(stateDir, "extensions", "installed-plugin"), { |
| 366 | +recursive: true, |
| 367 | +}); |
| 368 | + |
| 369 | +const findings = await runInstallMetadataAudit( |
| 370 | +{ |
| 371 | +plugins: { |
| 372 | +allow: [ |
| 373 | +"active-memory", |
| 374 | +"anthropic", |
| 375 | +"brave", |
| 376 | +"google", |
| 377 | +"lmstudio", |
| 378 | +"memory-core", |
| 379 | +"ollama", |
| 380 | +"installed-plugin", |
| 381 | +], |
| 382 | +}, |
| 383 | +}, |
| 384 | +stateDir, |
| 385 | +); |
| 386 | + |
| 387 | +expect( |
| 388 | +findings.find((finding) => finding.checkId === "plugins.allow_phantom_entries"), |
| 389 | +).toBeUndefined(); |
| 390 | +}); |
352 | 391 | }); |
353 | 392 | |
354 | 393 | describe("security audit extension tool reachability findings", () => { |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。