From 214b3d333676fcd1c45efc7c69fbf253812bf133 Mon Sep 17 00:00:00 2001 From: Francisco Maestre Torreblanca Date: Fri, 1 May 2026 00:14:39 -0500 Subject: [PATCH] fix(pairing): don't silently swallow unexpected stat errors (#63324) Merged via squash. Prepared head SHA: 121512c687150ebda5a91265b90b4a0fe56f349d Co-authored-by: Francisco Maestre Torreblanca <2027043+franciscomaestre@users.noreply.github.com> Co-authored-by: sallyom <11166065+sallyom@users.noreply.github.com> Reviewed-by: @sallyom --- CHANGELOG.md | 1 + src/pairing/allow-from-store-file.test.ts | 29 ++++++++++++++++++++++- src/pairing/allow-from-store-file.ts | 2 +- src/pairing/pairing-store.test.ts | 26 ++++++++++++++++++++ src/pairing/pairing-store.ts | 7 +++++- 5 files changed, 62 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c591ef1537c..fd2c1831035 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -59,6 +59,7 @@ Docs: https://docs.openclaw.ai - Gateway/config: include rejected validation paths in foreground and service last-known-good recovery logs plus main-agent notices, so unsupported direct edits explain which key caused restore instead of looking like silent reversion. Fixes #75060. Thanks @amknight. - Plugins/runtime-deps: hash the OS-canonical `packageRoot` via `fs.realpathSync.native` (with `path.resolve` fallback) when computing the bundled runtime-deps stage key, so loader and channel `bundled-root` callers no longer derive divergent stage directories under `~/.openclaw/plugin-runtime-deps/openclaw--/` and bundled channels stop failing with `ENOENT` on shared dist chunks under Windows npm symlinks, junctions, or PM2 multi-instance worker layouts. Fixes #74963. (#75048) Thanks @openperf and @vincentkoc. - fix(logging): add redaction patterns for Tencent Cloud, Alibaba Cloud, HuggingFace and Replicate API keys (#58162). Thanks @gavyngong +- Pairing: surface unexpected allowlist filesystem stat errors instead of treating the allowlist as missing, so permission and I/O failures are visible during pairing authorization checks. (#63324) Thanks @franciscomaestre. ## 2026.4.29 diff --git a/src/pairing/allow-from-store-file.test.ts b/src/pairing/allow-from-store-file.test.ts index 31341d675e4..f2276ff99e2 100644 --- a/src/pairing/allow-from-store-file.test.ts +++ b/src/pairing/allow-from-store-file.test.ts @@ -1,5 +1,7 @@ -import { describe, expect, it } from "vitest"; +import fs from "node:fs"; +import { describe, expect, it, vi } from "vitest"; import { + readAllowFromFileSyncWithExists, resolveAllowFromAccountId, resolveAllowFromFilePath, safeChannelKey, @@ -25,6 +27,10 @@ function expectInvalidPairingKey(params: { throw new Error("expected invalid pairing key error"); } +function fsError(message: string, code: string): NodeJS.ErrnoException { + return Object.assign(new Error(message), { code }); +} + describe("allow-from store file keys", () => { it("formats invalid channel diagnostics without stringifying unsafe values", () => { const circular: Record = { label: "private-channel-value" }; @@ -65,3 +71,24 @@ describe("allow-from store file keys", () => { }); }); }); + +describe("allow-from store file reads", () => { + it("rethrows unexpected sync stat errors", () => { + const error = fsError("permission denied", "EACCES"); + const statSpy = vi.spyOn(fs, "statSync").mockImplementation(() => { + throw error; + }); + + try { + expect(() => + readAllowFromFileSyncWithExists({ + cacheNamespace: "test", + filePath: "/tmp/openclaw-allowFrom.json", + normalizeStore: () => [], + }), + ).toThrow(error); + } finally { + statSpy.mockRestore(); + } + }); +}); diff --git a/src/pairing/allow-from-store-file.ts b/src/pairing/allow-from-store-file.ts index fe9c5feab82..a1a16e8eafa 100644 --- a/src/pairing/allow-from-store-file.ts +++ b/src/pairing/allow-from-store-file.ts @@ -272,7 +272,7 @@ export function readAllowFromFileSyncWithExists(params: { } catch (err) { const code = (err as { code?: string }).code; if (code !== "ENOENT") { - return { entries: [], exists: false }; + throw err; } } diff --git a/src/pairing/pairing-store.test.ts b/src/pairing/pairing-store.test.ts index 945846e125f..f7afa9936a1 100644 --- a/src/pairing/pairing-store.test.ts +++ b/src/pairing/pairing-store.test.ts @@ -472,6 +472,32 @@ describe("pairing store", () => { }); }); + it("rethrows unexpected stat errors after allowFrom writes", async () => { + await withTempStateDir(async (stateDir) => { + const allowFromPath = resolveAllowFromFilePath(stateDir, "telegram", "yy"); + const error = Object.assign(new Error("stat failed"), { code: "EACCES" }); + const originalStat = fsSync.promises.stat.bind(fsSync.promises); + const statSpy = vi.spyOn(fsSync.promises, "stat").mockImplementation(async (target) => { + if (String(target) === allowFromPath) { + throw error; + } + return await originalStat(target); + }); + + try { + await expect( + addChannelAllowFromStoreEntry({ + channel: "telegram", + accountId: "yy", + entry: "12345", + }), + ).rejects.toBe(error); + } finally { + statSpy.mockRestore(); + } + }); + }); + it("reads allowFrom variants with account-scoped isolation", async () => { await withTempStateDir(async (stateDir) => { for (const { setup, accountId, expected, expectedLegacy } of [ diff --git a/src/pairing/pairing-store.ts b/src/pairing/pairing-store.ts index ed923e8f7a9..dfc8bfc91b2 100644 --- a/src/pairing/pairing-store.ts +++ b/src/pairing/pairing-store.ts @@ -305,7 +305,12 @@ async function writeAllowFromState(filePath: string, allowFrom: string[]): Promi let stat: Awaited> | null = null; try { stat = await fs.promises.stat(filePath); - } catch {} + } catch (err) { + const code = (err as { code?: string }).code; + if (code !== "ENOENT") { + throw err; + } + } setAllowFromFileReadCache({ cacheNamespace: PAIRING_ALLOW_FROM_CACHE_NAMESPACE, filePath,