From a1520d70ff8e9bceed1508aae372f2ced8994108 Mon Sep 17 00:00:00 2001 From: Robin Waslander Date: Wed, 11 Mar 2026 03:56:48 +0100 Subject: [PATCH] fix(gateway): propagate real gateway client into plugin subagent runtime Plugin subagent dispatch used a hardcoded synthetic client carrying operator.admin, operator.approvals, and operator.pairing for all runtime.subagent.* calls. Plugin HTTP routes with auth:"plugin" require no gateway auth by design, so an unauthenticated external request could drive admin-only gateway methods (sessions.delete, agent.run) through the subagent runtime. Propagate the real gateway client into the plugin runtime request scope when one is available. Plugin HTTP routes now run inside a scoped runtime client: auth:"plugin" routes receive a non-admin synthetic operator.write client; gateway-authenticated routes retain admin-capable scopes. The security boundary is enforced at the HTTP handler level. Fixes GHSA-xw77-45gv-p728 --- CHANGELOG.md | 1 + src/gateway/server-methods.ts | 2 +- src/gateway/server-plugins.ts | 2 +- src/gateway/server.talk-config.test.ts | 73 ++++++++------- src/gateway/server/plugins-http.test.ts | 96 ++++++++++++++++++++ src/gateway/server/plugins-http.ts | 81 +++++++++++++---- src/plugins/runtime/gateway-request-scope.ts | 3 +- 7 files changed, 200 insertions(+), 58 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 078c70e1743..b7421450d59 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -97,6 +97,7 @@ Docs: https://docs.openclaw.ai - Agents/Azure OpenAI Responses: include the `azure-openai` provider in the Responses API store override so Azure OpenAI multi-turn cron jobs and embedded agent runs no longer fail with HTTP 400 "store is set to false". (#42934, fixes #42800) Thanks @ademczuk. - Agents/context pruning: prune image-only tool results during soft-trim, align context-pruning coverage with the new tool-result contract, and extend historical image cleanup to the same screenshot-heavy session path. (#43045) Thanks @MoerAI. - fix(models): guard optional model.input capability checks (#42096) thanks @andyliu +- Security/plugin runtime: stop unauthenticated plugin HTTP routes from inheriting synthetic admin gateway scopes when they call `runtime.subagent.*`, so admin-only methods like `sessions.delete` stay blocked without gateway auth. ## 2026.3.8 diff --git a/src/gateway/server-methods.ts b/src/gateway/server-methods.ts index 483914b9bf5..f6f052f8cc2 100644 --- a/src/gateway/server-methods.ts +++ b/src/gateway/server-methods.ts @@ -153,5 +153,5 @@ export async function handleGatewayRequest( // All handlers run inside a request scope so that plugin runtime // subagent methods (e.g. context engine tools spawning sub-agents // during tool execution) can dispatch back into the gateway. - await withPluginRuntimeGatewayRequestScope({ context, isWebchatConnect }, invokeHandler); + await withPluginRuntimeGatewayRequestScope({ context, client, isWebchatConnect }, invokeHandler); } diff --git a/src/gateway/server-plugins.ts b/src/gateway/server-plugins.ts index dde23f703a6..7d8b2a8a051 100644 --- a/src/gateway/server-plugins.ts +++ b/src/gateway/server-plugins.ts @@ -85,7 +85,7 @@ async function dispatchGatewayMethod( method, params, }, - client: createSyntheticOperatorClient(), + client: scope?.client ?? createSyntheticOperatorClient(), isWebchatConnect, respond: (ok, payload, error) => { if (!result) { diff --git a/src/gateway/server.talk-config.test.ts b/src/gateway/server.talk-config.test.ts index f430edfc185..ad9027f36fc 100644 --- a/src/gateway/server.talk-config.test.ts +++ b/src/gateway/server.talk-config.test.ts @@ -6,6 +6,7 @@ import { publicKeyRawBase64UrlFromPem, signDevicePayload, } from "../infra/device-identity.js"; +import { withEnvAsync } from "../test-utils/env.js"; import { buildDeviceAuthPayload } from "./device-auth.js"; import { validateTalkConfigResult } from "./protocol/index.js"; import { @@ -150,45 +151,47 @@ describe("gateway talk.config", () => { }, }); - await withServer(async (ws) => { - await connectOperator(ws, ["operator.read", "operator.write", "operator.talk.secrets"]); - const res = await rpcReq<{ - config?: { - talk?: { - apiKey?: { source?: string; provider?: string; id?: string }; - providers?: { - elevenlabs?: { - apiKey?: { source?: string; provider?: string; id?: string }; + await withEnvAsync({ ELEVENLABS_API_KEY: "env-elevenlabs-key" }, async () => { + await withServer(async (ws) => { + await connectOperator(ws, ["operator.read", "operator.write", "operator.talk.secrets"]); + const res = await rpcReq<{ + config?: { + talk?: { + apiKey?: { source?: string; provider?: string; id?: string }; + providers?: { + elevenlabs?: { + apiKey?: { source?: string; provider?: string; id?: string }; + }; }; - }; - resolved?: { - provider?: string; - config?: { - apiKey?: { source?: string; provider?: string; id?: string }; + resolved?: { + provider?: string; + config?: { + apiKey?: { source?: string; provider?: string; id?: string }; + }; }; }; }; - }; - }>(ws, "talk.config", { - includeSecrets: true, - }); - expect(res.ok).toBe(true); - expect(validateTalkConfigResult(res.payload)).toBe(true); - expect(res.payload?.config?.talk?.apiKey).toEqual({ - source: "env", - provider: "default", - id: "ELEVENLABS_API_KEY", - }); - expect(res.payload?.config?.talk?.providers?.elevenlabs?.apiKey).toEqual({ - source: "env", - provider: "default", - id: "ELEVENLABS_API_KEY", - }); - expect(res.payload?.config?.talk?.resolved?.provider).toBe("elevenlabs"); - expect(res.payload?.config?.talk?.resolved?.config?.apiKey).toEqual({ - source: "env", - provider: "default", - id: "ELEVENLABS_API_KEY", + }>(ws, "talk.config", { + includeSecrets: true, + }); + expect(res.ok).toBe(true); + expect(validateTalkConfigResult(res.payload)).toBe(true); + expect(res.payload?.config?.talk?.apiKey).toEqual({ + source: "env", + provider: "default", + id: "ELEVENLABS_API_KEY", + }); + expect(res.payload?.config?.talk?.providers?.elevenlabs?.apiKey).toEqual({ + source: "env", + provider: "default", + id: "ELEVENLABS_API_KEY", + }); + expect(res.payload?.config?.talk?.resolved?.provider).toBe("elevenlabs"); + expect(res.payload?.config?.talk?.resolved?.config?.apiKey).toEqual({ + source: "env", + provider: "default", + id: "ELEVENLABS_API_KEY", + }); }); }); }); diff --git a/src/gateway/server/plugins-http.test.ts b/src/gateway/server/plugins-http.test.ts index 391792b0022..476f76f8850 100644 --- a/src/gateway/server/plugins-http.test.ts +++ b/src/gateway/server/plugins-http.test.ts @@ -1,5 +1,7 @@ import type { IncomingMessage, ServerResponse } from "node:http"; import { describe, expect, it, vi } from "vitest"; +import type { PluginRuntime } from "../../plugins/runtime/types.js"; +import type { GatewayRequestContext, GatewayRequestOptions } from "../server-methods/types.js"; import { makeMockHttpResponse } from "../test-http-response.js"; import { createTestRegistry } from "./__tests__/test-utils.js"; import { @@ -8,6 +10,22 @@ import { shouldEnforceGatewayAuthForPluginPath, } from "./plugins-http.js"; +const loadOpenClawPlugins = vi.hoisted(() => vi.fn()); +type HandleGatewayRequestOptions = GatewayRequestOptions & { + extraHandlers?: Record; +}; +const handleGatewayRequest = vi.hoisted(() => + vi.fn(async (_opts: HandleGatewayRequestOptions) => {}), +); + +vi.mock("../../plugins/loader.js", () => ({ + loadOpenClawPlugins, +})); + +vi.mock("../server-methods.js", () => ({ + handleGatewayRequest, +})); + type PluginHandlerLog = Parameters[0]["log"]; function createPluginLog(): PluginHandlerLog { @@ -39,7 +57,85 @@ function buildRepeatedEncodedSlash(depth: number): string { return encodedSlash; } +function createSubagentRuntimeRegistry() { + return createTestRegistry(); +} + +async function createSubagentRuntime(): Promise { + const serverPlugins = await import("../server-plugins.js"); + loadOpenClawPlugins.mockReturnValue(createSubagentRuntimeRegistry()); + serverPlugins.loadGatewayPlugins({ + cfg: {}, + workspaceDir: "/tmp", + log: { + info: vi.fn(), + warn: vi.fn(), + error: vi.fn(), + debug: vi.fn(), + }, + coreGatewayHandlers: {}, + baseMethods: [], + }); + serverPlugins.setFallbackGatewayContext({} as GatewayRequestContext); + const call = loadOpenClawPlugins.mock.calls.at(-1)?.[0] as + | { runtimeOptions?: { subagent?: PluginRuntime["subagent"] } } + | undefined; + if (!call?.runtimeOptions?.subagent) { + throw new Error("Expected subagent runtime from loadGatewayPlugins"); + } + return call.runtimeOptions.subagent; +} + describe("createGatewayPluginRequestHandler", () => { + it("caps unauthenticated plugin routes to non-admin subagent scopes", async () => { + loadOpenClawPlugins.mockReset(); + handleGatewayRequest.mockReset(); + handleGatewayRequest.mockImplementation(async (opts: HandleGatewayRequestOptions) => { + const scopes = opts.client?.connect.scopes ?? []; + if (opts.req.method === "sessions.delete" && !scopes.includes("operator.admin")) { + opts.respond(false, undefined, { + code: "invalid_request", + message: "missing scope: operator.admin", + }); + return; + } + opts.respond(true, {}); + }); + + const subagent = await createSubagentRuntime(); + const log = createPluginLog(); + const handler = createGatewayPluginRequestHandler({ + registry: createTestRegistry({ + httpRoutes: [ + createRoute({ + path: "/hook", + auth: "plugin", + handler: async (_req, _res) => { + await subagent.deleteSession({ sessionKey: "agent:main:subagent:child" }); + return true; + }, + }), + ], + }), + log, + }); + + const { res, setHeader, end } = makeMockHttpResponse(); + const handled = await handler({ url: "/hook" } as IncomingMessage, res, undefined, { + gatewayAuthSatisfied: false, + }); + + expect(handled).toBe(true); + expect(handleGatewayRequest).toHaveBeenCalledTimes(1); + expect(handleGatewayRequest.mock.calls[0]?.[0]?.client?.connect.scopes).toEqual([ + "operator.write", + ]); + expect(res.statusCode).toBe(500); + expect(setHeader).toHaveBeenCalledWith("Content-Type", "text/plain; charset=utf-8"); + expect(end).toHaveBeenCalledWith("Internal Server Error"); + expect(log.warn).toHaveBeenCalledWith(expect.stringContaining("missing scope: operator.admin")); + }); + it("returns false when no routes are registered", async () => { const log = createPluginLog(); const handler = createGatewayPluginRequestHandler({ diff --git a/src/gateway/server/plugins-http.ts b/src/gateway/server/plugins-http.ts index 50114a33af6..6147e1bee99 100644 --- a/src/gateway/server/plugins-http.ts +++ b/src/gateway/server/plugins-http.ts @@ -1,6 +1,11 @@ import type { IncomingMessage, ServerResponse } from "node:http"; import type { createSubsystemLogger } from "../../logging/subsystem.js"; import type { PluginRegistry } from "../../plugins/registry.js"; +import { withPluginRuntimeGatewayRequestScope } from "../../plugins/runtime/gateway-request-scope.js"; +import { ADMIN_SCOPE, APPROVALS_SCOPE, PAIRING_SCOPE, WRITE_SCOPE } from "../method-scopes.js"; +import { GATEWAY_CLIENT_IDS, GATEWAY_CLIENT_MODES } from "../protocol/client-info.js"; +import { PROTOCOL_VERSION } from "../protocol/index.js"; +import type { GatewayRequestOptions } from "../server-methods/types.js"; import { resolvePluginRoutePathContext, type PluginRoutePathContext, @@ -21,6 +26,32 @@ export { shouldEnforceGatewayAuthForPluginPath } from "./plugins-http/route-auth type SubsystemLogger = ReturnType; +function createPluginRouteRuntimeClient(params: { + requiresGatewayAuth: boolean; + gatewayAuthSatisfied?: boolean; +}): GatewayRequestOptions["client"] { + // Plugin-authenticated webhooks can still use non-admin subagent helpers, + // but they must not inherit admin-only gateway methods by default. + const scopes = + params.requiresGatewayAuth && params.gatewayAuthSatisfied !== false + ? [ADMIN_SCOPE, APPROVALS_SCOPE, PAIRING_SCOPE] + : [WRITE_SCOPE]; + return { + connect: { + minProtocol: PROTOCOL_VERSION, + maxProtocol: PROTOCOL_VERSION, + client: { + id: GATEWAY_CLIENT_IDS.GATEWAY_CLIENT, + version: "internal", + platform: "node", + mode: GATEWAY_CLIENT_MODES.BACKEND, + }, + role: "operator", + scopes, + }, + }; +} + export type PluginHttpRequestHandler = ( req: IncomingMessage, res: ServerResponse, @@ -49,30 +80,40 @@ export function createGatewayPluginRequestHandler(params: { if (matchedRoutes.length === 0) { return false; } - if ( - matchedPluginRoutesRequireGatewayAuth(matchedRoutes) && - dispatchContext?.gatewayAuthSatisfied === false - ) { + const requiresGatewayAuth = matchedPluginRoutesRequireGatewayAuth(matchedRoutes); + if (requiresGatewayAuth && dispatchContext?.gatewayAuthSatisfied === false) { log.warn(`plugin http route blocked without gateway auth (${pathContext.canonicalPath})`); return false; } + const runtimeClient = createPluginRouteRuntimeClient({ + requiresGatewayAuth, + gatewayAuthSatisfied: dispatchContext?.gatewayAuthSatisfied, + }); - for (const route of matchedRoutes) { - try { - const handled = await route.handler(req, res); - if (handled !== false) { - return true; + return await withPluginRuntimeGatewayRequestScope( + { + client: runtimeClient, + isWebchatConnect: () => false, + }, + async () => { + for (const route of matchedRoutes) { + try { + const handled = await route.handler(req, res); + if (handled !== false) { + return true; + } + } catch (err) { + log.warn(`plugin http route failed (${route.pluginId ?? "unknown"}): ${String(err)}`); + if (!res.headersSent) { + res.statusCode = 500; + res.setHeader("Content-Type", "text/plain; charset=utf-8"); + res.end("Internal Server Error"); + } + return true; + } } - } catch (err) { - log.warn(`plugin http route failed (${route.pluginId ?? "unknown"}): ${String(err)}`); - if (!res.headersSent) { - res.statusCode = 500; - res.setHeader("Content-Type", "text/plain; charset=utf-8"); - res.end("Internal Server Error"); - } - return true; - } - } - return false; + return false; + }, + ); }; } diff --git a/src/plugins/runtime/gateway-request-scope.ts b/src/plugins/runtime/gateway-request-scope.ts index 11ed9cb4980..72a6f5af402 100644 --- a/src/plugins/runtime/gateway-request-scope.ts +++ b/src/plugins/runtime/gateway-request-scope.ts @@ -5,7 +5,8 @@ import type { } from "../../gateway/server-methods/types.js"; export type PluginRuntimeGatewayRequestScope = { - context: GatewayRequestContext; + context?: GatewayRequestContext; + client?: GatewayRequestOptions["client"]; isWebchatConnect: GatewayRequestOptions["isWebchatConnect"]; };