fix(security): set Windows ACLs in audit include file test

The test expected fs.config_include.perms_writable on Windows but
chmod 0o644 has no effect on Windows ACLs. Use icacls to grant
Everyone write access, which properly triggers the security check.

Also adds cleanup via try/finally to remove the temp directory
containing the world-writable test file.

Fixes checks-windows CI failure.
This commit is contained in:
Kai Valo 2026-01-26 20:25:30 +00:00
parent 320b45c051
commit 60c7d50da5

View File

@ -855,12 +855,19 @@ describe("security audit", () => {
const includePath = path.join(stateDir, "extra.json5"); const includePath = path.join(stateDir, "extra.json5");
await fs.writeFile(includePath, "{ logging: { redactSensitive: 'off' } }\n", "utf-8"); await fs.writeFile(includePath, "{ logging: { redactSensitive: 'off' } }\n", "utf-8");
if (isWindows) {
// Grant "Everyone" write access to trigger the perms_writable check on Windows
const { execSync } = await import("node:child_process");
execSync(`icacls "${includePath}" /grant Everyone:W`, { stdio: "ignore" });
} else {
await fs.chmod(includePath, 0o644); await fs.chmod(includePath, 0o644);
}
const configPath = path.join(stateDir, "clawdbot.json"); const configPath = path.join(stateDir, "clawdbot.json");
await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8"); await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8");
await fs.chmod(configPath, 0o600); await fs.chmod(configPath, 0o600);
try {
const cfg: ClawdbotConfig = { logging: { redactSensitive: "off" } }; const cfg: ClawdbotConfig = { logging: { redactSensitive: "off" } };
const res = await runSecurityAudit({ const res = await runSecurityAudit({
config: cfg, config: cfg,
@ -879,6 +886,10 @@ describe("security audit", () => {
expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }), expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }),
]), ]),
); );
} finally {
// Clean up temp directory with world-writable file
await fs.rm(tmp, { recursive: true, force: true });
}
}); });
it("flags extensions without plugins.allow", async () => { it("flags extensions without plugins.allow", async () => {