lint: replace raw socket guard with codeql

2026-05-08 20:20:43 +00:00 · 2026-05-07 16:02:54 +10:00
parent 9cc5e49e65
commit dd0a9bf869
10 changed files with 224 additions and 572 deletions
--- a/.github/codeql/codeql-raw-socket-boundary-critical-quality.yml
+++ b/.github/codeql/codeql-raw-socket-boundary-critical-quality.yml
@@ -0,0 +1,27 @@
+name: openclaw-codeql-raw-socket-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: ./.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql
+
+paths:
+  - src
+  - extensions
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"
+  - "extensions/diffs/assets/**"
--- a/.github/codeql/openclaw-boundary/codeql-pack.lock.yml
+++ b/.github/codeql/openclaw-boundary/codeql-pack.lock.yml
@@ -0,0 +1,30 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/concepts:
+    version: 0.0.22
+  codeql/controlflow:
+    version: 2.0.32
+  codeql/dataflow:
+    version: 2.1.4
+  codeql/javascript-all:
+    version: 2.6.28
+  codeql/mad:
+    version: 1.0.48
+  codeql/regex:
+    version: 1.0.48
+  codeql/ssa:
+    version: 2.0.24
+  codeql/threat-models:
+    version: 1.0.48
+  codeql/tutorial:
+    version: 1.0.48
+  codeql/typetracking:
+    version: 2.0.32
+  codeql/util:
+    version: 2.0.35
+  codeql/xml:
+    version: 1.0.48
+  codeql/yaml:
+    version: 1.0.48
+compiled: false
--- a/.github/codeql/openclaw-boundary/qlpack.yml
+++ b/.github/codeql/openclaw-boundary/qlpack.yml
@@ -0,0 +1,6 @@
+name: openclaw/codeql-boundary-queries
+version: 0.0.0
+library: false
+dependencies:
+  codeql/javascript-all: 2.6.28
+extractor: javascript
--- a/.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql
+++ b/.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql
@@ -0,0 +1,92 @@
+/**
+ * @name Raw socket client callsite classification
+ * @description Raw net/tls/http2 client egress must be classified before landing.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id js/openclaw/raw-socket-callsite-classification
+ * @tags maintainability
+ *       security
+ *       external/cwe/cwe-441
+ */
+
+import javascript
+
+predicate rawModule(string moduleName) {
+  moduleName = ["net", "node:net", "tls", "node:tls", "http2", "node:http2"]
+}
+
+predicate netModule(string moduleName) { moduleName = ["net", "node:net"] }
+
+predicate rawConnectMember(string memberName) { memberName = ["connect", "createConnection"] }
+
+predicate relevantSourceFile(File file) {
+  exists(string path |
+    path = file.getRelativePath() and
+    path.regexpMatch("^(src|extensions)/.*\\.ts$") and
+    not path.regexpMatch(".*\\.(test|spec|test-utils|test-harness|e2e-harness)\\.ts$") and
+    not path.regexpMatch(".*/test-support/.*") and
+    not path.regexpMatch("^extensions/diffs/assets/.*")
+  )
+}
+
+Expr rawSocketClientCall() {
+  exists(API::CallNode call, string moduleName, string memberName |
+    rawModule(moduleName) and
+    rawConnectMember(memberName) and
+    call = API::moduleImport(moduleName).getMember(memberName).getACall() and
+    result = call.asExpr()
+  )
+  or
+  exists(string moduleName |
+    netModule(moduleName) and
+    result =
+      DataFlow::moduleMember(moduleName, "Socket")
+          .getAnInstantiation()
+          .getAMethodCall("connect")
+          .asExpr()
+  )
+}
+
+predicate allowedOwnerScope(Expr call, string path, string functionName) {
+  exists(Function owner |
+    call.getFile().getRelativePath() = path and
+    owner.getFile() = call.getFile() and
+    owner.getName() = functionName and
+    call.getParent*() = owner.getBody()
+  )
+}
+
+predicate allowedRawSocketClientCall(Expr call) {
+  allowedOwnerScope(call, "src/cli/gateway-cli/run-loop.ts", "waitForGatewayPortReady")
+  or
+  allowedOwnerScope(call, "src/infra/ssh-tunnel.ts", "canConnectLocal")
+  or
+  allowedOwnerScope(call, "src/infra/gateway-lock.ts", "checkPortFree")
+  or
+  allowedOwnerScope(call, "src/infra/jsonl-socket.ts", "requestJsonlSocket")
+  or
+  allowedOwnerScope(call, "src/infra/net/http-connect-tunnel.ts", "connectToProxy")
+  or
+  allowedOwnerScope(call, "src/infra/net/http-connect-tunnel.ts", "startTargetTls")
+  or
+  allowedOwnerScope(call, "src/infra/push-apns-http2.ts", "openProxiedApnsHttp2Session")
+  or
+  allowedOwnerScope(call, "src/infra/push-apns-http2.ts", "connectApnsHttp2Session")
+  or
+  allowedOwnerScope(call, "src/proxy-capture/proxy-server.ts", "startDebugProxyServer")
+  or
+  allowedOwnerScope(call, "extensions/irc/src/client.ts", "connectIrcClient")
+  or
+  allowedOwnerScope(call, "extensions/qa-lab/src/lab-server-capture.ts", "probeTcpReachability")
+  or
+  allowedOwnerScope(call, "extensions/qa-lab/src/lab-server-ui.ts", "proxyUpgradeRequest")
+}
+
+from Expr call
+where
+  rawSocketClientCall() = call and
+  relevantSourceFile(call.getFile()) and
+  not allowedRawSocketClientCall(call)
+select call,
+  "Classify raw net/tls/http2 client egress as managed/proxied, local-only, diagnostic guarded, or documented unsupported before adding this callsite."