fix(gateway): propagate real gateway client into plugin subagent runtime

Plugin subagent dispatch used a hardcoded synthetic client carrying operator.admin, operator.approvals, and operator.pairing for all runtime.subagent.* calls. Plugin HTTP routes with auth:"plugin" require no gateway auth by design, so an unauthenticated external request could drive admin-only gateway methods (sessions.delete, agent.run) through the subagent runtime. Propagate the real gateway client into the plugin runtime request scope when one is available. Plugin HTTP routes now run inside a scoped runtime client: auth:"plugin" routes receive a non-admin synthetic operator.write client; gateway-authenticated routes retain admin-capable scopes. The security boundary is enforced at the HTTP handler level. Fixes GHSA-xw77-45gv-p728
2026-03-12 07:20:45 +00:00 · 2026-03-11 03:56:48 +01:00
parent dafd61b5c1
commit a1520d70ff
7 changed files with 200 additions and 58 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -97,6 +97,7 @@ Docs: https://docs.openclaw.ai
 - Agents/Azure OpenAI Responses: include the `azure-openai` provider in the Responses API store override so Azure OpenAI multi-turn cron jobs and embedded agent runs no longer fail with HTTP 400 "store is set to false". (#42934, fixes #42800) Thanks @ademczuk.
 - Agents/context pruning: prune image-only tool results during soft-trim, align context-pruning coverage with the new tool-result contract, and extend historical image cleanup to the same screenshot-heavy session path. (#43045) Thanks @MoerAI.
 - fix(models): guard optional model.input capability checks (#42096) thanks @andyliu
+- Security/plugin runtime: stop unauthenticated plugin HTTP routes from inheriting synthetic admin gateway scopes when they call `runtime.subagent.*`, so admin-only methods like `sessions.delete` stay blocked without gateway auth.

 ## 2026.3.8

--- a/src/gateway/server-methods.ts
+++ b/src/gateway/server-methods.ts
@@ -153,5 +153,5 @@ export async function handleGatewayRequest(
  // All handlers run inside a request scope so that plugin runtime
  // subagent methods (e.g. context engine tools spawning sub-agents
  // during tool execution) can dispatch back into the gateway.
-  await withPluginRuntimeGatewayRequestScope({ context, isWebchatConnect }, invokeHandler);
+  await withPluginRuntimeGatewayRequestScope({ context, client, isWebchatConnect }, invokeHandler);
 }
--- a/src/gateway/server-plugins.ts
+++ b/src/gateway/server-plugins.ts
@@ -85,7 +85,7 @@ async function dispatchGatewayMethod<T>(
      method,
      params,
    },
-    client: createSyntheticOperatorClient(),
+    client: scope?.client ?? createSyntheticOperatorClient(),
    isWebchatConnect,
    respond: (ok, payload, error) => {
      if (!result) {
--- a/src/gateway/server.talk-config.test.ts
+++ b/src/gateway/server.talk-config.test.ts
@@ -6,6 +6,7 @@ import {
  publicKeyRawBase64UrlFromPem,
  signDevicePayload,
 } from "../infra/device-identity.js";
+import { withEnvAsync } from "../test-utils/env.js";
 import { buildDeviceAuthPayload } from "./device-auth.js";
 import { validateTalkConfigResult } from "./protocol/index.js";
 import {
@@ -150,45 +151,47 @@ describe("gateway talk.config", () => {
      },
    });

-    await withServer(async (ws) => {
-      await connectOperator(ws, ["operator.read", "operator.write", "operator.talk.secrets"]);
-      const res = await rpcReq<{
-        config?: {
-          talk?: {
-            apiKey?: { source?: string; provider?: string; id?: string };
-            providers?: {
-              elevenlabs?: {
-                apiKey?: { source?: string; provider?: string; id?: string };
+    await withEnvAsync({ ELEVENLABS_API_KEY: "env-elevenlabs-key" }, async () => {
+      await withServer(async (ws) => {
+        await connectOperator(ws, ["operator.read", "operator.write", "operator.talk.secrets"]);
+        const res = await rpcReq<{
+          config?: {
+            talk?: {
+              apiKey?: { source?: string; provider?: string; id?: string };
+              providers?: {
+                elevenlabs?: {
+                  apiKey?: { source?: string; provider?: string; id?: string };
+                };
              };
-            };
-            resolved?: {
-              provider?: string;
-              config?: {
-                apiKey?: { source?: string; provider?: string; id?: string };
+              resolved?: {
+                provider?: string;
+                config?: {
+                  apiKey?: { source?: string; provider?: string; id?: string };
+                };
              };
            };
          };
-        };
-      }>(ws, "talk.config", {
-        includeSecrets: true,
-      });
-      expect(res.ok).toBe(true);
-      expect(validateTalkConfigResult(res.payload)).toBe(true);
-      expect(res.payload?.config?.talk?.apiKey).toEqual({
-        source: "env",
-        provider: "default",
-        id: "ELEVENLABS_API_KEY",
-      });
-      expect(res.payload?.config?.talk?.providers?.elevenlabs?.apiKey).toEqual({
-        source: "env",
-        provider: "default",
-        id: "ELEVENLABS_API_KEY",
-      });
-      expect(res.payload?.config?.talk?.resolved?.provider).toBe("elevenlabs");
-      expect(res.payload?.config?.talk?.resolved?.config?.apiKey).toEqual({
-        source: "env",
-        provider: "default",
-        id: "ELEVENLABS_API_KEY",
+        }>(ws, "talk.config", {
+          includeSecrets: true,
+        });
+        expect(res.ok).toBe(true);
+        expect(validateTalkConfigResult(res.payload)).toBe(true);
+        expect(res.payload?.config?.talk?.apiKey).toEqual({
+          source: "env",
+          provider: "default",
+          id: "ELEVENLABS_API_KEY",
+        });
+        expect(res.payload?.config?.talk?.providers?.elevenlabs?.apiKey).toEqual({
+          source: "env",
+          provider: "default",
+          id: "ELEVENLABS_API_KEY",
+        });
+        expect(res.payload?.config?.talk?.resolved?.provider).toBe("elevenlabs");
+        expect(res.payload?.config?.talk?.resolved?.config?.apiKey).toEqual({
+          source: "env",
+          provider: "default",
+          id: "ELEVENLABS_API_KEY",
+        });
      });
    });
  });
--- a/src/gateway/server/plugins-http.test.ts
+++ b/src/gateway/server/plugins-http.test.ts
@@ -1,5 +1,7 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { describe, expect, it, vi } from "vitest";
+import type { PluginRuntime } from "../../plugins/runtime/types.js";
+import type { GatewayRequestContext, GatewayRequestOptions } from "../server-methods/types.js";
 import { makeMockHttpResponse } from "../test-http-response.js";
 import { createTestRegistry } from "./__tests__/test-utils.js";
 import {
@@ -8,6 +10,22 @@ import {
  shouldEnforceGatewayAuthForPluginPath,
 } from "./plugins-http.js";

+const loadOpenClawPlugins = vi.hoisted(() => vi.fn());
+type HandleGatewayRequestOptions = GatewayRequestOptions & {
+  extraHandlers?: Record<string, unknown>;
+};
+const handleGatewayRequest = vi.hoisted(() =>
+  vi.fn(async (_opts: HandleGatewayRequestOptions) => {}),
+);
+
+vi.mock("../../plugins/loader.js", () => ({
+  loadOpenClawPlugins,
+}));
+
+vi.mock("../server-methods.js", () => ({
+  handleGatewayRequest,
+}));
+
 type PluginHandlerLog = Parameters<typeof createGatewayPluginRequestHandler>[0]["log"];

 function createPluginLog(): PluginHandlerLog {
@@ -39,7 +57,85 @@ function buildRepeatedEncodedSlash(depth: number): string {
  return encodedSlash;
 }

+function createSubagentRuntimeRegistry() {
+  return createTestRegistry();
+}
+
+async function createSubagentRuntime(): Promise<PluginRuntime["subagent"]> {
+  const serverPlugins = await import("../server-plugins.js");
+  loadOpenClawPlugins.mockReturnValue(createSubagentRuntimeRegistry());
+  serverPlugins.loadGatewayPlugins({
+    cfg: {},
+    workspaceDir: "/tmp",
+    log: {
+      info: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      debug: vi.fn(),
+    },
+    coreGatewayHandlers: {},
+    baseMethods: [],
+  });
+  serverPlugins.setFallbackGatewayContext({} as GatewayRequestContext);
+  const call = loadOpenClawPlugins.mock.calls.at(-1)?.[0] as
+    | { runtimeOptions?: { subagent?: PluginRuntime["subagent"] } }
+    | undefined;
+  if (!call?.runtimeOptions?.subagent) {
+    throw new Error("Expected subagent runtime from loadGatewayPlugins");
+  }
+  return call.runtimeOptions.subagent;
+}
+
 describe("createGatewayPluginRequestHandler", () => {
+  it("caps unauthenticated plugin routes to non-admin subagent scopes", async () => {
+    loadOpenClawPlugins.mockReset();
+    handleGatewayRequest.mockReset();
+    handleGatewayRequest.mockImplementation(async (opts: HandleGatewayRequestOptions) => {
+      const scopes = opts.client?.connect.scopes ?? [];
+      if (opts.req.method === "sessions.delete" && !scopes.includes("operator.admin")) {
+        opts.respond(false, undefined, {
+          code: "invalid_request",
+          message: "missing scope: operator.admin",
+        });
+        return;
+      }
+      opts.respond(true, {});
+    });
+
+    const subagent = await createSubagentRuntime();
+    const log = createPluginLog();
+    const handler = createGatewayPluginRequestHandler({
+      registry: createTestRegistry({
+        httpRoutes: [
+          createRoute({
+            path: "/hook",
+            auth: "plugin",
+            handler: async (_req, _res) => {
+              await subagent.deleteSession({ sessionKey: "agent:main:subagent:child" });
+              return true;
+            },
+          }),
+        ],
+      }),
+      log,
+    });
+
+    const { res, setHeader, end } = makeMockHttpResponse();
+    const handled = await handler({ url: "/hook" } as IncomingMessage, res, undefined, {
+      gatewayAuthSatisfied: false,
+    });
+
+    expect(handled).toBe(true);
+    expect(handleGatewayRequest).toHaveBeenCalledTimes(1);
+    expect(handleGatewayRequest.mock.calls[0]?.[0]?.client?.connect.scopes).toEqual([
+      "operator.write",
+    ]);
+    expect(res.statusCode).toBe(500);
+    expect(setHeader).toHaveBeenCalledWith("Content-Type", "text/plain; charset=utf-8");
+    expect(end).toHaveBeenCalledWith("Internal Server Error");
+    expect(log.warn).toHaveBeenCalledWith(expect.stringContaining("missing scope: operator.admin"));
+  });
+
  it("returns false when no routes are registered", async () => {
    const log = createPluginLog();
    const handler = createGatewayPluginRequestHandler({
--- a/src/gateway/server/plugins-http.ts
+++ b/src/gateway/server/plugins-http.ts
@@ -1,6 +1,11 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { createSubsystemLogger } from "../../logging/subsystem.js";
 import type { PluginRegistry } from "../../plugins/registry.js";
+import { withPluginRuntimeGatewayRequestScope } from "../../plugins/runtime/gateway-request-scope.js";
+import { ADMIN_SCOPE, APPROVALS_SCOPE, PAIRING_SCOPE, WRITE_SCOPE } from "../method-scopes.js";
+import { GATEWAY_CLIENT_IDS, GATEWAY_CLIENT_MODES } from "../protocol/client-info.js";
+import { PROTOCOL_VERSION } from "../protocol/index.js";
+import type { GatewayRequestOptions } from "../server-methods/types.js";
 import {
  resolvePluginRoutePathContext,
  type PluginRoutePathContext,
@@ -21,6 +26,32 @@ export { shouldEnforceGatewayAuthForPluginPath } from "./plugins-http/route-auth

 type SubsystemLogger = ReturnType<typeof createSubsystemLogger>;

+function createPluginRouteRuntimeClient(params: {
+  requiresGatewayAuth: boolean;
+  gatewayAuthSatisfied?: boolean;
+}): GatewayRequestOptions["client"] {
+  // Plugin-authenticated webhooks can still use non-admin subagent helpers,
+  // but they must not inherit admin-only gateway methods by default.
+  const scopes =
+    params.requiresGatewayAuth && params.gatewayAuthSatisfied !== false
+      ? [ADMIN_SCOPE, APPROVALS_SCOPE, PAIRING_SCOPE]
+      : [WRITE_SCOPE];
+  return {
+    connect: {
+      minProtocol: PROTOCOL_VERSION,
+      maxProtocol: PROTOCOL_VERSION,
+      client: {
+        id: GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+        version: "internal",
+        platform: "node",
+        mode: GATEWAY_CLIENT_MODES.BACKEND,
+      },
+      role: "operator",
+      scopes,
+    },
+  };
+}
+
 export type PluginHttpRequestHandler = (
  req: IncomingMessage,
  res: ServerResponse,
@@ -49,30 +80,40 @@ export function createGatewayPluginRequestHandler(params: {
    if (matchedRoutes.length === 0) {
      return false;
    }
-    if (
-      matchedPluginRoutesRequireGatewayAuth(matchedRoutes) &&
-      dispatchContext?.gatewayAuthSatisfied === false
-    ) {
+    const requiresGatewayAuth = matchedPluginRoutesRequireGatewayAuth(matchedRoutes);
+    if (requiresGatewayAuth && dispatchContext?.gatewayAuthSatisfied === false) {
      log.warn(`plugin http route blocked without gateway auth (${pathContext.canonicalPath})`);
      return false;
    }
+    const runtimeClient = createPluginRouteRuntimeClient({
+      requiresGatewayAuth,
+      gatewayAuthSatisfied: dispatchContext?.gatewayAuthSatisfied,
+    });

-    for (const route of matchedRoutes) {
-      try {
-        const handled = await route.handler(req, res);
-        if (handled !== false) {
-          return true;
+    return await withPluginRuntimeGatewayRequestScope(
+      {
+        client: runtimeClient,
+        isWebchatConnect: () => false,
+      },
+      async () => {
+        for (const route of matchedRoutes) {
+          try {
+            const handled = await route.handler(req, res);
+            if (handled !== false) {
+              return true;
+            }
+          } catch (err) {
+            log.warn(`plugin http route failed (${route.pluginId ?? "unknown"}): ${String(err)}`);
+            if (!res.headersSent) {
+              res.statusCode = 500;
+              res.setHeader("Content-Type", "text/plain; charset=utf-8");
+              res.end("Internal Server Error");
+            }
+            return true;
+          }
        }
-      } catch (err) {
-        log.warn(`plugin http route failed (${route.pluginId ?? "unknown"}): ${String(err)}`);
-        if (!res.headersSent) {
-          res.statusCode = 500;
-          res.setHeader("Content-Type", "text/plain; charset=utf-8");
-          res.end("Internal Server Error");
-        }
-        return true;
-      }
-    }
-    return false;
+        return false;
+      },
+    );
  };
 }
--- a/src/plugins/runtime/gateway-request-scope.ts
+++ b/src/plugins/runtime/gateway-request-scope.ts
@@ -5,7 +5,8 @@ import type {
 } from "../../gateway/server-methods/types.js";

 export type PluginRuntimeGatewayRequestScope = {
-  context: GatewayRequestContext;
+  context?: GatewayRequestContext;
+  client?: GatewayRequestOptions["client"];
  isWebchatConnect: GatewayRequestOptions["isWebchatConnect"];
 };