fix(security): harden safeBins path trust

Peter Steinberger
2026-02-18 04:54:46 +01:00
parent 42d2a61888
commit 28bac46c92
5 changed files with 82 additions and 31 deletions

@@ -127,6 +127,8 @@ positional file args and path-like tokens, so they can only operate on the incom
Safe bins also force argv tokens to be treated as **literal text** at execution time (no globbing
and no `$VARS` expansion) for stdin-only segments, so patterns like `*` or `$HOME/...` cannot be
used to smuggle file reads.
Safe bins must also resolve from trusted binary directories (system defaults plus the gateway
process `PATH` at startup). This blocks request-scoped PATH hijacking attempts.
Shell chaining and redirections are not auto-allowed in allowlist mode.
Shell chaining (`&&`, `||`, `;`) is allowed when every top-level segment satisfies the allowlist
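Review bot: The added sentence "system defaults plus the gateway process `PATH` at startup" leaves two things undocumented: which directories count as system defaults, and what happens when a safe bin resolves outside the trusted set (rejected outright, or handed to the normal allowlist and approval path). It is also worth stating that the startup `PATH` is trusted as-is, so a gateway launched with a user-writable or relative entry on `PATH` extends trust to that directory. A one-line caveat telling operators to check the launch environment would cover that case.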