vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-23 23:22:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(sandbox): enforce CDP source-range restriction by default (#61404)

Browse Source 
* fix(sandbox): enforce CDP source-range restriction by default

Auto-derive CDP_SOURCE_RANGE from Docker network gateway IP when not
explicitly configured. The entrypoint script refuses to start the socat
CDP relay without a source range (fail-closed).

- readDockerNetworkGateway: use Go template println, filter <no value>
  sentinel, prefer IPv4 gateway on dual-stack networks
- Reject IPv6-only gateways for auto-derivation (relay binds IPv4)
- Remove stale browser_cdp_bridge_unrestricted audit check (runtime
  auto-derives range for all bridge-like networks)
- Bump SANDBOX_BROWSER_SECURITY_HASH_EPOCH to force container recreation

* chore(changelog): add sandbox CDP source-range entry

* fix(sandbox): gate CDP source-range derivation to bridge-style networks

Only auto-derive OPENCLAW_BROWSER_CDP_SOURCE_RANGE from the Docker
gateway IP for bridge networks (or when driver is unknown). Non-bridge
drivers (macvlan, ipvlan, overlay) may route traffic from different
source IPs, so they require explicit cdpSourceRange config.

Adds readDockerNetworkDriver helper and a regression test for macvlan.

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
This commit is contained in:
Davanum Srinivas
2026-04-10 22:59:25 +02:00
committed by GitHub
parent 67ae576b9e
commit fbf11ebdb7
8 changed files with 183 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
scripts/sandbox-browser-entrypoint.sh
View File

@@ -174,15 +174,17 @@ fi
echo "[sandbox] CDP ready. Starting socat..."
SOCAT_LISTEN_ADDR="TCP-LISTEN:${CDP_PORT},fork,reuseaddr,bind=0.0.0.0"
if [[ -n "${CDP_SOURCE_RANGE}" ]]; then
if [[ -z "${CDP_SOURCE_RANGE}" ]]; then
echo "[sandbox-browser] WARNING: CDP_SOURCE_RANGE unset; socat CDP relay will not start." >&2
echo "[sandbox-browser] Set OPENCLAW_BROWSER_CDP_SOURCE_RANGE to an explicit CIDR to enable CDP access." >&2
else
SOCAT_LISTEN_ADDR="TCP-LISTEN:${CDP_PORT},fork,reuseaddr,bind=0.0.0.0"
SOCAT_LISTEN_ADDR="${SOCAT_LISTEN_ADDR},range=${CDP_SOURCE_RANGE}"
socat "${SOCAT_LISTEN_ADDR}" "TCP:127.0.0.1:${CHROME_CDP_PORT}" &
SOCAT_PID=$!
echo "[sandbox] socat started (PID: ${SOCAT_PID})"
fi
socat "${SOCAT_LISTEN_ADDR}" "TCP:127.0.0.1:${CHROME_CDP_PORT}" &
SOCAT_PID=$!
echo "[sandbox] socat started (PID: ${SOCAT_PID})"
if [[ "${ENABLE_NOVNC}" == "1" && "${HEADLESS}" != "1" ]]; then
if [[ -z "${NOVNC_PASSWORD}" ]]; then
NOVNC_PASSWORD="$(< /proc/sys/kernel/random/uuid)"