

























@@ -375,6 +375,45 @@ describe("resolve-openclaw-package-candidate", () => {
375375);
376376});
377377378+it("rejects loose trusted package source port values", async () => {
379+const dir = await mkdtemp(path.join(tmpdir(), "openclaw-trusted-package-source-"));
380+tempDirs.push(dir);
381+const policy = path.join(dir, "trusted-sources.json");
382+await writeFile(
383+policy,
384+JSON.stringify({
385+schemaVersion: 1,
386+sources: {
387+exponent: {
388+hosts: ["packages.example"],
389+pathPrefixes: ["/openclaw/"],
390+ports: ["1e3"],
391+},
392+fractional: {
393+hosts: ["packages.example"],
394+pathPrefixes: ["/openclaw/"],
395+ports: [443.5],
396+},
397+hex: {
398+hosts: ["packages.example"],
399+pathPrefixes: ["/openclaw/"],
400+ports: ["0x1bb"],
401+},
402+},
403+}),
404+);
405+406+await expect(loadTrustedPackageSource("exponent", policy)).rejects.toThrow(
407+"trusted package source exponent has invalid ports",
408+);
409+await expect(loadTrustedPackageSource("fractional", policy)).rejects.toThrow(
410+"trusted package source fractional has invalid ports",
411+);
412+await expect(loadTrustedPackageSource("hex", policy)).rejects.toThrow(
413+"trusted package source hex has invalid ports",
414+);
415+});
416+378417it("rejects unsafe package_url downloads before fetching private targets", async () => {
379418const dir = await mkdtemp(path.join(tmpdir(), "openclaw-package-download-"));
380419tempDirs.push(dir);
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。