fix(security): block cross-origin mutations on loopback browser routes

This commit is contained in:
Peter Steinberger
2026-02-14 15:40:56 +01:00
parent 1f1fc095a0
commit b566b09f81
4 changed files with 167 additions and 0 deletions


@@ -5,6 +5,7 @@ import type { ResolvedBrowserConfig } from "./config.js";
import type { BrowserRouteRegistrar } from "./routes/types.js";
import { isLoopbackHost } from "../gateway/net.js";
import { deleteBridgeAuthForPort, setBridgeAuthForPort } from "./bridge-auth-registry.js";
import { browserMutationGuardMiddleware } from "./csrf.js";
import { isAuthorizedBrowserRequest } from "./http-auth.js";
import { registerBrowserRoutes } from "./routes/index.js";
import {
@@ -49,6 +50,7 @@ export async function startBrowserBridgeServer(params: {
next();
});
app.use(express.json({ limit: "1mb" }));
app.use(browserMutationGuardMiddleware());
const authToken = params.authToken?.trim() || undefined;
const authPassword = params.authPassword?.trim() || undefined;