diff --git a/.github/codeql/codeql-raw-socket-boundary-critical-quality.yml b/.github/codeql/codeql-network-runtime-boundary-critical-quality.yml similarity index 76% rename from .github/codeql/codeql-raw-socket-boundary-critical-quality.yml rename to .github/codeql/codeql-network-runtime-boundary-critical-quality.yml index 5bdb6b2f626..13afe6264f2 100644 --- a/.github/codeql/codeql-raw-socket-boundary-critical-quality.yml +++ b/.github/codeql/codeql-network-runtime-boundary-critical-quality.yml @@ -1,9 +1,10 @@ -name: openclaw-codeql-raw-socket-boundary-critical-quality +name: openclaw-codeql-network-runtime-boundary-critical-quality disable-default-queries: true queries: - uses: ./.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql + - uses: ./.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql paths: - src diff --git a/.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql b/.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql new file mode 100644 index 00000000000..c460dc83bc6 --- /dev/null +++ b/.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql 
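Review bot: The visible `paths:` entry of the renamed config lists only `- src`, while the query it now enables restricts itself with `relevantSourceFile` to `^(src|extensions)/…` and its allowlist names `extensions/browser/src/browser/cdp-proxy-bypass.ts`. If the three lines not shown in this hunk do not add `- extensions`, nothing under `extensions/` enters the CodeQL database and the `NoProxyLeaseManager` owner-scope entries are dead, whereas the deleted opengrep rules included `extensions/**/*.ts` explicitly. If that is the case, add `  - extensions` under `paths:`; otherwise a short comment such as `# paths must cover every directory relevantSourceFile() in the queries accepts` would stop the two lists drifting apart.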
@@ -0,0 +1,325 @@ +/** + * @name Managed proxy runtime mutation + * @description Proxy-related process.env and GLOBAL_AGENT runtime mutations must stay in managed proxy owner scopes. + * @kind problem + * @problem.severity error + * @precision high + * @id js/openclaw/managed-proxy-runtime-mutation + * @tags maintainability + * security + * external/cwe/cwe-441 + */ + +import javascript + +predicate forbiddenEnvKey(string key) { + key = + [ + "HTTP_PROXY", + "HTTPS_PROXY", + "http_proxy", + "https_proxy", + "NO_PROXY", + "no_proxy", + "GLOBAL_AGENT_HTTP_PROXY", + "GLOBAL_AGENT_HTTPS_PROXY", + "GLOBAL_AGENT_NO_PROXY", + "GLOBAL_AGENT_FORCE_GLOBAL_AGENT", + "OPENCLAW_PROXY_ACTIVE", + "OPENCLAW_PROXY_LOOPBACK_MODE" + ] +} + +predicate forbiddenGlobalAgentKey(string key) { key = ["HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY"] } + +predicate relevantSourceFile(File file) { + exists(string path | + path = file.getRelativePath() and + path.regexpMatch("^(src|extensions)/.*\\.(ts|mts|js|mjs)$") and + not path.regexpMatch(".*\\.(test|spec)\\.(ts|mts|js|mjs)$") and + not path.regexpMatch(".*\\.(test-utils|test-harness|e2e-harness)\\.ts$") and + not path.regexpMatch(".*/test-support/.*") and + not path.regexpMatch(".*/vendor/.*") and + not path.regexpMatch(".*\\.min\\.js$") and + not path.regexpMatch("^extensions/diffs/assets/.*") + ) +} + +predicate namedExpr(Expr expr, string name) { + expr.getUnderlyingValue().(Identifier).getName() = name +} + +predicate directProcessEnvExpr(Expr expr) { + exists(PropAccess access | + expr.getUnderlyingValue() = access and + access.getPropertyName() = "env" and + namedExpr(access.getBase(), "process") + ) +} + +predicate envAlias(Variable variable) { + exists(VariableDeclarator decl | + decl.getBindingPattern().getAVariable() = variable and + directProcessEnvExpr(decl.getInit()) + ) + or + exists(VariableDeclarator decl, ObjectPattern pattern, PropertyPattern property | + decl.getBindingPattern() = pattern and + namedExpr(decl.getInit(), 
"process") and + property = pattern.getAPropertyPattern() and + property.getName() = "env" and + property.getValuePattern().(BindingPattern).getAVariable() = variable + ) +} + +predicate processEnvExpr(Expr expr) { + directProcessEnvExpr(expr) + or + exists(VarAccess access | + expr.getUnderlyingValue() = access and + envAlias(access.getVariable()) + ) +} + +predicate stringConst(Variable variable, string value) { + exists(VariableDeclarator decl | + decl.getBindingPattern().getAVariable() = variable and + value = decl.getInit().getStringValue() + ) +} + +predicate stringArrayContains(Variable variable, string value) { + exists(VariableDeclarator decl, ArrayExpr array, Expr element | + decl.getBindingPattern().getAVariable() = variable and + decl.getInit().getUnderlyingValue() = array and + element = array.getAnElement().getUnderlyingValue() and + value = element.getStringValue() + ) + or + exists(VariableDeclarator decl, ArrayExpr array, SpreadElement spread, VarAccess access | + decl.getBindingPattern().getAVariable() = variable and + decl.getInit().getUnderlyingValue() = array and + spread = array.getAnElement().getUnderlyingValue() and + spread.getOperand().getUnderlyingValue() = access and + stringArrayContains(access.getVariable(), value) + ) +} + +predicate forbiddenEnvLoopVariable(Variable variable) { + exists(ForOfStmt loop, VarAccess domain, string key | + variable = loop.getAnIterationVariable() and + loop.getIterationDomain().getUnderlyingValue() = domain and + stringArrayContains(domain.getVariable(), key) and + forbiddenEnvKey(key) + ) +} + +predicate envKeyExprForbidden(Expr keyExpr) { + forbiddenEnvKey(keyExpr.getStringValue()) + or + exists(VarAccess access, string key | + keyExpr.getUnderlyingValue() = access and + stringConst(access.getVariable(), key) and + forbiddenEnvKey(key) + ) + or + exists(VarAccess access | + keyExpr.getUnderlyingValue() = access and + forbiddenEnvLoopVariable(access.getVariable()) + ) +} + +predicate 
globalAgentKeyExprForbidden(Expr keyExpr) { + forbiddenGlobalAgentKey(keyExpr.getStringValue()) + or + exists(VarAccess access, string key | + keyExpr.getUnderlyingValue() = access and + stringConst(access.getVariable(), key) and + forbiddenGlobalAgentKey(key) + ) +} + +predicate directGlobalExpr(Expr expr) { + namedExpr(expr, "global") + or + namedExpr(expr, "globalThis") +} + +predicate globalAlias(Variable variable) { + exists(VariableDeclarator decl | + decl.getBindingPattern().getAVariable() = variable and + directGlobalExpr(decl.getInit()) + ) +} + +predicate globalExpr(Expr expr) { + directGlobalExpr(expr) + or + exists(VarAccess access | + expr.getUnderlyingValue() = access and + globalAlias(access.getVariable()) + ) +} + +predicate directGlobalAgentExpr(Expr expr) { + exists(PropAccess access | + expr.getUnderlyingValue() = access and + access.getPropertyName() = "GLOBAL_AGENT" and + globalExpr(access.getBase()) + ) +} + +predicate globalAgentAlias(Variable variable) { + exists(VariableDeclarator decl | + decl.getBindingPattern().getAVariable() = variable and + directGlobalAgentExpr(decl.getInit()) + ) +} + +predicate globalAgentExpr(Expr expr) { + directGlobalAgentExpr(expr) + or + exists(VarAccess access | + expr.getUnderlyingValue() = access and + globalAgentAlias(access.getVariable()) + ) +} + +predicate envMutationTarget(Expr target) { + exists(PropAccess access | + target.getUnderlyingReference() = access and + processEnvExpr(access.getBase()) and + ( + forbiddenEnvKey(access.getPropertyName()) + or + envKeyExprForbidden(access.getPropertyNameExpr()) + ) + ) +} + +predicate globalAgentMutationTarget(Expr target) { + globalAgentExpr(target) + or + exists(PropAccess access | + target.getUnderlyingReference() = access and + globalAgentExpr(access.getBase()) and + ( + forbiddenGlobalAgentKey(access.getPropertyName()) + or + globalAgentKeyExprForbidden(access.getPropertyNameExpr()) + ) + ) +} + +predicate objectPropertyWithKey(Expr expr, string key) { + 
exists(ObjectExpr object, Property property | + expr.getUnderlyingValue() = object and + property = object.getAProperty() and + property.getName() = key + ) +} + +Expr managedProxyRuntimeMutation() { + exists(Assignment assignment | + result = assignment and + ( + envMutationTarget(assignment.getTarget()) + or + globalAgentMutationTarget(assignment.getTarget()) + ) + ) + or + exists(DeleteExpr delete | + result = delete and + ( + envMutationTarget(delete.getOperand()) + or + globalAgentMutationTarget(delete.getOperand()) + ) + ) + or + exists(MethodCallExpr call | + result = call and + namedExpr(call.getReceiver(), "Object") and + call.getMethodName() = "assign" and + ( + processEnvExpr(call.getArgument(0)) and + exists(string key | + forbiddenEnvKey(key) and + objectPropertyWithKey(call.getArgument(1), key) + ) + or + globalAgentExpr(call.getArgument(0)) and + exists(string key | + forbiddenGlobalAgentKey(key) and + objectPropertyWithKey(call.getArgument(1), key) + ) + ) + ) + or + exists(MethodCallExpr call | + result = call and + namedExpr(call.getReceiver(), "Object") and + call.getMethodName() = "defineProperty" and + ( + processEnvExpr(call.getArgument(0)) and + envKeyExprForbidden(call.getArgument(1)) + or + globalAgentExpr(call.getArgument(0)) and + globalAgentKeyExprForbidden(call.getArgument(1)) + ) + ) +} + +predicate allowedFunctionOwnerScope(Expr mutation, string path, string functionName) { + exists(Function owner | + mutation.getFile().getRelativePath() = path and + owner.getFile() = mutation.getFile() and + owner.getName() = functionName and + mutation.getParent*() = owner.getBody() + ) +} + +predicate allowedMethodOwnerScope(Expr mutation, string path, string methodName) { + exists(MethodDeclaration method | + mutation.getFile().getRelativePath() = path and + method.getFile() = mutation.getFile() and + method.getDeclaringType().getName() + "." 
+ method.getName() = methodName and + mutation.getParent*() = method.getBody().getBody() + ) +} + +predicate allowedManagedProxyRuntimeMutation(Expr mutation) { + allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", "applyProxyEnv") + or + allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", "restoreProxyEnv") + or + allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", + "restoreGlobalAgentRuntime") + or + allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", + "restoreNodeHttpStack") + or + allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", + "bootstrapNodeHttpStack") + or + allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", + "writeGlobalAgentNoProxy") + or + allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", + "disableGlobalAgentProxyForIpv6GatewayLoopback") + or + allowedMethodOwnerScope(mutation, "extensions/browser/src/browser/cdp-proxy-bypass.ts", + "NoProxyLeaseManager.acquire") + or + allowedMethodOwnerScope(mutation, "extensions/browser/src/browser/cdp-proxy-bypass.ts", + "NoProxyLeaseManager.release") +} + +from Expr mutation +where + managedProxyRuntimeMutation() = mutation and + relevantSourceFile(mutation.getFile()) and + not allowedManagedProxyRuntimeMutation(mutation) +select mutation, + "Only managed proxy owner scopes may mutate proxy-related process.env or GLOBAL_AGENT runtime state." diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml index be50d6687ed..c72854b9816 100644 --- a/.github/workflows/codeql-critical-quality.yml +++ b/.github/workflows/codeql-critical-quality.yml 
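Review bot: `allowedManagedProxyRuntimeMutation` merges the two allowlists of the opengrep rules this commit deletes, so every listed owner scope now exempts both kinds of mutation — a `process.env.HTTPS_PROXY` write inside `bootstrapNodeHttpStack`, or a `GLOBAL_AGENT.NO_PROXY` write inside `applyProxyEnv`, is no longer reported, whereas the removed `managed-proxy-process-env-mutation` and `managed-proxy-global-agent-mutation` rules each excluded only their own owner functions. Tagging each disjunct of `managedProxyRuntimeMutation` with a kind (`"env"` for the `envMutationTarget`/`processEnvExpr` branches, `"globalAgent"` for the `globalAgentMutationTarget`/`globalAgentExpr` branches) and keying the allowlist on that kind restores the split, as sketched below. The matched mutation forms are also narrower than the rule names suggest: `Reflect.set`, `Reflect.deleteProperty`, `Reflect.defineProperty` and `Object.defineProperties` on `process.env` or `GLOBAL_AGENT` hit no branch, and `forbiddenEnvLoopVariable` only follows a `for…of` over a named array, not an inline array literal or a `.forEach` callback — either cover these or state them as out of scope in the query's QLDoc. None of the predicates carry QLDoc; at minimum the allowlist should say that its entries mirror function names in `proxy-lifecycle.ts` and `cdp-proxy-bypass.ts` and must be updated on rename, since a rename otherwise turns the owners' own mutations into findings.
```ql
// … unchanged: forbiddenEnvKey … objectPropertyWithKey …

/** Holds if `mutation` changes proxy runtime state; `kind` is "env" or "globalAgent". */
predicate managedProxyRuntimeMutation(Expr mutation, string kind) {
  kind = "env" and
  (
    exists(Assignment assignment | mutation = assignment and envMutationTarget(assignment.getTarget()))
    or
    exists(DeleteExpr delete | mutation = delete and envMutationTarget(delete.getOperand()))
    // … unchanged: Object.assign / Object.defineProperty branches guarded by processEnvExpr …
  )
  or
  kind = "globalAgent" and
  (
    exists(Assignment assignment | mutation = assignment and globalAgentMutationTarget(assignment.getTarget()))
    or
    exists(DeleteExpr delete | mutation = delete and globalAgentMutationTarget(delete.getOperand()))
    // … unchanged: Object.assign / Object.defineProperty branches guarded by globalAgentExpr …
  )
}

// … unchanged: allowedFunctionOwnerScope, allowedMethodOwnerScope …

/**
 * Owner scopes allowed to mutate state of `kind`. Mirrors the exclusions of the
 * removed opengrep rules: env keys only in the proxy-lifecycle env functions and
 * the NoProxyLeaseManager lease methods, GLOBAL_AGENT only in the Node HTTP stack
 * owners. Keep in sync with the function names in those files.
 */
predicate allowedManagedProxyRuntimeMutation(Expr mutation, string kind) {
  kind = "env" and
  (
    allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
      ["applyProxyEnv", "restoreProxyEnv"])
    or
    allowedMethodOwnerScope(mutation, "extensions/browser/src/browser/cdp-proxy-bypass.ts",
      ["NoProxyLeaseManager.acquire", "NoProxyLeaseManager.release"])
  )
  or
  kind = "globalAgent" and
  allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
    [
      "restoreGlobalAgentRuntime", "restoreNodeHttpStack", "bootstrapNodeHttpStack",
      "writeGlobalAgentNoProxy", "disableGlobalAgentProxyForIpv6GatewayLoopback"
    ])
}

from Expr mutation, string kind
where
  managedProxyRuntimeMutation(mutation, kind) and
  relevantSourceFile(mutation.getFile()) and
  not allowedManagedProxyRuntimeMutation(mutation, kind)
select mutation,
  "Only managed proxy owner scopes may mutate proxy-related process.env or GLOBAL_AGENT runtime state."
```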
@@ -21,7 +21,7 @@ on: - plugin-sdk-package-contract - plugin-sdk-reply-runtime - provider-runtime-boundary - - raw-socket-boundary + - network-runtime-boundary - session-diagnostics-boundary pull_request: types: [opened, synchronize, reopened, ready_for_review] @@ -164,7 +164,7 @@ jobs: plugin_sdk_package: ${{ steps.detect.outputs.plugin_sdk_package }} plugin_sdk_reply: ${{ steps.detect.outputs.plugin_sdk_reply }} provider: ${{ steps.detect.outputs.provider }} - raw_socket: ${{ steps.detect.outputs.raw_socket }} + network_runtime: ${{ steps.detect.outputs.network_runtime }} session_diagnostics: ${{ steps.detect.outputs.session_diagnostics }} steps: - name: Detect PR shard paths @@ -188,7 +188,7 @@ jobs: plugin_sdk_package=false plugin_sdk_reply=false provider=false - raw_socket=false + network_runtime=false session_diagnostics=false if [[ "${EVENT_NAME}" != "pull_request" ]]; then @@ -203,7 +203,7 @@ jobs: plugin_sdk_package=true plugin_sdk_reply=true provider=true - raw_socket=true + network_runtime=true session_diagnostics=true else while IFS= read -r file; do @@ -220,11 +220,11 @@ jobs: plugin_sdk_package=true plugin_sdk_reply=true provider=true - raw_socket=true + network_runtime=true session_diagnostics=true ;; src/*.ts|src/**/*.ts|extensions/*.ts|extensions/**/*.ts) - raw_socket=true + network_runtime=true ;; src/acp/control-plane/*|src/agents/cli-runner/*|src/agents/command/*|src/agents/pi-embedded-runner/*|src/agents/tools/*|src/agents/*completion*.ts|src/agents/*transport*.ts|src/agents/model-*.ts|src/agents/openclaw-tools*.ts|src/agents/provider-*.ts|src/agents/session*.ts|src/agents/tool-call*.ts|src/auto-reply/reply/agent-runner*.ts|src/auto-reply/reply/commands*.ts|src/auto-reply/reply/directive-handling*.ts|src/auto-reply/reply/dispatch-*.ts|src/auto-reply/reply/get-reply-run*.ts|src/auto-reply/reply/provider-dispatcher*.ts|src/auto-reply/reply/queue*.ts|src/auto-reply/reply/reply-run-registry*.ts|src/auto-reply/reply/session*.ts) agent=true 
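Review bot: In the `@@ -220,11 +220,11 @@` hunk the case arm `src/*.ts|src/**/*.ts|extensions/*.ts|extensions/**/*.ts)` sets `network_runtime=true` only for `.ts` paths, while the query this shard now gates accepts `.ts|.mts|.js|.mjs` in `relevantSourceFile` and the opengrep rules this commit deletes listed `src/**/*.mjs`, `extensions/**/*.js` and the like. A pull request that touches only such a file would therefore skip the `network-runtime-boundary` job and the proxy-mutation policy would not run on it; this looks inherited from the raw-socket shard, but it matters more now that CodeQL is the only remaining check for that policy. Extending the arm, e.g. `src/*.ts|src/**/*.ts|src/*.mts|src/**/*.mts|src/*.js|src/**/*.js|src/*.mjs|src/**/*.mjs|extensions/*.ts|extensions/**/*.ts|extensions/*.mts|extensions/**/*.mts|extensions/*.js|extensions/**/*.js|extensions/*.mjs|extensions/**/*.mjs)`, closes the gap. The `while … read` loop and the earlier arm that enables every shard start outside this hunk, so whether a `.github/codeql/**` change already forces the job on cannot be confirmed from here.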
@@ -308,7 +308,7 @@ jobs: echo "plugin_sdk_package=${plugin_sdk_package}" echo "plugin_sdk_reply=${plugin_sdk_reply}" echo "provider=${provider}" - echo "raw_socket=${raw_socket}" + echo "network_runtime=${network_runtime}" echo "session_diagnostics=${session_diagnostics}" } >> "${GITHUB_OUTPUT}" @@ -404,10 +404,10 @@ jobs: with: category: "/codeql-critical-quality/channel-runtime-boundary" - raw-socket-boundary: - name: Critical Quality (raw-socket-boundary) + network-runtime-boundary: + name: Critical Quality (network-runtime-boundary) needs: quality-shards - if: ${{ needs.quality-shards.outputs.raw_socket == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'raw-socket-boundary') }} + if: ${{ needs.quality-shards.outputs.network_runtime == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'network-runtime-boundary') }} runs-on: blacksmith-4vcpu-ubuntu-2404 timeout-minutes: 25 steps: @@ -420,16 +420,16 @@ jobs: uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 with: languages: javascript-typescript - config-file: ./.github/codeql/codeql-raw-socket-boundary-critical-quality.yml + config-file: ./.github/codeql/codeql-network-runtime-boundary-critical-quality.yml - name: Analyze id: analyze uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 with: output: sarif-results - category: "/codeql-critical-quality/raw-socket-boundary" + category: "/codeql-critical-quality/network-runtime-boundary" - - name: Fail on raw socket findings + - name: Fail on network runtime boundary findings env: SARIF_OUTPUT: sarif-results run: | 
@@ -447,7 +447,7 @@ jobs: exit 0 fi - echo "Found ${findings} unclassified raw socket client callsite(s):" >&2 + echo "Found ${findings} network runtime boundary finding(s):" >&2 jq -r ' .runs[]?.results[]? | .locations[0].physicalLocation as $location diff --git a/security/opengrep/precise.yml b/security/opengrep/precise.yml index 2eb13d9f4f4..79ca4608352 100644 --- a/security/opengrep/precise.yml +++ b/security/opengrep/precise.yml @@ -5,7 +5,7 @@ # # Source rules dir: security/opengrep/rules/openclaw-policy # Generated at : 2026-05-07T04:40:02.803Z -# Rule count : 154 +# Rule count : 148 rules: - id: ghsa-25gx-x37c-7pph.openclaw-novnc-x11vnc-missing-auth message: x11vnc starts without VNC authentication; avoid -nopw and require password auth when exposing noVNC observer access. 
@@ -5010,513 +5010,3 @@ rules: - "**/*.test.mjs" patterns: - pattern: http2.connect(...) - - id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-process-env-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate proxy-related process.env runtime state. - metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - CWE-441 - category: security - confidence: HIGH - detector-bucket: precise - source-rule-id: managed-proxy-process-env-mutation - source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml - paths: - include: - - src/**/*.ts - - src/**/*.mts - - src/**/*.js - - src/**/*.mjs - - extensions/**/*.ts - - extensions/**/*.mts - - extensions/**/*.js - - extensions/**/*.mjs - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - pattern: process.env.$KEY = ... - - pattern: process.env[$KEY] = ... - - pattern: delete process.env.$KEY - - pattern: delete process.env[$KEY] - - pattern: Object.defineProperty(process.env, $KEY, ...) - - pattern: | - Object.assign(process.env, { $KEY: ... }) - - metavariable-regex: - metavariable: $KEY - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$ - - pattern-not-inside: | - function applyProxyEnv(...) { - ... - } - - pattern-not-inside: | - function restoreProxyEnv(...) { - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - acquire(...) { - ... - } - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - release(...) { - ... - } - ... 
- } - - id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-process-env-alias-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate proxy-related process.env aliases. - metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - CWE-441 - category: security - confidence: HIGH - detector-bucket: precise - source-rule-id: managed-proxy-process-env-alias-mutation - source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml - paths: - include: - - src/**/*.ts - - src/**/*.mts - - src/**/*.js - - src/**/*.mjs - - extensions/**/*.ts - - extensions/**/*.mts - - extensions/**/*.js - - extensions/**/*.mjs - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - patterns: - - pattern-inside: | - const $ENV = process.env; - ... - - pattern-either: - - pattern: $ENV.$KEY = ... - - pattern: $ENV[$KEY] = ... - - pattern: delete $ENV.$KEY - - pattern: delete $ENV[$KEY] - - pattern: Object.defineProperty($ENV, $KEY, ...) - - pattern: | - Object.assign($ENV, { $KEY: ... }) - - patterns: - - pattern-inside: | - const { env } = process; - ... - - pattern-either: - - pattern: env.$KEY = ... - - pattern: env[$KEY] = ... - - pattern: delete env.$KEY - - pattern: delete env[$KEY] - - pattern: Object.defineProperty(env, $KEY, ...) - - pattern: | - Object.assign(env, { $KEY: ... }) - - metavariable-regex: - metavariable: $KEY - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$ - - pattern-not-inside: | - function applyProxyEnv(...) { - ... - } - - pattern-not-inside: | - function restoreProxyEnv(...) { - ... 
- } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - acquire(...) { - ... - } - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - release(...) { - ... - } - ... - } - - id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-process-env-dynamic-key-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate process.env through proxy-related dynamic keys. - metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - CWE-441 - category: security - confidence: HIGH - detector-bucket: precise - source-rule-id: managed-proxy-process-env-dynamic-key-mutation - source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml - paths: - include: - - src/**/*.ts - - src/**/*.mts - - src/**/*.js - - src/**/*.mjs - - extensions/**/*.ts - - extensions/**/*.mts - - extensions/**/*.js - - extensions/**/*.mjs - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - patterns: - - pattern-inside: | - const $KEYS = [..., $FORBIDDEN, ...]; - ... - for (const $KEY of $KEYS) { - ... - } - - pattern-either: - - pattern: process.env[$KEY] = ... - - pattern: delete process.env[$KEY] - - patterns: - - pattern-inside: | - const $SOURCE_KEYS = [..., $FORBIDDEN, ...]; - ... - const $KEYS = [..., ...$SOURCE_KEYS, ...]; - ... - for (const $KEY of $KEYS) { - ... - } - - pattern-either: - - pattern: process.env[$KEY] = ... - - pattern: delete process.env[$KEY] - - patterns: - - pattern-inside: | - const $ENV = process.env; - ... - const $KEYS = [..., $FORBIDDEN, ...]; - ... - for (const $KEY of $KEYS) { - ... - } - - pattern-either: - - pattern: $ENV[$KEY] = ... 
- - pattern: delete $ENV[$KEY] - - metavariable-regex: - metavariable: $FORBIDDEN - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$ - - pattern-not-inside: | - function applyProxyEnv(...) { - ... - } - - pattern-not-inside: | - function restoreProxyEnv(...) { - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - acquire(...) { - ... - } - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - release(...) { - ... - } - ... - } - - id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-global-agent-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate GLOBAL_AGENT proxy runtime state. - metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - CWE-441 - category: security - confidence: HIGH - detector-bucket: precise - source-rule-id: managed-proxy-global-agent-mutation - source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml - paths: - include: - - src/**/*.ts - - src/**/*.mts - - src/**/*.js - - src/**/*.mjs - - extensions/**/*.ts - - extensions/**/*.mts - - extensions/**/*.js - - extensions/**/*.mjs - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - pattern: global.GLOBAL_AGENT = ... - - pattern: globalThis.GLOBAL_AGENT = ... - - pattern: global["GLOBAL_AGENT"] = ... - - pattern: globalThis["GLOBAL_AGENT"] = ... - - pattern: global.GLOBAL_AGENT.$KEY = ... - - pattern: global.GLOBAL_AGENT[$KEY] = ... - - pattern: globalThis.GLOBAL_AGENT.$KEY = ... - - pattern: globalThis.GLOBAL_AGENT[$KEY] = ... - - pattern: global["GLOBAL_AGENT"][$KEY] = ... 
- - pattern: globalThis["GLOBAL_AGENT"][$KEY] = ... - - pattern: delete global.GLOBAL_AGENT - - pattern: delete globalThis.GLOBAL_AGENT - - pattern: delete global["GLOBAL_AGENT"] - - pattern: delete globalThis["GLOBAL_AGENT"] - - pattern: delete global.GLOBAL_AGENT.$KEY - - pattern: delete global.GLOBAL_AGENT[$KEY] - - pattern: delete globalThis.GLOBAL_AGENT.$KEY - - pattern: delete globalThis.GLOBAL_AGENT[$KEY] - - pattern: Object.defineProperty(global.GLOBAL_AGENT, $KEY, ...) - - pattern: Object.defineProperty(globalThis.GLOBAL_AGENT, $KEY, ...) - - pattern: | - Object.assign(global.GLOBAL_AGENT, { $KEY: ... }) - - pattern: | - Object.assign(globalThis.GLOBAL_AGENT, { $KEY: ... }) - - metavariable-regex: - metavariable: $KEY - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|NO_PROXY)["']?$ - - pattern-not-inside: | - function restoreGlobalAgentRuntime(...) { - ... - } - - pattern-not-inside: | - function restoreNodeHttpStack(...) { - ... - } - - pattern-not-inside: | - function bootstrapNodeHttpStack(...) { - ... - } - - pattern-not-inside: | - function writeGlobalAgentNoProxy(...) { - ... - } - - pattern-not-inside: | - function disableGlobalAgentProxyForIpv6GatewayLoopback(...) { - ... - } - - id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-global-agent-object-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may replace or delete GLOBAL_AGENT runtime state. 
- metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - CWE-441 - category: security - confidence: HIGH - detector-bucket: precise - source-rule-id: managed-proxy-global-agent-object-mutation - source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml - paths: - include: - - src/**/*.ts - - src/**/*.mts - - src/**/*.js - - src/**/*.mjs - - extensions/**/*.ts - - extensions/**/*.mts - - extensions/**/*.js - - extensions/**/*.mjs - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - pattern: global.GLOBAL_AGENT = ... - - pattern: globalThis.GLOBAL_AGENT = ... - - pattern: global["GLOBAL_AGENT"] = ... - - pattern: globalThis["GLOBAL_AGENT"] = ... - - pattern: delete global.GLOBAL_AGENT - - pattern: delete globalThis.GLOBAL_AGENT - - pattern: delete global["GLOBAL_AGENT"] - - pattern: delete globalThis["GLOBAL_AGENT"] - - patterns: - - pattern-inside: | - const $GLOBAL = global; - ... - - pattern-either: - - pattern: $GLOBAL.GLOBAL_AGENT = ... - - pattern: $GLOBAL["GLOBAL_AGENT"] = ... - - pattern: delete $GLOBAL.GLOBAL_AGENT - - pattern: delete $GLOBAL["GLOBAL_AGENT"] - - patterns: - - pattern-inside: | - const $GLOBAL = global as $TYPE; - ... - - pattern-either: - - pattern: $GLOBAL.GLOBAL_AGENT = ... - - pattern: $GLOBAL["GLOBAL_AGENT"] = ... - - pattern: delete $GLOBAL.GLOBAL_AGENT - - pattern: delete $GLOBAL["GLOBAL_AGENT"] - - pattern-not-inside: | - function restoreNodeHttpStack(...) { - ... - } - - id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-global-agent-alias-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate GLOBAL_AGENT aliases. 
- metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - CWE-441 - category: security - confidence: HIGH - detector-bucket: precise - source-rule-id: managed-proxy-global-agent-alias-mutation - source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml - paths: - include: - - src/**/*.ts - - src/**/*.mts - - src/**/*.js - - src/**/*.mjs - - extensions/**/*.ts - - extensions/**/*.mts - - extensions/**/*.js - - extensions/**/*.mjs - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - patterns: - - pattern-inside: | - const $AGENT = global.GLOBAL_AGENT; - ... - - pattern-either: - - pattern: $AGENT.$KEY = ... - - pattern: $AGENT[$KEY] = ... - - pattern: delete $AGENT.$KEY - - pattern: delete $AGENT[$KEY] - - pattern: Object.defineProperty($AGENT, $KEY, ...) - - pattern: | - Object.assign($AGENT, { $KEY: ... }) - - patterns: - - pattern-inside: | - const $AGENT = global["GLOBAL_AGENT"]; - ... - - pattern-either: - - pattern: $AGENT.$KEY = ... - - pattern: $AGENT[$KEY] = ... - - pattern: delete $AGENT.$KEY - - pattern: delete $AGENT[$KEY] - - pattern: Object.defineProperty($AGENT, $KEY, ...) - - pattern: | - Object.assign($AGENT, { $KEY: ... }) - - patterns: - - pattern-inside: | - const $AGENT = (global as $TYPE)["GLOBAL_AGENT"] as $AGENT_TYPE; - ... - - pattern-either: - - pattern: $AGENT.$KEY = ... - - pattern: $AGENT[$KEY] = ... - - pattern: delete $AGENT.$KEY - - pattern: delete $AGENT[$KEY] - - pattern: Object.defineProperty($AGENT, $KEY, ...) - - pattern: | - Object.assign($AGENT, { $KEY: ... }) - - patterns: - - pattern-inside: | - const $GLOBAL = global; - ... - - pattern-either: - - pattern: $GLOBAL.GLOBAL_AGENT = ... - - pattern: $GLOBAL["GLOBAL_AGENT"] = ... - - pattern: $GLOBAL.GLOBAL_AGENT.$KEY = ... - - pattern: $GLOBAL.GLOBAL_AGENT[$KEY] = ... 
- - pattern: $GLOBAL["GLOBAL_AGENT"][$KEY] = ... - - pattern: delete $GLOBAL.GLOBAL_AGENT - - pattern: delete $GLOBAL["GLOBAL_AGENT"] - - pattern: delete $GLOBAL.GLOBAL_AGENT.$KEY - - pattern: delete $GLOBAL.GLOBAL_AGENT[$KEY] - - pattern: delete $GLOBAL["GLOBAL_AGENT"][$KEY] - - patterns: - - pattern-inside: | - const $GLOBAL = global as $TYPE; - ... - - pattern-either: - - pattern: $GLOBAL.GLOBAL_AGENT = ... - - pattern: $GLOBAL["GLOBAL_AGENT"] = ... - - pattern: $GLOBAL.GLOBAL_AGENT.$KEY = ... - - pattern: $GLOBAL.GLOBAL_AGENT[$KEY] = ... - - pattern: $GLOBAL["GLOBAL_AGENT"][$KEY] = ... - - pattern: delete $GLOBAL.GLOBAL_AGENT - - pattern: delete $GLOBAL["GLOBAL_AGENT"] - - pattern: delete $GLOBAL.GLOBAL_AGENT.$KEY - - pattern: delete $GLOBAL.GLOBAL_AGENT[$KEY] - - pattern: delete $GLOBAL["GLOBAL_AGENT"][$KEY] - - metavariable-regex: - metavariable: $KEY - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|NO_PROXY)["']?$ - - pattern-not-inside: | - function restoreGlobalAgentRuntime(...) { - ... - } - - pattern-not-inside: | - function restoreNodeHttpStack(...) { - ... - } - - pattern-not-inside: | - function bootstrapNodeHttpStack(...) { - ... - } - - pattern-not-inside: | - function writeGlobalAgentNoProxy(...) { - ... - } - - pattern-not-inside: | - function disableGlobalAgentProxyForIpv6GatewayLoopback(...) { - ... - } diff --git a/security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml b/security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml deleted file mode 100644 index 6ad563a1eb5..00000000000 --- a/security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml +++ /dev/null 
@@ -1,498 +0,0 @@ -rules: - - id: managed-proxy-process-env-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate proxy-related process.env runtime state. - metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - "CWE-441" - category: security - confidence: HIGH - paths: - include: - - "src/**/*.ts" - - "src/**/*.mts" - - "src/**/*.js" - - "src/**/*.mjs" - - "extensions/**/*.ts" - - "extensions/**/*.mts" - - "extensions/**/*.js" - - "extensions/**/*.mjs" - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - pattern: process.env.$KEY = ... - - pattern: process.env[$KEY] = ... - - pattern: delete process.env.$KEY - - pattern: delete process.env[$KEY] - - pattern: Object.defineProperty(process.env, $KEY, ...) - - pattern: | - Object.assign(process.env, { $KEY: ... }) - - metavariable-regex: - metavariable: $KEY - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$ - - pattern-not-inside: | - function applyProxyEnv(...) { - ... - } - - pattern-not-inside: | - function restoreProxyEnv(...) { - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - acquire(...) { - ... - } - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - release(...) { - ... - } - ... - } - - - id: managed-proxy-process-env-alias-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate proxy-related process.env aliases. 
- metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - "CWE-441" - category: security - confidence: HIGH - paths: - include: - - "src/**/*.ts" - - "src/**/*.mts" - - "src/**/*.js" - - "src/**/*.mjs" - - "extensions/**/*.ts" - - "extensions/**/*.mts" - - "extensions/**/*.js" - - "extensions/**/*.mjs" - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - patterns: - - pattern-inside: | - const $ENV = process.env; - ... - - pattern-either: - - pattern: $ENV.$KEY = ... - - pattern: $ENV[$KEY] = ... - - pattern: delete $ENV.$KEY - - pattern: delete $ENV[$KEY] - - pattern: Object.defineProperty($ENV, $KEY, ...) - - pattern: | - Object.assign($ENV, { $KEY: ... }) - - patterns: - - pattern-inside: | - const { env } = process; - ... - - pattern-either: - - pattern: env.$KEY = ... - - pattern: env[$KEY] = ... - - pattern: delete env.$KEY - - pattern: delete env[$KEY] - - pattern: Object.defineProperty(env, $KEY, ...) - - pattern: | - Object.assign(env, { $KEY: ... }) - - metavariable-regex: - metavariable: $KEY - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$ - - pattern-not-inside: | - function applyProxyEnv(...) { - ... - } - - pattern-not-inside: | - function restoreProxyEnv(...) { - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - acquire(...) { - ... - } - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - release(...) { - ... - } - ... - } - - - id: managed-proxy-process-env-dynamic-key-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate process.env through proxy-related dynamic keys. 
- metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - "CWE-441" - category: security - confidence: HIGH - paths: - include: - - "src/**/*.ts" - - "src/**/*.mts" - - "src/**/*.js" - - "src/**/*.mjs" - - "extensions/**/*.ts" - - "extensions/**/*.mts" - - "extensions/**/*.js" - - "extensions/**/*.mjs" - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - patterns: - - pattern-inside: | - const $KEYS = [..., $FORBIDDEN, ...]; - ... - for (const $KEY of $KEYS) { - ... - } - - pattern-either: - - pattern: process.env[$KEY] = ... - - pattern: delete process.env[$KEY] - - patterns: - - pattern-inside: | - const $SOURCE_KEYS = [..., $FORBIDDEN, ...]; - ... - const $KEYS = [..., ...$SOURCE_KEYS, ...]; - ... - for (const $KEY of $KEYS) { - ... - } - - pattern-either: - - pattern: process.env[$KEY] = ... - - pattern: delete process.env[$KEY] - - patterns: - - pattern-inside: | - const $ENV = process.env; - ... - const $KEYS = [..., $FORBIDDEN, ...]; - ... - for (const $KEY of $KEYS) { - ... - } - - pattern-either: - - pattern: $ENV[$KEY] = ... - - pattern: delete $ENV[$KEY] - - metavariable-regex: - metavariable: $FORBIDDEN - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$ - - pattern-not-inside: | - function applyProxyEnv(...) { - ... - } - - pattern-not-inside: | - function restoreProxyEnv(...) { - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - acquire(...) { - ... - } - ... - } - - pattern-not-inside: | - class NoProxyLeaseManager { - ... - release(...) { - ... - } - ... 
- } - - - id: managed-proxy-global-agent-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate GLOBAL_AGENT proxy runtime state. - metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - "CWE-441" - category: security - confidence: HIGH - paths: - include: - - "src/**/*.ts" - - "src/**/*.mts" - - "src/**/*.js" - - "src/**/*.mjs" - - "extensions/**/*.ts" - - "extensions/**/*.mts" - - "extensions/**/*.js" - - "extensions/**/*.mjs" - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - pattern: global.GLOBAL_AGENT = ... - - pattern: globalThis.GLOBAL_AGENT = ... - - pattern: global["GLOBAL_AGENT"] = ... - - pattern: globalThis["GLOBAL_AGENT"] = ... - - pattern: global.GLOBAL_AGENT.$KEY = ... - - pattern: global.GLOBAL_AGENT[$KEY] = ... - - pattern: globalThis.GLOBAL_AGENT.$KEY = ... - - pattern: globalThis.GLOBAL_AGENT[$KEY] = ... - - pattern: global["GLOBAL_AGENT"][$KEY] = ... - - pattern: globalThis["GLOBAL_AGENT"][$KEY] = ... - - pattern: delete global.GLOBAL_AGENT - - pattern: delete globalThis.GLOBAL_AGENT - - pattern: delete global["GLOBAL_AGENT"] - - pattern: delete globalThis["GLOBAL_AGENT"] - - pattern: delete global.GLOBAL_AGENT.$KEY - - pattern: delete global.GLOBAL_AGENT[$KEY] - - pattern: delete globalThis.GLOBAL_AGENT.$KEY - - pattern: delete globalThis.GLOBAL_AGENT[$KEY] - - pattern: Object.defineProperty(global.GLOBAL_AGENT, $KEY, ...) - - pattern: Object.defineProperty(globalThis.GLOBAL_AGENT, $KEY, ...) - - pattern: | - Object.assign(global.GLOBAL_AGENT, { $KEY: ... }) - - pattern: | - Object.assign(globalThis.GLOBAL_AGENT, { $KEY: ... }) - - metavariable-regex: - metavariable: $KEY - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|NO_PROXY)["']?$ - - pattern-not-inside: | - function restoreGlobalAgentRuntime(...) { - ... 
- } - - pattern-not-inside: | - function restoreNodeHttpStack(...) { - ... - } - - pattern-not-inside: | - function bootstrapNodeHttpStack(...) { - ... - } - - pattern-not-inside: | - function writeGlobalAgentNoProxy(...) { - ... - } - - pattern-not-inside: | - function disableGlobalAgentProxyForIpv6GatewayLoopback(...) { - ... - } - - - id: managed-proxy-global-agent-object-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may replace or delete GLOBAL_AGENT runtime state. - metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - "CWE-441" - category: security - confidence: HIGH - paths: - include: - - "src/**/*.ts" - - "src/**/*.mts" - - "src/**/*.js" - - "src/**/*.mjs" - - "extensions/**/*.ts" - - "extensions/**/*.mts" - - "extensions/**/*.js" - - "extensions/**/*.mjs" - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - pattern: global.GLOBAL_AGENT = ... - - pattern: globalThis.GLOBAL_AGENT = ... - - pattern: global["GLOBAL_AGENT"] = ... - - pattern: globalThis["GLOBAL_AGENT"] = ... - - pattern: delete global.GLOBAL_AGENT - - pattern: delete globalThis.GLOBAL_AGENT - - pattern: delete global["GLOBAL_AGENT"] - - pattern: delete globalThis["GLOBAL_AGENT"] - - patterns: - - pattern-inside: | - const $GLOBAL = global; - ... - - pattern-either: - - pattern: $GLOBAL.GLOBAL_AGENT = ... - - pattern: $GLOBAL["GLOBAL_AGENT"] = ... - - pattern: delete $GLOBAL.GLOBAL_AGENT - - pattern: delete $GLOBAL["GLOBAL_AGENT"] - - patterns: - - pattern-inside: | - const $GLOBAL = global as $TYPE; - ... - - pattern-either: - - pattern: $GLOBAL.GLOBAL_AGENT = ... - - pattern: $GLOBAL["GLOBAL_AGENT"] = ... - - pattern: delete $GLOBAL.GLOBAL_AGENT - - pattern: delete $GLOBAL["GLOBAL_AGENT"] - - pattern-not-inside: | - function restoreNodeHttpStack(...) { - ... 
- } - - - id: managed-proxy-global-agent-alias-mutation - languages: - - typescript - - javascript - severity: ERROR - message: Only managed proxy owner scopes may mutate GLOBAL_AGENT aliases. - metadata: - advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION - advisory-url: https://github.com/openclaw/openclaw/pull/77126 - cwe: - - "CWE-441" - category: security - confidence: HIGH - paths: - include: - - "src/**/*.ts" - - "src/**/*.mts" - - "src/**/*.js" - - "src/**/*.mjs" - - "extensions/**/*.ts" - - "extensions/**/*.mts" - - "extensions/**/*.js" - - "extensions/**/*.mjs" - exclude: - - "**/*.test.*" - - "**/*.spec.*" - - "**/*.min.js" - - "**/vendor/**" - patterns: - - pattern-either: - - patterns: - - pattern-inside: | - const $AGENT = global.GLOBAL_AGENT; - ... - - pattern-either: - - pattern: $AGENT.$KEY = ... - - pattern: $AGENT[$KEY] = ... - - pattern: delete $AGENT.$KEY - - pattern: delete $AGENT[$KEY] - - pattern: Object.defineProperty($AGENT, $KEY, ...) - - pattern: | - Object.assign($AGENT, { $KEY: ... }) - - patterns: - - pattern-inside: | - const $AGENT = global["GLOBAL_AGENT"]; - ... - - pattern-either: - - pattern: $AGENT.$KEY = ... - - pattern: $AGENT[$KEY] = ... - - pattern: delete $AGENT.$KEY - - pattern: delete $AGENT[$KEY] - - pattern: Object.defineProperty($AGENT, $KEY, ...) - - pattern: | - Object.assign($AGENT, { $KEY: ... }) - - patterns: - - pattern-inside: | - const $AGENT = (global as $TYPE)["GLOBAL_AGENT"] as $AGENT_TYPE; - ... - - pattern-either: - - pattern: $AGENT.$KEY = ... - - pattern: $AGENT[$KEY] = ... - - pattern: delete $AGENT.$KEY - - pattern: delete $AGENT[$KEY] - - pattern: Object.defineProperty($AGENT, $KEY, ...) - - pattern: | - Object.assign($AGENT, { $KEY: ... }) - - patterns: - - pattern-inside: | - const $GLOBAL = global; - ... - - pattern-either: - - pattern: $GLOBAL.GLOBAL_AGENT = ... - - pattern: $GLOBAL["GLOBAL_AGENT"] = ... - - pattern: $GLOBAL.GLOBAL_AGENT.$KEY = ... 
- - pattern: $GLOBAL.GLOBAL_AGENT[$KEY] = ... - - pattern: $GLOBAL["GLOBAL_AGENT"][$KEY] = ... - - pattern: delete $GLOBAL.GLOBAL_AGENT - - pattern: delete $GLOBAL["GLOBAL_AGENT"] - - pattern: delete $GLOBAL.GLOBAL_AGENT.$KEY - - pattern: delete $GLOBAL.GLOBAL_AGENT[$KEY] - - pattern: delete $GLOBAL["GLOBAL_AGENT"][$KEY] - - patterns: - - pattern-inside: | - const $GLOBAL = global as $TYPE; - ... - - pattern-either: - - pattern: $GLOBAL.GLOBAL_AGENT = ... - - pattern: $GLOBAL["GLOBAL_AGENT"] = ... - - pattern: $GLOBAL.GLOBAL_AGENT.$KEY = ... - - pattern: $GLOBAL.GLOBAL_AGENT[$KEY] = ... - - pattern: $GLOBAL["GLOBAL_AGENT"][$KEY] = ... - - pattern: delete $GLOBAL.GLOBAL_AGENT - - pattern: delete $GLOBAL["GLOBAL_AGENT"] - - pattern: delete $GLOBAL.GLOBAL_AGENT.$KEY - - pattern: delete $GLOBAL.GLOBAL_AGENT[$KEY] - - pattern: delete $GLOBAL["GLOBAL_AGENT"][$KEY] - - metavariable-regex: - metavariable: $KEY - regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|NO_PROXY)["']?$ - - pattern-not-inside: | - function restoreGlobalAgentRuntime(...) { - ... - } - - pattern-not-inside: | - function restoreNodeHttpStack(...) { - ... - } - - pattern-not-inside: | - function bootstrapNodeHttpStack(...) { - ... - } - - pattern-not-inside: | - function writeGlobalAgentNoProxy(...) { - ... - } - - pattern-not-inside: | - function disableGlobalAgentProxyForIpv6GatewayLoopback(...) { - ... - }