| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/JAVA/Openclaw/src/commands/doctor/shared/ (KI Agentensystem Version 22©) Datei vom 26.3.2026 mit Größe 8 kB |
|
Quelle exec-safe-bins.tsSprache: JAVA |
|||||||||
|
Spracherkennung für: .ts vermutete Sprache: Unknown {[0] [0] [0]} [Methode: Schwerpunktbildung, einfache Gewichte, sechs Dimensionen] import type { OpenClawConfig } from "../../../config/types.openclaw.js";
import { resolveCommandResolutionFromArgv } from "../../../infra/exec-command-resolut import { listInterpreterLikeSafeBins, resolveMergedSafeBinProfileFixtures, } from "../../../infra/exec-safe-bin-runtime-policy.js"; import { listRiskyConfiguredSafeBins } from "../../../infra/exec-safe-bin-semantics.j import { getTrustedSafeBinDirs, isTrustedSafeBinPath, normalizeTrustedSafeBinDirs, } from "../../../infra/exec-safe-bin-trust.js"; import { normalizeOptionalLowercaseString } from "../../../shared/string-coerce.js"; import { sanitizeForLog } from "../../../terminal/ansi.js"; import { asObjectRecord } from "./object.js"; export type ExecSafeBinCoverageHit = { scopePath: string; bin: string; kind: "missingProfile" | "riskySemantics"; isInterpreter?: boolean; warning?: string; }; type ExecSafeBinScopeRef = { scopePath: string; safeBins: string[]; exec: Record<string, unknown>; mergedProfiles: Record<string, unknown>; trustedSafeBinDirs: ReadonlySet<string>; }; export type ExecSafeBinTrustedDirHintHit = { scopePath: string; bin: string; resolvedPath: string; }; function normalizeConfiguredSafeBins(entries: unknown): string[] { if (!Array.isArray(entries)) { return []; } return Array.from( new Set( entries .map((entry) => normalizeOptionalLowercaseString(entry) ?? "") .filter((entry) => entry.length > 0), ), ).toSorted(); } function normalizeConfiguredTrustedSafeBinDirs(entries: unknown): string[] { if (!Array.isArray(entries)) { return []; } return normalizeTrustedSafeBinDirs( entries.filter((entry): entry is string => typeof entry === "string"), ); } function collectExecSafeBinScopes(cfg: OpenClawConfig): ExecSafeBinScopeRef[] { const scopes: ExecSafeBinScopeRef[] = []; const globalExec = asObjectRecord(cfg.tools?.exec); const globalTrustedDirs = normalizeConfiguredTrustedSafeBinDirs(globalExec?.safeBin if (globalExec) { const safeBins = normalizeConfiguredSafeBins(globalExec.safeBins); if (safeBins.length > 0) { scopes.push({ scopePath: "tools.exec", safeBins, exec: globalExec, mergedProfiles: resolveMergedSafeBinProfileFixtures({ global: globalExec, }) ?? {}, trustedSafeBinDirs: getTrustedSafeBinDirs({ extraDirs: globalTrustedDirs, }), }); } } const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : []; for (const agent of agents) { if (!agent || typeof agent !== "object" || typeof agent.id !== "string") { continue; } const agentExec = asObjectRecord(agent.tools?.exec); if (!agentExec) { continue; } const safeBins = normalizeConfiguredSafeBins(agentExec.safeBins); if (safeBins.length === 0) { continue; } scopes.push({ scopePath: `agents.list.${agent.id}.tools.exec`, safeBins, exec: agentExec, mergedProfiles: resolveMergedSafeBinProfileFixtures({ global: globalExec, local: agentExec, }) ?? {}, trustedSafeBinDirs: getTrustedSafeBinDirs({ extraDirs: [ ...globalTrustedDirs, ...normalizeConfiguredTrustedSafeBinDirs(agentExec.safeBinTrustedDirs), ], }), }); } return scopes; } export function scanExecSafeBinCoverage(cfg: OpenClawConfig): ExecSafeBinCoverageHit const hits: ExecSafeBinCoverageHit[] = []; for (const scope of collectExecSafeBinScopes(cfg)) { const interpreterBins = new Set(listInterpreterLikeSafeBins(scope.safeBins)); for (const bin of scope.safeBins) { if (scope.mergedProfiles[bin]) { continue; } hits.push({ scopePath: scope.scopePath, bin, kind: "missingProfile", isInterpreter: interpreterBins.has(bin), }); } for (const hit of listRiskyConfiguredSafeBins(scope.safeBins)) { hits.push({ scopePath: scope.scopePath, bin: hit.bin, kind: "riskySemantics", warning: hit.warning, }); } } return hits; } export function scanExecSafeBinTrustedDirHints( cfg: OpenClawConfig, ): ExecSafeBinTrustedDirHintHit[] { const hits: ExecSafeBinTrustedDirHintHit[] = []; for (const scope of collectExecSafeBinScopes(cfg)) { for (const bin of scope.safeBins) { const resolution = resolveCommandResolutionFromArgv([bin]); if (!resolution?.execution.resolvedPath) { continue; } if ( isTrustedSafeBinPath({ resolvedPath: resolution.execution.resolvedPath, trustedDirs: scope.trustedSafeBinDirs, }) ) { continue; } hits.push({ scopePath: scope.scopePath, bin, resolvedPath: resolution.execution.resolvedPath, }); } } return hits; } export function collectExecSafeBinCoverageWarnings(params: { hits: ExecSafeBinCoverageHit[]; doctorFixCommand: string; }): string[] { if (params.hits.length === 0) { return []; } const interpreterHits = params.hits.filter( (hit) => hit.kind === "missingProfile" && hit.isInterpreter, ); const customHits = params.hits.filter( (hit) => hit.kind === "missingProfile" && !hit.isInterpreter, ); const riskyHits = params.hits.filter((hit) => hit.kind === "riskySemantics"); const lines: string[] = []; if (interpreterHits.length > 0) { for (const hit of interpreterHits.slice(0, 5)) { lines.push( `- ${sanitizeForLog(hit.scopePath)}.safeBins includes interpreter/runtime '${sanitiz ); } if (interpreterHits.length > 5) { lines.push( `- ${interpreterHits.length - 5} more interpreter/runtime safeBins entries are missing pro ); } } if (customHits.length > 0) { for (const hit of customHits.slice(0, 5)) { lines.push( `- ${sanitizeForLog(hit.scopePath)}.safeBins entry '${sanitizeForLog(hit.bin)}' is mi ); } if (customHits.length > 5) { lines.push(`- ${customHits.length - 5} more custom safeBins entries are missing profiles.` } } if (riskyHits.length > 0) { for (const hit of riskyHits.slice(0, 5)) { lines.push( `- ${sanitizeForLog(hit.scopePath)}.safeBins includes '${sanitizeForLog(hit.bin)}': ); } if (riskyHits.length > 5) { lines.push( `- ${riskyHits.length - 5} more safeBins entries should not use the low-risk safeBins fast pat ); } } lines.push( `- Run "${params.doctorFixCommand}" to scaffold missing custom safeBinProfiles entries.` ); return lines; } export function collectExecSafeBinTrustedDirHintWarnings( hits: ExecSafeBinTrustedDirHintHit[], ): string[] { if (hits.length === 0) { return []; } const lines = hits .slice(0, 5) .map( (hit) => `- ${sanitizeForLog(hit.scopePath)}.safeBins entry '${sanitizeForLog(hit.bin)}' reso ); if (hits.length > 5) { lines.push(`- ${hits.length - 5} more safeBins entries resolve outside trusted safe-bin dir } lines.push( "- If intentional, add the binary directory to tools.exec.safeBinTrustedDirs (global or age ); return lines; } export function maybeRepairExecSafeBinProfiles(cfg: OpenClawConfig): { config: OpenClawConfig; changes: string[]; warnings: string[]; } { const next = structuredClone(cfg); const changes: string[] = []; const warnings: string[] = []; for (const scope of collectExecSafeBinScopes(next)) { const interpreterBins = new Set(listInterpreterLikeSafeBins(scope.safeBins)); for (const hit of listRiskyConfiguredSafeBins(scope.safeBins)) { warnings.push(`- ${scope.scopePath}.safeBins includes '${hit.bin}': ${hit.warning}`) } const missingBins = scope.safeBins.filter((bin) => !scope.mergedProfiles[bin]); if (missingBins.length === 0) { continue; } const profileHolder = asObjectRecord(scope.exec.safeBinProfiles) ?? (scope.exec.safeBinProfiles = {}); for (const bin of missingBins) { if (interpreterBins.has(bin)) { warnings.push( `- ${scope.scopePath}.safeBins includes interpreter/runtime '${bin}' without profile; r ); continue; } if (profileHolder[bin] !== undefined) { continue; } profileHolder[bin] = {}; changes.push( `- ${scope.scopePath}.safeBinProfiles.${bin}: added scaffold profile {} (review and tigh ); } } if (changes.length === 0 && warnings.length === 0) { return { config: cfg, changes: [], warnings: [] }; } return { config: next, changes, warnings }; } ¤ Dauer der Verarbeitung: 0.22 Sekunden (vorverarbeitet am 2026-04-27) ¤*© Formatika GbR, Deutschland |
|
2026-05-26