fix(security): properly test Windows ACL audit for config includes
The test expected fs.config_include.perms_writable on Windows but chmod 0o644 has no effect on Windows ACLs. Use icacls to grant Everyone write access, which properly triggers the security check. Also stubs execIcacls to return proper ACL output so the audit can parse permissions without running actual icacls on the system. Adds cleanup via try/finally to remove temp directory containing world-writable test file. Fixes checks-windows CI failure.
This commit is contained in:
parent
343882d45c
commit
6f61e2dd84
@ -857,51 +857,62 @@ describe("security audit", () => {
|
||||
|
||||
const includePath = path.join(stateDir, "extra.json5");
|
||||
await fs.writeFile(includePath, "{ logging: { redactSensitive: 'off' } }\n", "utf-8");
|
||||
await fs.chmod(includePath, 0o644);
|
||||
if (isWindows) {
|
||||
// Grant "Everyone" write access to trigger the perms_writable check on Windows
|
||||
const { execSync } = await import("node:child_process");
|
||||
execSync(`icacls "${includePath}" /grant Everyone:W`, { stdio: "ignore" });
|
||||
} else {
|
||||
await fs.chmod(includePath, 0o644);
|
||||
}
|
||||
|
||||
const configPath = path.join(stateDir, "clawdbot.json");
|
||||
await fs.writeFile(configPath, `{ "$include": "./extra.json5" }\n`, "utf-8");
|
||||
await fs.chmod(configPath, 0o600);
|
||||
|
||||
const cfg: ClawdbotConfig = { logging: { redactSensitive: "off" } };
|
||||
const user = "DESKTOP-TEST\\Tester";
|
||||
const execIcacls = isWindows
|
||||
? async (_cmd: string, args: string[]) => {
|
||||
const target = args[0];
|
||||
if (target === includePath) {
|
||||
try {
|
||||
const cfg: ClawdbotConfig = { logging: { redactSensitive: "off" } };
|
||||
const user = "DESKTOP-TEST\\Tester";
|
||||
const execIcacls = isWindows
|
||||
? async (_cmd: string, args: string[]) => {
|
||||
const target = args[0];
|
||||
if (target === includePath) {
|
||||
return {
|
||||
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
|
||||
stderr: "",
|
||||
};
|
||||
}
|
||||
return {
|
||||
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
|
||||
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`,
|
||||
stderr: "",
|
||||
};
|
||||
}
|
||||
return {
|
||||
stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`,
|
||||
stderr: "",
|
||||
};
|
||||
}
|
||||
: undefined;
|
||||
const res = await runSecurityAudit({
|
||||
config: cfg,
|
||||
includeFilesystem: true,
|
||||
includeChannelSecurity: false,
|
||||
stateDir,
|
||||
configPath,
|
||||
platform: isWindows ? "win32" : undefined,
|
||||
env: isWindows
|
||||
? { ...process.env, USERNAME: "Tester", USERDOMAIN: "DESKTOP-TEST" }
|
||||
: undefined,
|
||||
execIcacls,
|
||||
});
|
||||
: undefined;
|
||||
const res = await runSecurityAudit({
|
||||
config: cfg,
|
||||
includeFilesystem: true,
|
||||
includeChannelSecurity: false,
|
||||
stateDir,
|
||||
configPath,
|
||||
platform: isWindows ? "win32" : undefined,
|
||||
env: isWindows
|
||||
? { ...process.env, USERNAME: "Tester", USERDOMAIN: "DESKTOP-TEST" }
|
||||
: undefined,
|
||||
execIcacls,
|
||||
});
|
||||
|
||||
const expectedCheckId = isWindows
|
||||
? "fs.config_include.perms_writable"
|
||||
: "fs.config_include.perms_world_readable";
|
||||
const expectedCheckId = isWindows
|
||||
? "fs.config_include.perms_writable"
|
||||
: "fs.config_include.perms_world_readable";
|
||||
|
||||
expect(res.findings).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }),
|
||||
]),
|
||||
);
|
||||
expect(res.findings).toEqual(
|
||||
expect.arrayContaining([
|
||||
expect.objectContaining({ checkId: expectedCheckId, severity: "critical" }),
|
||||
]),
|
||||
);
|
||||
} finally {
|
||||
// Clean up temp directory with world-writable file
|
||||
await fs.rm(tmp, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
|
||||
it("flags extensions without plugins.allow", async () => {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user