[Repo Assist] test: add ExecShellWrapperParser and ExecEnvSanitizer unit tests (+98 tests) #212
Draft
github-actions[bot] wants to merge 1 commit into master from
… tests)

ExecShellWrapperParser (security-critical shell-unwrapping parser):
- 34 new tests covering cmd /c, cmd /k, powershell -Command, -EncodedCommand (-enc/-ec aliases), pwsh, bash/sh wrapping, semicolon/&/&&/|| chaining, quote-protected separators, depth limiting, nested shell wrapping, and shell normalisation
- Exercises all error paths: empty payload, invalid base64, missing -Command arg

ExecEnvSanitizer (env variable security filter):
- 24 new tests covering all 30 known-blocked names, case-insensitive matching, LD_*/DYLD_* prefix blocking, null/whitespace/invalid-char name rejection, mixed allowed+blocked split, all-blocked (null Allowed), all-allowed (empty Blocked)
- Regression-grade: tests that PATH/PATHEXT/ComSpec/GIT_SSH_COMMAND etc. are blocked

Both classes are internal with InternalsVisibleTo already configured for the test project.

Baseline: 652 passed → after: 750 passed (+98); 20 skipped unchanged; Tray 122/122.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🤖 This is an automated PR from Repo Assist.
Adds 98 new unit tests for two security-critical internal classes that previously had zero dedicated test coverage.
What changed
ExecShellWrapperParserTests (34 tests)

ExecShellWrapperParser.Expand is the parser that unwraps nested shell invocations so the approval policy can evaluate the actual underlying command rather than the wrapper. For example, powershell -EncodedCommand <base64> should be unwrapped and checked against the policy — not treated as a single opaque token.

Coverage added:
- cmd /c, cmd /k, cmd.exe variants (payload extraction + cmd shell assignment)
- powershell -Command, -c, -EncodedCommand, -enc, -ec (with base64 decode)
- pwsh equivalents
- bash -c, sh -c, .exe variants
- ;, &, &&, || chaining → multiple targets
- cmd /c powershell -Command ...)
- powershell, explicit shell propagation)
- -Command arg, invalid base64, bad EncodedCommand

ExecEnvSanitizerTests (24 tests)

ExecEnvSanitizer blocks dangerous environment variable overrides before they reach the shell process. Overriding PATH, LD_PRELOAD, GIT_SSH_COMMAND etc. is a well-known privilege-escalation vector.

Coverage added:
- path, Path, COMSPEC, comspec all blocked)
- LD_* and DYLD_* prefix-based blocking
- =, NUL, CR, LF, space, tab) rejected
- Allowed and Blocked
- Allowed is null
- Blocked is empty

Test Status

OpenClaw.Shared.Tests
OpenClaw.Tray.Tests

No failures. Both InternalsVisibleTo and the test infrastructure were already in place.
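
The unwrapping behaviour the description refers to, shown as an added C# sketch that is not OpenClaw's code and not part of this PR. The class name WrapperUnwrap, its Unwrap signature and the depth limit of 4 are assumptions, the inputs are constructed, and command chaining is left out.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
// Constructed inputs. -EncodedCommand carries base64 of the UTF-16LE command text.
string enc = Convert.ToBase64String(Encoding.Unicode.GetBytes("git push origin main"));
string[] samples =
{
    "git status",                                           // no wrapper
    $"powershell -EncodedCommand {enc}",                    // opaque until decoded
    $"cmd /c \"pwsh -ec {enc}\"",                           // nested wrappers
    "powershell -enc not*base64",                           // invalid base64
    "bash -c",                                              // missing payload
    string.Concat(Enumerable.Repeat("cmd /c ", 6)) + "ver", // deeper than MaxDepth
};
foreach (var s in samples)
{
    var (command, error) = WrapperUnwrap.Unwrap(s);
    Console.WriteLine(error is null ? $"evaluate: {command}" : $"reject:   {error}");
}

// Hypothetical sketch, not OpenClaw's ExecShellWrapperParser; chaining is out of scope.
static class WrapperUnwrap
{
    const int MaxDepth = 4; // assumed value; the project's limit is not on the page
    static readonly Regex Wrapper = new(
        @"^\s*(?:cmd(?:\.exe)?\s+/[ck]" +
        @"|(?:powershell|pwsh)(?:\.exe)?\s+-(?<flag>Command|c|EncodedCommand|enc|ec)" +
        @"|(?:bash|sh)(?:\.exe)?\s+-c)(?:\s+(?<payload>.*))?$",
        RegexOptions.IgnoreCase | RegexOptions.Singleline);

    // Returns the innermost command, or an error so the caller can fail closed.
    public static (string? Command, string? Error) Unwrap(string input, int depth = 0)
    {
        if (depth > MaxDepth) return (null, "wrapper nesting too deep");
        var m = Wrapper.Match(input);
        if (!m.Success) return (input.Trim(), null); // leaf: what the policy evaluates
        var payload = m.Groups["payload"].Value.Trim();
        if (payload.Length >= 2 && (payload[0] == '"' || payload[0] == '\'')
            && payload[^1] == payload[0])
            payload = payload[1..^1]; // drop one layer of quoting
        if (payload.Length == 0) return (null, "wrapper has no payload");
        if (m.Groups["flag"].Value.StartsWith("e", StringComparison.OrdinalIgnoreCase))
        {
            try { payload = Encoding.Unicode.GetString(Convert.FromBase64String(payload)); }
            catch (FormatException) { return (null, "invalid base64 in EncodedCommand"); }
        }
        return Unwrap(payload, depth + 1);
    }
}
```

Every error return is a reject rather than a fall-through to the raw string, so a payload the sketch cannot decode is never evaluated as if it were the wrapper itself.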