fix(security): set Windows ACLs in audit include file test

The test expected fs.config_include.perms_writable on Windows but
chmod 0o644 has no effect on Windows ACLs. Use icacls to grant
Everyone write access, which properly triggers the security check.

Also adds cleanup via try/finally to remove the temp directory
containing the world-writable test file.

Fixes checks-windows CI failure.
This commit is contained in:
Kai Valo 2026-01-26 20:25:30 +00:00
parent 320b45c051
commit 60c7d50da5

View File

@ -855,30 +855,41 @@ describe("security audit", () => {
const includePath = path.join(stateDir, "extra.json5"); const includePath = path.join(stateDir, "extra.json5");
await fs.writeFile(includePath, "{ logging: { redactSensitive: 'off' } }\n", "utf-8"); await fs.writeFile(includePath, "{ logging: { redactSensitive: 'off' } }\n", "utf-8");
await fs.chmod(includePath, 0o644); if (isWindows) {
// Grant "Everyone" write access to trigger the perms_writable check on Windows
const { execSync } = await import("node:child_process");
execSync(`icacls "${includePath}" /grant Everyone:W`, { stdio: "ignore" });
} else {
await fs.chmod(includePath, 0o644);
}
const configPath = path.join(stateDir, "clawdbot.json"); const configPath = path.join(stateDir, "clawdbot.json");
await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8"); await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8");
await fs.chmod(configPath, 0o600); await fs.chmod(configPath, 0o600);
const cfg: ClawdbotConfig = { logging: { redactSensitive: "off" } }; try {
const res = await runSecurityAudit({ const cfg: ClawdbotConfig = { logging: { redactSensitive: "off" } };
config: cfg, const res = await runSecurityAudit({
includeFilesystem: true, config: cfg,
includeChannelSecurity: false, includeFilesystem: true,
stateDir, includeChannelSecurity: false,
configPath, stateDir,
}); configPath,
});
const expectedCheckId = isWindows const expectedCheckId = isWindows
? "fs.config_include.perms_writable" ? "fs.config_include.perms_writable"
: "fs.config_include.perms_world_readable"; : "fs.config_include.perms_world_readable";
expect(res.findings).toEqual( expect(res.findings).toEqual(
expect.arrayContaining([ expect.arrayContaining([
expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }), expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }),
]), ]),
); );
} finally {
// Clean up temp directory with world-writable file
await fs.rm(tmp, { recursive: true, force: true });
}
}); });
it("flags extensions without plugins.allow", async () => { it("flags extensions without plugins.allow", async () => {