mirror of
https://github.com/sipeed/picoclaw.git
synced 2026-06-12 18:08:54 +00:00
wenjie
8c2a9332c6
* fix(security): harden unauthenticated tool-exec paths (GHSA-pv8c-p6jf-3fpp) - Exec tool: channel-based access control (default deny remote) - Cron tool: command scheduling restricted to internal channels - Web fetch: SSRF defense-in-depth (pre-flight + dial-time + redirect checks) - File permissions: session/state dirs 0700, files 0600 - Registry: inject __channel/__chat_id into tool args (replaces racy SetContext) 28 new security regression tests. (cherry picked from commit 191446ae19021604d3d5b0d9376b9655ab749105) * fix(exec): revalidate working_dir before command start * test(web): allow local oversized payload fixture --------- Co-authored-by: xj <gh-xj@users.noreply.github.com>
117 lines
3.7 KiB
Go
117 lines
3.7 KiB
Go
package tools
|
|
|
|
import (
|
|
"context"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/sipeed/picoclaw/pkg/bus"
|
|
"github.com/sipeed/picoclaw/pkg/config"
|
|
"github.com/sipeed/picoclaw/pkg/cron"
|
|
)
|
|
|
|
func newTestCronTool(t *testing.T) *CronTool {
|
|
t.Helper()
|
|
storePath := filepath.Join(t.TempDir(), "cron.json")
|
|
cronService := cron.NewCronService(storePath, nil)
|
|
msgBus := bus.NewMessageBus()
|
|
cfg := config.DefaultConfig()
|
|
tool, err := NewCronTool(cronService, nil, msgBus, t.TempDir(), true, 0, cfg)
|
|
if err != nil {
|
|
t.Fatalf("NewCronTool() error: %v", err)
|
|
}
|
|
return tool
|
|
}
|
|
|
|
// TestCronTool_CommandBlockedFromRemoteChannel verifies command scheduling is restricted to internal channels
|
|
func TestCronTool_CommandBlockedFromRemoteChannel(t *testing.T) {
|
|
tool := newTestCronTool(t)
|
|
ctx := WithToolContext(context.Background(), "telegram", "chat-1")
|
|
result := tool.Execute(ctx, map[string]any{
|
|
"action": "add",
|
|
"message": "check disk",
|
|
"command": "df -h",
|
|
"command_confirm": true,
|
|
"at_seconds": float64(60),
|
|
})
|
|
|
|
if !result.IsError {
|
|
t.Fatal("expected command scheduling to be blocked from remote channel")
|
|
}
|
|
if !strings.Contains(result.ForLLM, "restricted to internal channels") {
|
|
t.Errorf("expected 'restricted to internal channels', got: %s", result.ForLLM)
|
|
}
|
|
}
|
|
|
|
// TestCronTool_CommandRequiresConfirm verifies command_confirm=true is required
|
|
func TestCronTool_CommandRequiresConfirm(t *testing.T) {
|
|
tool := newTestCronTool(t)
|
|
ctx := WithToolContext(context.Background(), "cli", "direct")
|
|
result := tool.Execute(ctx, map[string]any{
|
|
"action": "add",
|
|
"message": "check disk",
|
|
"command": "df -h",
|
|
"at_seconds": float64(60),
|
|
})
|
|
|
|
if !result.IsError {
|
|
t.Fatal("expected error when command_confirm is missing")
|
|
}
|
|
if !strings.Contains(result.ForLLM, "command_confirm=true") {
|
|
t.Errorf("expected 'command_confirm=true' message, got: %s", result.ForLLM)
|
|
}
|
|
}
|
|
|
|
// TestCronTool_CommandAllowedFromInternalChannel verifies command scheduling works from internal channels
|
|
func TestCronTool_CommandAllowedFromInternalChannel(t *testing.T) {
|
|
tool := newTestCronTool(t)
|
|
ctx := WithToolContext(context.Background(), "cli", "direct")
|
|
result := tool.Execute(ctx, map[string]any{
|
|
"action": "add",
|
|
"message": "check disk",
|
|
"command": "df -h",
|
|
"command_confirm": true,
|
|
"at_seconds": float64(60),
|
|
})
|
|
|
|
if result.IsError {
|
|
t.Fatalf("expected command scheduling to succeed from internal channel, got: %s", result.ForLLM)
|
|
}
|
|
if !strings.Contains(result.ForLLM, "Cron job added") {
|
|
t.Errorf("expected 'Cron job added', got: %s", result.ForLLM)
|
|
}
|
|
}
|
|
|
|
// TestCronTool_AddJobRequiresSessionContext verifies fail-closed when channel/chatID missing
|
|
func TestCronTool_AddJobRequiresSessionContext(t *testing.T) {
|
|
tool := newTestCronTool(t)
|
|
result := tool.Execute(context.Background(), map[string]any{
|
|
"action": "add",
|
|
"message": "reminder",
|
|
"at_seconds": float64(60),
|
|
})
|
|
|
|
if !result.IsError {
|
|
t.Fatal("expected error when session context is missing")
|
|
}
|
|
if !strings.Contains(result.ForLLM, "no session context") {
|
|
t.Errorf("expected 'no session context' message, got: %s", result.ForLLM)
|
|
}
|
|
}
|
|
|
|
// TestCronTool_NonCommandJobAllowedFromRemoteChannel verifies regular reminders work from any channel
|
|
func TestCronTool_NonCommandJobAllowedFromRemoteChannel(t *testing.T) {
|
|
tool := newTestCronTool(t)
|
|
ctx := WithToolContext(context.Background(), "telegram", "chat-1")
|
|
result := tool.Execute(ctx, map[string]any{
|
|
"action": "add",
|
|
"message": "time to stretch",
|
|
"at_seconds": float64(600),
|
|
})
|
|
|
|
if result.IsError {
|
|
t.Fatalf("expected non-command reminder to succeed from remote channel, got: %s", result.ForLLM)
|
|
}
|
|
}
|