let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(security): expand audit and safe --fix

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-15 05:31:35 +00:00
parent f11a89031b
commit ca1902fb4e
9 changed files with 1077 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
src/security/fix.test.ts
View File

@@ -207,4 +207,61 @@ describe("security fix", () => {
const configMode = (await fs.stat(configPath)).mode & 0o777;
expectPerms(configMode, 0o600);
});
it("tightens perms for credentials + agent auth/sessions + include files", async () => {
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-security-fix-"));
const stateDir = path.join(tmp, "state");
await fs.mkdir(stateDir, { recursive: true });
const includesDir = path.join(stateDir, "includes");
await fs.mkdir(includesDir, { recursive: true });
const includePath = path.join(includesDir, "extra.json5");
await fs.writeFile(includePath, "{ logging: { redactSensitive: 'off' } }\n", "utf-8");
await fs.chmod(includePath, 0o644);
const configPath = path.join(stateDir, "clawdbot.json");
await fs.writeFile(
configPath,
`{ "$include": "./includes/extra.json5", channels: { whatsapp: { groupPolicy: "open" } } }\n`,
"utf-8",
);
await fs.chmod(configPath, 0o644);
const credsDir = path.join(stateDir, "credentials");
await fs.mkdir(credsDir, { recursive: true });
const allowFromPath = path.join(credsDir, "whatsapp-allowFrom.json");
await fs.writeFile(
allowFromPath,
`${JSON.stringify({ version: 1, allowFrom: ["+15550002222"] }, null, 2)}\n`,
"utf-8",
);
await fs.chmod(allowFromPath, 0o644);
const agentDir = path.join(stateDir, "agents", "main", "agent");
await fs.mkdir(agentDir, { recursive: true });
const authProfilesPath = path.join(agentDir, "auth-profiles.json");
await fs.writeFile(authProfilesPath, "{}\n", "utf-8");
await fs.chmod(authProfilesPath, 0o644);
const sessionsDir = path.join(stateDir, "agents", "main", "sessions");
await fs.mkdir(sessionsDir, { recursive: true });
const sessionsStorePath = path.join(sessionsDir, "sessions.json");
await fs.writeFile(sessionsStorePath, "{}\n", "utf-8");
await fs.chmod(sessionsStorePath, 0o644);
const env = {
...process.env,
CLAWDBOT_STATE_DIR: stateDir,
CLAWDBOT_CONFIG_PATH: "",
};
const res = await fixSecurityFootguns({ env });
expect(res.ok).toBe(true);
expect((await fs.stat(credsDir)).mode & 0o777).toBe(0o700);
expect((await fs.stat(allowFromPath)).mode & 0o777).toBe(0o600);
expect((await fs.stat(authProfilesPath)).mode & 0o777).toBe(0o600);
expect((await fs.stat(sessionsStorePath)).mode & 0o777).toBe(0o600);
expect((await fs.stat(includePath)).mode & 0o777).toBe(0o600);
});
});