vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-05 16:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(config): harden include file loading path checks

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 12:23:22 +01:00
parent caace61ba1
commit 9925ac6a2d
5 changed files with 180 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
src/config/includes.test.ts
View File

@@ -5,6 +5,7 @@ import { describe, expect, it } from "vitest";
import {
CircularIncludeError,
ConfigIncludeError,
MAX_INCLUDE_FILE_BYTES,
deepMerge,
type IncludeResolver,
resolveConfigIncludes,
@@ -640,5 +641,55 @@ describe("security: path traversal protection (CWE-22)", () => {
await fs.rm(tempRoot, { recursive: true, force: true });
}
});
it("rejects include files that are hardlinked aliases", async () => {
if (process.platform === "win32") {
return;
}
const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-includes-hardlink-"));
try {
const configDir = path.join(tempRoot, "config");
const outsideDir = path.join(tempRoot, "outside");
await fs.mkdir(configDir, { recursive: true });
await fs.mkdir(outsideDir, { recursive: true });
const includePath = path.join(configDir, "extra.json5");
const outsidePath = path.join(outsideDir, "secret.json5");
await fs.writeFile(outsidePath, '{"logging":{"redactSensitive":"tools"}}\n', "utf-8");
try {
await fs.link(outsidePath, includePath);
} catch (err) {
if ((err as NodeJS.ErrnoException).code === "EXDEV") {
return;
}
throw err;
}
expect(() =>
resolveConfigIncludes(
{ $include: "./extra.json5" },
path.join(configDir, "openclaw.json"),
),
).toThrow(/security checks|hardlink/i);
} finally {
await fs.rm(tempRoot, { recursive: true, force: true });
}
});
it("rejects oversized include files", async () => {
const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-includes-big-"));
try {
const configDir = path.join(tempRoot, "config");
await fs.mkdir(configDir, { recursive: true });
const includePath = path.join(configDir, "big.json5");
const payload = "a".repeat(MAX_INCLUDE_FILE_BYTES + 1);
await fs.writeFile(includePath, `{"blob":"${payload}"}`, "utf-8");
expect(() =>
resolveConfigIncludes({ $include: "./big.json5" }, path.join(configDir, "openclaw.json")),
).toThrow(/security checks|max/i);
} finally {
await fs.rm(tempRoot, { recursive: true, force: true });
}
});
});
});