Harden macOS shell wrapper allowlist parsing [AI] (#78518)

* fix: harden shell wrapper allowlist parsing * fix: harden shell wrapper approval binding * docs: add changelog entry for PR merge --------- Co-authored-by: Ishaan <ishaan@Ishaans-Mac-mini.local>
2026-05-09 16:50:43 +00:00 · 2026-05-08 10:18:41 +05:30
parent eabae023eb
commit fc065b2693
23 changed files with 1200 additions and 204 deletions
--- a/src/node-host/invoke-system-run-plan.ts
+++ b/src/node-host/invoke-system-run-plan.ts
@@ -8,6 +8,7 @@ import type {
 import { resolveCommandResolutionFromArgv } from "../infra/exec-command-resolution.js";
 import { isInterpreterLikeSafeBin } from "../infra/exec-safe-bin-runtime-policy.js";
 import {
+  isBlockedShellWrapperCommand,
  POSIX_SHELL_WRAPPERS,
  normalizeExecutableToken,
  unwrapKnownDispatchWrapperInvocation,
@@ -1303,6 +1304,12 @@ export function buildSystemRunApprovalPlan(params: {
  if (command.argv.length === 0) {
    return { ok: false, message: "command required" };
  }
+  if (command.shellPayload === null && isBlockedShellWrapperCommand(command.argv)) {
+    return {
+      ok: false,
+      message: "SYSTEM_RUN_DENIED: approval cannot safely bind this interpreter/runtime command",
+    };
+  }
  const hardening = hardenApprovedExecutionPaths({
    approvedByAsk: true,
    argv: command.argv,
--- a/src/node-host/invoke-system-run.test.ts
+++ b/src/node-host/invoke-system-run.test.ts
@@ -1528,7 +1528,7 @@ describe("handleSystemRunInvoke mac app exec host routing", () => {

    const tempDir = createFixtureDir("openclaw-shell-wrapper-allow-");
    const prepared = buildSystemRunApprovalPlan({
-      command: ["/bin/sh", "-lc", "cd ."],
+      command: ["/bin/sh", "-c", "cd ."],
      cwd: tempDir,
    });
    expect(prepared.ok).toBe(true);