fix(exec): align node shell allowlist wrappers (#62401)

* fix(exec): align node shell allowlist wrappers

* fix: align node shell allowlist wrappers (#62401) (thanks @ngutman)
This commit is contained in:
Nimrod Gutman
2026-04-07 13:05:57 +03:00
committed by GitHub
parent b6a806d67b
commit d008e2d015
5 changed files with 110 additions and 17 deletions


@@ -61,9 +61,16 @@ export function evaluateSystemRunPolicy(params: {
cmdInvocation: boolean;
shellWrapperInvocation: boolean;
}): SystemRunPolicyDecision {
const shellWrapperBlocked = params.security === "allowlist" && params.shellWrapperInvocation;
// POSIX node execution intentionally uses `/bin/sh -lc` as a transport wrapper.
// Keep allowlist decisions based on the analyzed inner shell payload there.
// Windows `cmd.exe /c` wrappers still require explicit approval because they
// change execution semantics for builtins and quoting/parsing behavior.
const windowsShellWrapperBlocked =
shellWrapperBlocked && params.isWindows && params.cmdInvocation;
params.security === "allowlist" &&
params.shellWrapperInvocation &&
params.isWindows &&
params.cmdInvocation;
const shellWrapperBlocked = windowsShellWrapperBlocked;
const analysisOk = shellWrapperBlocked ? false : params.analysisOk;
const allowlistSatisfied = shellWrapperBlocked ? false : params.allowlistSatisfied;
const approvedByAsk = params.approvalDecision !== null || params.approved === true;
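Review bot: With `windowsShellWrapperBlocked` now the only blocking condition, allowlist mode passes every non-cmd shell wrapper through to `params.analysisOk` / `params.allowlistSatisfied`, so the decision is only as safe as the caller having analyzed the inner `sh -lc` payload rather than the outer wrapper command line — a contract this hunk records in an inline comment but that the function cannot check from its params. It belongs on the function's doc comment, e.g. `/** When shellWrapperInvocation is true and the wrapper is not blocked, analysisOk and allowlistSatisfied must describe the inner shell payload, not the wrapper itself. */`, so callers see it without reading the body. The comment explains the POSIX and `cmd.exe /c` cases, but a Windows invocation with `shellWrapperInvocation` true and `cmdInvocation` false now takes the unblocked path too; presumably intended, but one sentence saying so would remove the doubt. `const shellWrapperBlocked = windowsShellWrapperBlocked;` is a pure alias left over from the old structure and could be dropped in favor of a single name. evaluateSystemRunPolicy begins before the hunk and continues after it.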