Peter Steinberger
27e863ce40
chore: update dependencies
2026-03-14 02:09:53 +00:00
Peter Steinberger
8de2f7339c
test: fix current ci regressions
2026-03-14 01:29:04 +00:00
Peter Steinberger
89e52d6178
test: tighten hostname normalization coverage
2026-03-14 01:02:20 +00:00
Peter Steinberger
7621589ba2
test: tighten proxy fetch helper coverage
2026-03-14 00:38:43 +00:00
Peter Steinberger
2d0b9ee53c
test: extract fingerprint helper coverage
2026-03-14 00:01:33 +00:00
Peter Steinberger
0386dcb63f
test: add small infra helper coverage
2026-03-13 19:39:07 +00:00
Peter Steinberger
dfcbfcfcc9
test: tighten proxy env and conversation id coverage
2026-03-13 19:11:10 +00:00
Peter Steinberger
5aa79f1ba4
test: harden guarded fetch redirect coverage
2026-03-13 18:21:02 +00:00
Peter Steinberger
f3d4bb4103
test: simplify ssrf hostname coverage
2026-03-13 18:20:08 +00:00
Ayaan Zaidi
8023f4c701
fix(telegram): thread media transport policy into SSRF (#44639)
* fix(telegram): preserve media download transport policy
* refactor(telegram): thread media transport policy
* fix(telegram): sync fallback media policy
* fix: note telegram media transport fix (#44639)
2026-03-13 10:11:43 +05:30
Efe Büken
771066d122
fix(compaction): use full-session token count for post-compaction sanity check (#28347)
Merged via squash.
Prepared head SHA: cf4eab1c51
Co-authored-by: efe-arv <259833796+efe-arv@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
2026-03-12 21:26:30 -07:00
Peter Steinberger
fc2b796f02
test(proxy): make env proxy tests windows-safe
2026-03-13 04:17:10 +00:00
Cypherm
61d219cb39
feat: show status reaction during context compaction (#35474)
Merged via squash.
Prepared head SHA: 145a7b7c4e
Co-authored-by: Cypherm <28184436+Cypherm@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
2026-03-12 21:06:15 -07:00
Tak Hoffman
87876a3e36
Fix env proxy bootstrap for model traffic (#43248)
* Fix env proxy bootstrap for model traffic
* Address proxy dispatcher review followups
* Fix proxy env precedence for empty lowercase vars
2026-03-11 10:21:35 -05:00
Eugene
45b74fb56c
fix(telegram): move network fallback to resolver-scoped dispatchers (#40740)
Merged via squash.
Prepared head SHA: a4456d48b4
Co-authored-by: sircrumpet <4436535+sircrumpet@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
2026-03-10 11:28:51 +05:30
Peter Steinberger
a31d3cad96
refactor(fetch-guard): clarify cross-origin redirect header filtering
2026-03-07 17:58:05 +00:00
Peter Steinberger
46715371b0
fix(security): strip custom auth headers on cross-origin redirects
2026-03-07 17:34:42 +00:00
Vignesh Natarajan
05fb16d151
fix(agent): harden undici stream timeouts for long openai-completions runs
2026-03-05 19:44:11 -08:00
Peter Steinberger
a50dd0bb06
refactor(infra): dedupe ssrf fetch guard test fixtures
2026-03-03 02:53:13 +00:00
Marcus Castro
58cde87436
fix: warn when proxy env var is set but agent creation fails
2026-03-02 21:37:36 +00:00
Marcus Castro
ba3fa44c5b
refactor: extract shared proxy-fetch utility from Telegram module
Move makeProxyFetch to src/infra/net/proxy-fetch.ts and add
resolveProxyFetchFromEnv which reads standard proxy env vars
(HTTPS_PROXY, HTTP_PROXY, and lowercase variants) and returns a
proxy-aware fetch via undici's EnvHttpProxyAgent. Telegram re-exports
from the shared location to avoid duplication.
2026-03-02 21:37:36 +00:00
Peter Steinberger
c973b053a5
refactor(net): unify proxy env checks and guarded fetch modes
2026-03-02 16:24:26 +00:00
Peter Steinberger
345abf0b20
fix: preserve dns pinning for strict web SSRF fetches
2026-03-02 15:54:46 +00:00
Peter Steinberger
46003e85bf
fix: unify web tool proxy path (#27430) (thanks @kevinWangSheng)
2026-02-26 11:32:43 +00:00
Ayaan Zaidi
30fd2bbe19
fix(ssrf): honor global family policy for pinned dispatcher
2026-02-26 14:57:15 +05:30
Peter Steinberger
61b3246a7f
fix(ssrf): unify ipv6 special-use blocking
2026-02-26 03:43:42 +01:00
Peter Steinberger
baf656bc6f
fix: block IPv6 multicast SSRF bypass
2026-02-26 03:35:10 +01:00
Peter Steinberger
d18ae2256f
refactor: unify channel plugin resolution, family ordering, and changelog entry tooling
2026-02-24 15:15:22 +00:00
Glucksberg
dd9ba974d0
fix: sort IPv4 addresses before IPv6 in SSRF pinned DNS to fix Telegram media fetch on IPv6-broken hosts
On hosts where IPv6 is configured but not routed (common on cloud VMs),
Telegram media downloads fail because the pinned DNS lookup may return
IPv6 addresses first. Even though autoSelectFamily (Happy Eyeballs) is
enabled, the round-robin pinned lookup serves individual IPv6 addresses
that fail before IPv4 is attempted.
Sort resolved addresses so IPv4 comes first, ensuring both Happy Eyeballs
and single-address round-robin try the working address family first.
Fixes #23975
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 14:53:01 +00:00
Peter Steinberger
3af9d1f8e9
fix: scope Telegram RFC2544 SSRF exception to policy opt-in (#24982) (thanks @stakeswky)
2026-02-24 03:28:00 +00:00
User
9df80b73e2
fix: allow RFC2544 benchmark range (198.18.0.0/15) through SSRF filter
Telegram's API and file servers resolve to IPs in the 198.18.0.0/15
range (RFC 2544 benchmarking range). The SSRF filter was blocking these
addresses because ipaddr.js classifies them as 'reserved', and the
filter also had an explicit RFC2544_BENCHMARK_PREFIX check that blocked
them unconditionally.
Fix: exempt 198.18.0.0/15 from the 'reserved' range block in
isBlockedSpecialUseIpv4Address(). Other 'reserved' ranges (TEST-NET-2,
TEST-NET-3, documentation prefixes) remain blocked. The explicit
RFC2544_BENCHMARK_PREFIX check is repurposed as the exemption guard.
Closes #24973
2026-02-24 03:28:00 +00:00
Peter Steinberger
5eb72ab769
fix(security): harden browser SSRF defaults and migrate legacy key
2026-02-24 01:52:01 +00:00
Peter Steinberger
98427453ba
fix(network): normalize SSRF IP parsing and monitor typing
2026-02-22 18:55:34 +01:00
Peter Steinberger
e9ed688c2c
fix(net): enable family fallback for pinned SSRF dispatcher
2026-02-22 17:54:15 +01:00
Peter Steinberger
333fbb8634
refactor(net): consolidate IP checks with ipaddr.js
2026-02-22 17:02:44 +01:00
Peter Steinberger
44dfbd23df
fix(ssrf): centralize host/ip block checks
2026-02-22 15:41:41 +01:00
Peter Steinberger
ffd9b86ca4
test(ssrf): table-drive blocked hostname literal checks
2026-02-21 23:33:47 +00:00
Peter Steinberger
71bd15bb42
fix(ssrf): block special-use ipv4 ranges
2026-02-21 23:45:49 +01:00
Peter Steinberger
cc2ff68947
test: optimize gateway infra memory and security coverage
2026-02-21 21:44:50 +00:00
George Pickett
802f043e53
Net: expand cross-origin sensitive header regression test
2026-02-19 11:42:25 -08:00
Andrii Furmanets
c0cd5a7265
Net: strip sensitive headers on cross-origin redirects
2026-02-19 11:42:25 -08:00
Peter Steinberger
26c9b37f5b
fix(security): enforce strict IPv4 SSRF literal handling
2026-02-19 15:24:47 +01:00
Peter Steinberger
baa335f258
fix(security): harden SSRF IPv4 literal parsing
2026-02-19 15:14:46 +01:00
Peter Steinberger
d05c8eb912
refactor: unify SSRF hostname/ip precheck and add policy regression
2026-02-19 10:25:31 +01:00
Peter Steinberger
d51929ecb5
fix: block ISATAP SSRF bypass via shared host/ip guard
2026-02-19 09:59:47 +01:00
Peter Steinberger
e8154c12e6
refactor(net): table-drive embedded IPv6 decoding and SSRF tests
2026-02-18 04:57:08 +01:00
Peter Steinberger
442fdbf3d8
fix(security): block SSRF IPv6 transition bypasses
2026-02-18 04:53:09 +01:00
cpojer
49bd9f75f4
chore: Fix types in tests 33/N.
2026-02-17 15:50:07 +09:00
cpojer
6e5df1dc0f
chore: Fix types in tests 25/N.
2026-02-17 14:31:02 +09:00
Sebastian
f924ab40d8
revert(tools): undo accidental merge of PR #18584
2026-02-16 21:13:48 -05:00