* fix(sandbox): enforce CDP source-range restriction by default
Auto-derive CDP_SOURCE_RANGE from Docker network gateway IP when not
explicitly configured. The entrypoint script refuses to start the socat
CDP relay without a source range (fail-closed).
- readDockerNetworkGateway: use Go template println, filter <no value>
sentinel, prefer IPv4 gateway on dual-stack networks
- Reject IPv6-only gateways for auto-derivation (relay binds IPv4)
- Remove stale browser_cdp_bridge_unrestricted audit check (runtime
auto-derives range for all bridge-like networks)
- Bump SANDBOX_BROWSER_SECURITY_HASH_EPOCH to force container recreation
* chore(changelog): add sandbox CDP source-range entry
* fix(sandbox): gate CDP source-range derivation to bridge-style networks
Only auto-derive OPENCLAW_BROWSER_CDP_SOURCE_RANGE from the Docker
gateway IP for bridge networks (or when driver is unknown). Non-bridge
drivers (macvlan, ipvlan, overlay) may route traffic from different
source IPs, so they require explicit cdpSourceRange config.
Adds readDockerNetworkDriver helper and a regression test for macvlan.
---------
Co-authored-by: Devin Robison <drobison@nvidia.com>
SKILL.md files were created as symlinks pointing to dist/, causing
realpathSync() in resolveContainedSkillPath to resolve outside the
dist-runtime/ directory. The security check then rejected the path,
resulting in all 23 plugin skills being skipped at load time.
Add SKILL.md to the shouldCopyRuntimeFile whitelist so it gets a hard
copy instead of a symlink, matching the existing behavior for
package.json and plugin.json files.
Fixes#64138
* refactor(sandbox): remove socat proxy and fix chromium keyring deadlock
* fix(sandbox): address review feedback by reinstating cdp isolation and stability flags
* fix(sandbox): increase entrypoint cdp timeout to 20s to honor autoStartTimeoutMs
* fix(sandbox): align implementation with PR description (keyring bypass, fail-fast, watchdog)
* fix
* fix(sandbox): remove bash CDP watchdog to eliminate dual-timeout race
* fix(sandbox): apply final fail-fast and lifecycle bindings
* fix(sandbox): restore noVNC and CDP port offset
* fix(sandbox): add max-time to curl to prevent HTTP hang
* fix(sandbox): align timeout with host and restore env flags
* fix(sandbox): pass auto-start timeout to container and restore wait -n
* fix(sandbox): update hash input type to include autoStartTimeoutMs
* fix(sandbox): implement production-grade lifecycle and timeout management
- Add strict integer validation for port and timeout environment variables
- Implement robust two-stage trap cleanup (SIGTERM with SIGKILL fallback) to prevent zombie processes
- Refactor CDP readiness probe to use absolute millisecond-precision deadlines
- Add early fail-fast detection if Chromium crashes during the startup phase
- Track all daemon PIDs explicitly for reliable teardown via wait -n
* fix(sandbox): allow renderer process limit to be 0 for chromium default
* fix(sandbox): add autoStartTimeoutMs to SandboxBrowserHashInput type
* test(sandbox): cover browser timeout cleanup
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
* fix(qqbot): replace raw fetch in image-size probe with SSRF-guarded fetchRemoteMedia
Replace the bare fetch() in getImageSizeFromUrl() with fetchRemoteMedia()
from the plugin SDK, closing the blind SSRF via markdown image dimension
probing (GHSA-2767-2q9v-9326).
fetchRemoteMedia options: maxBytes 65536, maxRedirects 0, generic
public-network-only SSRF policy (no hostname allowlist, blocks
private/reserved/loopback/link-local/metadata IPs after DNS resolution).
Also fixes the repo-root resolution in scripts/lib/ts-guard-utils.mjs
which caused lint:tmp:no-raw-channel-fetch to miss extension files
entirely. The guard now walks up to .git instead of hardcoding two parent
traversals, and the allowlist is refreshed with all pre-existing raw
fetch callsites that became visible.
* fix(qqbot): guard image-size probe against SSRF (#63495) (thanks @dims)
---------
Co-authored-by: sliverp <870080352@qq.com>
