Files
cft0808--edict/tests/test_cwe22_file_url.py
2026-07-13 13:32:32 +08:00

103 lines
3.4 KiB
Python

"""
PoC test: CWE-22 — Path traversal via file:// URL in add_remote_skill
reads arbitrary local files without allowed_roots check.
Expected: FAIL before fix, PASS after fix.
"""
import json, pathlib, sys, os, tempfile
# Setup project paths
REPO_ROOT = pathlib.Path(__file__).resolve().parent.parent
sys.path.insert(0, str(REPO_ROOT / 'dashboard'))
sys.path.insert(0, str(REPO_ROOT / 'scripts'))
def test_file_url_path_traversal_blocked(tmp_path):
"""file:// URLs pointing outside allowed_roots must be rejected."""
import server as srv
# Create a fake data dir with agent_config
data_dir = tmp_path / 'data'
data_dir.mkdir()
(data_dir / 'agent_config.json').write_text(json.dumps({
'agents': [{'id': 'testagent', 'skills': []}]
}))
srv.DATA = data_dir
# Create a temp OCLAW_HOME that doesn't contain the secret file
oclaw_home = tmp_path / '.openclaw'
oclaw_home.mkdir()
srv.OCLAW_HOME = oclaw_home
# Create a "secret" file outside any allowed root
secret_dir = tmp_path / 'secrets'
secret_dir.mkdir()
secret_file = secret_dir / 'SKILL.md'
# Must have valid frontmatter to pass content validation
secret_file.write_text('---\nname: evil\n---\nSECRET DATA\n')
# Attempt to read via file:// URL — this should be BLOCKED
result = srv.add_remote_skill('testagent', 'evilskill', f'file://{secret_file}')
# The fix should reject this because the path is outside allowed_roots
assert result['ok'] is False, (
f"VULNERABILITY: file:// URL read arbitrary file outside allowed_roots! "
f"Result: {result}"
)
assert '路径' in result.get('error', '') or 'allow' in result.get('error', '').lower(), (
f"Expected path restriction error, got: {result.get('error')}"
)
def test_file_url_within_allowed_roots_works(tmp_path):
"""file:// URLs within allowed_roots should still work after the fix."""
import server as srv
# Setup
data_dir = tmp_path / 'data'
data_dir.mkdir()
(data_dir / 'agent_config.json').write_text(json.dumps({
'agents': [{'id': 'testagent', 'skills': []}]
}))
srv.DATA = data_dir
oclaw_home = tmp_path / '.openclaw'
oclaw_home.mkdir()
srv.OCLAW_HOME = oclaw_home
# Place a valid skill file inside OCLAW_HOME (an allowed root)
skill_src = oclaw_home / 'shared_skills' / 'goodskill'
skill_src.mkdir(parents=True)
good_file = skill_src / 'SKILL.md'
good_file.write_text('---\nname: goodskill\ndescription: a good skill\n---\n\n# Good Skill\n\nDoes good things.\n')
result = srv.add_remote_skill('testagent', 'goodskill', f'file://{good_file}')
assert result['ok'] is True, (
f"file:// URL within allowed_roots should work! Result: {result}"
)
def test_file_url_etc_passwd_blocked(tmp_path):
"""Classic /etc/passwd read via file:// must be blocked."""
import server as srv
data_dir = tmp_path / 'data'
data_dir.mkdir()
(data_dir / 'agent_config.json').write_text(json.dumps({
'agents': [{'id': 'testagent', 'skills': []}]
}))
srv.DATA = data_dir
oclaw_home = tmp_path / '.openclaw'
oclaw_home.mkdir()
srv.OCLAW_HOME = oclaw_home
result = srv.add_remote_skill('testagent', 'readpasswd', 'file:///etc/passwd')
# Must be rejected (either file doesn't exist, or path not in allowed_roots)
assert result['ok'] is False, (
f"VULNERABILITY: file:// read /etc/passwd! Result: {result}"
)