vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-04 06:00:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden direct CDP websocket validation (#60469) (thanks @eleqtrizit)

Browse Source
This commit is contained in:
Peter Steinberger
2026-04-04 11:47:11 +01:00
parent c3f8427973
commit bc356cc8c2
3 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
extensions/browser/src/browser/cdp.test.ts
View File

@@ -257,6 +257,19 @@ describe("cdp", () => {
).rejects.toBeInstanceOf(SsrFBlockedError);
});
it("blocks direct websocket cdp urls outside strict SSRF policy", async () => {
await expect(
createTargetViaCdp({
cdpUrl: "ws://169.254.169.254:9222/devtools/browser/PIVOT",
url: "https://example.com",
ssrfPolicy: {
dangerouslyAllowPrivateNetwork: false,
allowedHostnames: ["127.0.0.1"],
},
}),
).rejects.toBeInstanceOf(SsrFBlockedError);
});
it("evaluates javascript via CDP", async () => {
const wsPort = await startWsServerWithMessages((msg, socket) => {
if (msg.method === "Runtime.enable") {

1
extensions/browser/src/browser/cdp.ts
View File

@@ -183,6 +183,7 @@ export async function createTargetViaCdp(opts: {
let wsUrl: string;
if (isWebSocketUrl(opts.cdpUrl)) {
// Direct WebSocket URL — skip /json/version discovery.
await assertCdpEndpointAllowed(opts.cdpUrl, opts.ssrfPolicy);
wsUrl = opts.cdpUrl;
} else {
// Standard HTTP(S) CDP endpoint — discover WebSocket URL via /json/version.