Commit Graph

202 Commits

Author SHA1 Message Date
Mason Huang
7eecfa411d fix(browser): unblock loopback CDP readiness under strict SSRF defaults (#66354)
Merged via squash.

Prepared head SHA: d9030ff2f0
Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com>
Reviewed-by: @hxy91819
2026-04-14 16:30:43 +08:00
Ayaan Zaidi
213c36cf51 fix(browser): preserve legacy strict SSRF alias 2026-04-14 12:50:02 +05:30
Ayaan Zaidi
1dabfef28d fix(browser): preserve explicit strict SSRF config 2026-04-14 12:42:59 +05:30
Ayaan Zaidi
1b76966f05 fix(browser): use loopback policy for json-new fallback 2026-04-14 12:42:59 +05:30
Ayaan Zaidi
bf1d49093a fix(browser): relax default hostname SSRF guard 2026-04-14 12:42:59 +05:30
Peter Steinberger
df84225504 test: align post-rebase full-suite drift 2026-04-13 20:49:39 -07:00
Pavan Kumar Gondhi
b75ad800a5 fix(browser): enforce SSRF policy on snapshot, screenshot, and tab routes [AI] (#66040)
* fix: address issue

* fix: address review feedback

* fix: finalize issue changes

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* docs: add changelog entry for PR merge
2026-04-13 23:56:39 +05:30
Mariano
2c59ba24af fix(browser): detect local attachOnly loopback CDP sessions (#66080)
Merged via squash.

Prepared head SHA: 90c1c10cc9
Reviewed-by: @mbelinky
2026-04-13 19:46:56 +02:00
Mariano
8cfdc8dea1 fix(browser): unblock managed loopback CDP startup and control (#66043)
Merged via squash.

Prepared head SHA: c3d0a99ffa
Reviewed-by: @mbelinky
2026-04-13 18:48:48 +02:00
Peter Steinberger
1a47660518 feat(browser): add qa web runtime support 2026-04-12 19:41:06 -07:00
Peter Steinberger
a8e140e395 chore: bump version to 2026.4.12 2026-04-12 10:37:18 -07:00
Peter Steinberger
23e50859eb test(e2e): align release harness coverage 2026-04-12 16:08:12 +01:00
Vincent Koc
24051ddf38 test(browser): share existing-session route harness 2026-04-12 09:07:06 +01:00
Vincent Koc
add2900520 test(browser): share control auth persistence checks 2026-04-12 05:33:09 +01:00
Peter Steinberger
bf82a7c46e fix: keep browser cdp range wide for high ports 2026-04-11 13:55:08 +01:00
Peter Steinberger
5915d7cb6b perf: optimize messaging plugin tests 2026-04-11 13:55:07 +01:00
Vincent Koc
81535d394d fix(cycles): repair broken type surfaces 2026-04-11 13:42:17 +01:00
Vincent Koc
74e7b8d47b fix(cycles): bulk extract leaf type surfaces 2026-04-11 13:26:50 +01:00
Peter Steinberger
1ab6e5dbf0 chore(release): bump version to 2026.4.11 2026-04-11 04:51:17 +01:00
Peter Steinberger
3e80bd33e4 refactor: simplify extension conversions 2026-04-11 01:37:23 +01:00
Peter Steinberger
11b0016e9e refactor: simplify provider channel conversions 2026-04-11 01:08:23 +01:00
Peter Steinberger
a18c717add test: isolate browser network guards 2026-04-11 00:07:41 +01:00
Peter Steinberger
4ff237d776 refactor: simplify browser snapshot strings 2026-04-11 00:07:03 +01:00
Peter Steinberger
f01469358f test: simplify browser download path checks 2026-04-10 23:48:27 +01:00
Peter Steinberger
405a920862 refactor: remove redundant browser helper conversions 2026-04-10 21:48:38 +01:00
Peter Steinberger
20849e7196 refactor: remove redundant browser session conversions 2026-04-10 21:46:52 +01:00
Peter Steinberger
3475404c7e refactor: remove redundant browser state conversions 2026-04-10 21:46:00 +01:00
Peter Steinberger
b76f218c53 refactor: remove redundant browser screenshot conversions 2026-04-10 21:44:53 +01:00
Peter Steinberger
1560da7be2 refactor: remove redundant browser cdp conversions 2026-04-10 21:43:34 +01:00
Peter Steinberger
d236cb4680 chore: enable redundant type constituent checks 2026-04-10 21:23:40 +01:00
Peter Steinberger
d3cabde7b8 fix(browser): keep legacy ssrf alias raw-config only 2026-04-10 21:22:16 +01:00
Peter Steinberger
0ebeee8b0d chore: enable consistent-return 2026-04-10 20:56:43 +01:00
Peter Steinberger
d015986265 fix: preserve browser cdp ssrf policy 2026-04-10 20:45:45 +01:00
Peter Steinberger
8e9e584b1e fix: validate browser profile driver before cdp policy 2026-04-10 20:31:27 +01:00
Peter Steinberger
d2c0440fac ci: fix current main additional checks 2026-04-10 20:28:48 +01:00
Agustin Rivera
121c452d66 fix(browser): tighten strict browser hostname navigation (#64367)
* fix(browser): tighten strict browser hostname navigation

* fix(browser): address review follow-ups

* chore(changelog): add strict browser hostname navigation entry

* fix(browser): remove stale state prop from SelectionDeps call site

The PR's SelectionDeps uses getSsrFPolicy instead of the full state
object; the state property was leftover from an earlier iteration.

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-10 13:18:53 -06:00
Peter Steinberger
04c8026d03 chore: enable no-unnecessary-type-arguments 2026-04-10 20:14:49 +01:00
Peter Steinberger
01113566fd chore: enable await-thenable 2026-04-10 20:14:49 +01:00
Agustin Rivera
109267b82a Handle subframe document navigations in browser guards (#64371)
* fix(browser): guard subframe document navigations

Co-authored-by: zsx <git@zsxsoft.com>

* fix(browser): preserve quarantine on subframe blocks

* chore(changelog): add subframe SSRF guard entry

* fix(browser): fail closed when subframe frame resolution throws

isSubframeDocumentNavigationRequest now returns true (apply SSRF
check) instead of false (skip check) when request.frame() throws,
so transient renderer churn cannot bypass the subframe navigation
policy guard.

---------

Co-authored-by: zsx <git@zsxsoft.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-10 12:51:23 -06:00
Peter Steinberger
b2df0ed4b7 fix: align browser ssrf policy typing 2026-04-10 19:49:46 +01:00
Peter Steinberger
abc499ec49 fix: preserve cdp guarded fetch dispatchers 2026-04-10 19:49:09 +01:00
Peter Steinberger
81ead0bc5b fix(browser): keep legacy ssrf alias internal 2026-04-10 19:46:37 +01:00
Agustin Rivera
905f19230a Align external marker span mapping (#63885)
* fix(markers): align external marker spans

* fix(browser): ssrfPolicy defaults fail-closed for unconfigured installs (GHSA-53vx-pmqw-863c)

* fix(browser): enforce strict default SSRF policy

* chore(changelog): add browser SSRF default + marker alignment entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-10 12:35:20 -06:00
Agustin Rivera
daeb74920d fix(browser): guard existing-session navigation (#64370)
* fix(browser): guard existing-session navigation

Co-authored-by: zsx <git@zsxsoft.com>

* fix(browser): tighten interaction navigation guard

* fix(browser): tighten existing-session nav guard

* fix(browser): fail closed on unstable existing-session probes

* fix(browser): add follow-up probe for late URL transitions in existing-session nav guard

* fix(browser): keep probing through full navigation window

* fix(browser): reset stability flag on probe error in existing-session nav guard

* chore(changelog): add Chrome MCP interaction SSRF guard entry

---------

Co-authored-by: zsx <git@zsxsoft.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-10 12:31:41 -06:00
Peter Steinberger
59925c1a74 chore: update dependencies and oxc tooling 2026-04-10 19:28:42 +01:00
Peter Steinberger
925a499d84 ci: fix additional guard failures 2026-04-10 19:23:10 +01:00
Peter Steinberger
f6ed276f51 style: apply updated formatter output 2026-04-10 19:17:39 +01:00
Michael Appel
e0b8ddc1a5 fix(browser): apply three-phase interaction navigation guard to pressKey and type(submit) [AI-assisted] (#63889)
* fix: address issue

* chore(changelog): add pressKey/type SSRF guard entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-10 11:27:53 -06:00
Agustin Rivera
8dfbf3268b fix(browser): gate sandbox noVNC helper auth
Require bridge auth before /sandbox/novnc token redemption and keep the noVNC observer URL out of model-visible prompt context.

Local verification:
- pnpm test extensions/browser/src/browser/bridge-server.auth.test.ts src/agents/sanitize-for-prompt.test.ts src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts

Note: pnpm check currently fails on latest main in unrelated files (src/agents/tools/message-tool.ts and src/gateway/mcp-http.test.ts), outside this PR diff.

Thanks @eleqtrizit.

Co-authored-by: eleqtrizit <31522568+eleqtrizit@users.noreply.github.com>
2026-04-10 18:01:26 +01:00
Peter Steinberger
81ae34c434 test: keep browser selection cdp guard profile-aware 2026-04-10 17:35:54 +01:00