fix(security): harden system.run companion command binding

Peter Steinberger
2026-02-25 00:01:53 +00:00
parent 8680240f7e
commit 55cf92578d
6 changed files with 520 additions and 5 deletions


@@ -291,7 +291,6 @@ export async function handleSystemRunInvoke(opts: HandleSystemRunInvokeOptions):
}
const argv = command.argv;
const rawCommand = command.rawCommand ?? "";
const shellCommand = command.shellCommand;
const cmdText = command.cmdText;
const agentId = opts.params.agentId?.trim() || undefined;
@@ -388,7 +387,9 @@ export async function handleSystemRunInvoke(opts: HandleSystemRunInvokeOptions):
if (useMacAppExec) {
const execRequest: ExecHostRequest = {
command: plannedAllowlistArgv ?? argv,
rawCommand: rawCommand || shellCommand || null,
// Forward canonical display text so companion approval/prompt surfaces bind to
// the exact command context already validated on the node-host.
rawCommand: cmdText || null,
cwd: opts.params.cwd ?? null,
env: envOverrides ?? null,
timeoutMs: opts.params.timeoutMs ?? null,
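Review bot: In the `execRequest` literal the approval text and the executed argv now come from different values: `rawCommand` is `cmdText`, while `command` on the line above is `plannedAllowlistArgv ?? argv`, and nothing visible in this hunk keeps the two in step. If the planned argv can ever differ from the argv that `cmdText` was rendered from, the companion prompt would show one command and run another, so I would state the invariant next to the field, e.g. `// Invariant: cmdText renders the same argv sent in command; the companion must reject a mismatch.`, and check it on the receiving side. Also, `cmdText || null` turns an empty string into `null`; the companion should presumably refuse to prompt without display text rather than fall back to its own rendering, which is worth confirming. The body of `handleSystemRunInvoke` starts and ends outside the hunk, so how `cmdText` and `plannedAllowlistArgv` are derived is not visible here.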