


























@@ -29,8 +29,7 @@ describe("security audit trust model findings", () => {
2929tools: { elevated: { enabled: true, allowFrom: { whatsapp: ["+1"] } } },
3030channels: { whatsapp: { groupPolicy: "open" } },
3131} satisfies OpenClawConfig,
32-assert: () => {
33-const findings = audit(cases[0].cfg);
32+assert: (findings: ReturnType<typeof audit>) => {
3433expect(
3534findings.some(
3635(finding) =>
@@ -46,8 +45,7 @@ describe("security audit trust model findings", () => {
4645channels: { whatsapp: { groupPolicy: "open" } },
4746tools: { elevated: { enabled: false } },
4847} satisfies OpenClawConfig,
49-assert: () => {
50-const findings = audit(cases[1].cfg);
48+assert: (findings: ReturnType<typeof audit>) => {
5149expect(
5250findings.some(
5351(finding) =>
@@ -71,8 +69,7 @@ describe("security audit trust model findings", () => {
7169},
7270},
7371} satisfies OpenClawConfig,
74-assert: () => {
75-const findings = audit(cases[2].cfg);
72+assert: (findings: ReturnType<typeof audit>) => {
7673expect(
7774findings.some(
7875(finding) => finding.checkId === "security.exposure.open_groups_with_runtime_or_fs",
@@ -91,8 +88,7 @@ describe("security audit trust model findings", () => {
9188fs: { workspaceOnly: true },
9289},
9390} satisfies OpenClawConfig,
94-assert: () => {
95-const findings = audit(cases[3].cfg);
91+assert: (findings: ReturnType<typeof audit>) => {
9692expect(
9793findings.some(
9894(finding) => finding.checkId === "security.exposure.open_groups_with_runtime_or_fs",
@@ -117,8 +113,7 @@ describe("security audit trust model findings", () => {
117113},
118114tools: { elevated: { enabled: false } },
119115} satisfies OpenClawConfig,
120-assert: () => {
121-const findings = audit(cases[4].cfg);
116+assert: (findings: ReturnType<typeof audit>) => {
122117const finding = requireMultiUserHeuristicFinding(findings);
123118expect(finding.severity).toBe("warn");
124119expect(finding.detail).toContain(
@@ -138,19 +133,108 @@ describe("security audit trust model findings", () => {
138133},
139134tools: { elevated: { enabled: false } },
140135} satisfies OpenClawConfig,
141-assert: () => {
142-const findings = audit(cases[5].cfg);
136+assert: (findings: ReturnType<typeof audit>) => {
143137expect(
144138findings.some(
145139(finding) => finding.checkId === "security.trust_model.multi_user_heuristic",
146140),
147141).toBe(false);
148142},
149143},
144+{
145+name: "flags open dmPolicy when tools.elevated is enabled",
146+cfg: {
147+tools: { elevated: { enabled: true, allowFrom: { feishu: ["ou_123"] } } },
148+channels: { feishu: { groupPolicy: "disabled", dmPolicy: "open" } },
149+} satisfies OpenClawConfig,
150+assert: (findings: ReturnType<typeof audit>) => {
151+const finding = findings.find(
152+(entry) => entry.checkId === "security.exposure.open_groups_with_elevated",
153+);
154+expect(finding?.severity).toBe("critical");
155+expect(finding?.detail).toContain("channels.feishu.dmPolicy");
156+},
157+},
158+{
159+name: "flags open dmPolicy when runtime/filesystem tools are exposed without guards",
160+cfg: {
161+channels: { feishu: { groupPolicy: "disabled", dmPolicy: "open" } },
162+tools: { elevated: { enabled: false }, profile: "coding" },
163+} satisfies OpenClawConfig,
164+assert: (findings: ReturnType<typeof audit>) => {
165+const finding = findings.find(
166+(entry) => entry.checkId === "security.exposure.open_groups_with_runtime_or_fs",
167+);
168+expect(finding?.severity).toBe("critical");
169+expect(finding?.detail).toContain("channels.feishu.dmPolicy");
170+},
171+},
172+{
173+name: "flags account-level open dmPolicy",
174+cfg: {
175+channels: {
176+discord: {
177+dmPolicy: "allowlist",
178+accounts: { work: { dmPolicy: "open" } },
179+},
180+},
181+} satisfies OpenClawConfig,
182+assert: (findings: ReturnType<typeof audit>) => {
183+const finding = findings.find(
184+(entry) => entry.checkId === "security.exposure.open_groups_with_elevated",
185+);
186+expect(finding?.detail).toContain("channels.discord.accounts.work.dmPolicy");
187+expect(finding?.detail).not.toContain("channels.discord.dmPolicy");
188+},
189+},
190+{
191+name: "flags supported legacy open dm.policy",
192+cfg: {
193+channels: { discord: { dm: { policy: "open" } } },
194+} satisfies OpenClawConfig,
195+assert: (findings: ReturnType<typeof audit>) => {
196+const finding = findings.find(
197+(entry) => entry.checkId === "security.exposure.open_groups_with_elevated",
198+);
199+expect(finding?.detail).toContain("channels.discord.dm.policy");
200+},
201+},
202+{
203+name: "preserves the detected nested-only DM policy path in remediation",
204+cfg: {
205+channels: { matrix: { dm: { policy: "open" } } },
206+} satisfies OpenClawConfig,
207+assert: (findings: ReturnType<typeof audit>) => {
208+const finding = findings.find(
209+(entry) => entry.checkId === "security.exposure.open_groups_with_elevated",
210+);
211+expect(finding?.detail).toContain("channels.matrix.dm.policy");
212+expect(finding?.remediation).toContain("each listed group/DM policy");
213+expect(finding?.remediation).not.toContain("dmPolicy");
214+},
215+},
216+{
217+name: "prefers canonical dmPolicy over conflicting legacy dm.policy",
218+cfg: {
219+channels: {
220+discord: {
221+dmPolicy: "allowlist",
222+dm: { policy: "open" },
223+},
224+},
225+} satisfies OpenClawConfig,
226+assert: (findings: ReturnType<typeof audit>) => {
227+expect(
228+findings.some((finding) =>
229+finding.checkId.startsWith("security.exposure.open_groups_"),
230+),
231+).toBe(false);
232+},
233+},
150234] as const;
151235152236for (const testCase of cases) {
153-testCase.assert();
237+testCase.assert(audit(testCase.cfg));
154238}
155239});
156240});
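Review bot: The new case "prefers canonical dmPolicy over conflicting legacy dm.policy" asserts only that no `security.exposure.open_groups_*` finding is produced, so a config that carries a stale `dm: { policy: "open" }` next to `dmPolicy: "allowlist"` passes without any check that the ignored legacy key is surfaced to the operator. If the audit emits a separate finding for the overridden legacy key, assert on it in this case too; if it does not, the case is pinning a silent-ignore behaviour and should say so, e.g. `// legacy dm.policy is ignored when dmPolicy is set; no conflict finding is expected here`. Separately, the driver loop `testCase.assert(audit(testCase.cfg));` never uses `testCase.name`, so an `expect` failure in any one case reports no case name; running the cases through `it.each(cases)("$name", ...)` or a per-case `it(testCase.name, ...)` would make the report identify the failing case. The enclosing test callback that wraps the loop starts outside the hunk, so that change may require restructuring lines not shown here.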