vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-19 22:10:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
10,062 Commits 799 Branches 80 Tags
68b00a5388860b279281a262d5b85af64dcc5176
Commit Graph

182 Commits

Author SHA1 Message Date
Peter Steinberger
09e2160080 test(browser): add file-chooser traversal regression 2026-02-14 18:20:20 +01:00
Peter Steinberger
dee3abfcd5 refactor(test): share browser control server harness 2026-02-14 17:13:24 +00:00
Peter Steinberger
b769b65b48 refactor(browser): share proxy file helpers 2026-02-14 15:39:45 +00:00
Peter Steinberger
a6fbd0393d fix(browser): annotate csrf middleware type 2026-02-14 15:54:29 +01:00
Peter Steinberger
b566b09f81 fix(security): block cross-origin mutations on loopback browser routes 2026-02-14 15:51:09 +01:00
Peter Steinberger
493f6f458b perf(test): speed up browser test suites 2026-02-14 14:25:54 +00:00
Peter Steinberger
1a7e180e68 refactor(media): normalize inbound MediaType/MediaTypes defaults (#16233) 
* refactor(media): normalize inbound media type defaults

* test(browser): fix Windows path expectation in file chooser hook
 2026-02-14 15:18:19 +01:00
Peter Steinberger
3aa94afcfd fix(security): harden archive extraction (#16203) 
* fix(browser): confine upload paths for file chooser

* fix(browser): sanitize suggested download filenames

* chore(lint): avoid control regex in download sanitizer

* test(browser): cover absolute escape paths

* docs(browser): update upload example path

* refactor(browser): centralize upload path confinement

* fix(infra): harden tmp dir selection

* fix(security): harden archive extraction

* fix(infra): harden tar extraction filter
 2026-02-14 14:42:08 +01:00
Peter Steinberger
ec399aaddf perf(test): parallelize unit-isolated 2026-02-14 13:01:02 +00:00
Peter Steinberger
af50b914a4 refactor(browser): centralize http auth 2026-02-14 13:30:11 +01:00
Peter Steinberger
cd84885a4a test(browser): cover bridge auth registry fallback 2026-02-14 13:23:24 +01:00
Peter Steinberger
6dd6bce997 fix(security): enforce sandbox bridge auth 2026-02-14 13:17:41 +01:00
Peter Steinberger
4711a943e3 fix(browser): authenticate sandbox browser bridge server 2026-02-14 12:54:16 +01:00
Nick Taylor
1fb52b4d7b feat(gateway): add trusted-proxy auth mode (#15940) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 279d4b304f
Co-authored-by: nickytonline <833231+nickytonline@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
 2026-02-14 12:32:17 +01:00
Peter Steinberger
7f227fc8cc perf(test): avoid heavy browser barrels in pw-ai tests 2026-02-14 03:13:32 +00:00
Peter Steinberger
dd08ca97bb perf(test): reduce import and fixture overhead in hot tests 2026-02-14 02:49:19 +00:00
Peter Steinberger
63711330e4 perf(test): dedupe browser/telegram coverage and trim batch retry cost 2026-02-14 02:37:09 +00:00
Peter Steinberger
0b8227fa92 perf(test): trim redundant suites and tighten wait loops 2026-02-14 02:02:03 +00:00
Peter Steinberger
8d52ed318d perf(test): narrow browser maxchars smoke to core contract 2026-02-14 01:52:10 +00:00
Peter Steinberger
c4f550ef2a perf(test): trim browser smoke and speed canvas test reload 2026-02-14 01:47:47 +00:00
Peter Steinberger
db8cabedde perf(test): reduce lock wait and fixture setup overhead 2026-02-14 01:42:47 +00:00
Peter Steinberger
0c00dd92a4 perf(test): parallelize browser control validation requests 2026-02-14 01:42:47 +00:00
Peter Steinberger
8796bfaaac perf(test): consolidate browser and canvas hotspot suites 2026-02-14 01:07:23 +00:00
Peter Steinberger
2e84ae7019 perf(test): consolidate browser profile CRUD checks 2026-02-14 01:02:14 +00:00
Peter Steinberger
e7c3c27fd0 perf(test): trim browser and models suite overhead 2026-02-14 00:38:55 +00:00
Peter Steinberger
212da860a9 perf(test): speed up screenshot normalization e2e fixture 2026-02-14 00:17:49 +00:00
Peter Steinberger
fecb3f326e perf(test): trim models/browser suite overhead 2026-02-14 00:08:02 +00:00
Jessy LANGE
3bda3df729 fix(browser): hot-reload profiles added after gateway start (#4841) (#8816) 
* fix(browser): hot-reload profiles added after gateway start (#4841)

* style: format files with oxfmt

* Fix hot-reload stale config fields bug in forProfile

* Fix test order-dependency in hot-reload profiles test

* Fix mock reset order to prevent stale cfgProfiles

* Fix config cache blocking hot-reload by clearing cache before loadConfig

* test: improve hot-reload test to properly exercise config cache

- Add simulated cache behavior in mock
- Prime cache before mutating config
- Verify stale value without clearConfigCache
- Verify fresh value after hot-reload

Addresses review comment about test not exercising cache

* test: add hot-reload tests for browser profiles in server context.

* fix(browser): optimize profile hot-reload to avoid global cache clear

* fix(browser): remove unused loadConfig import

* fix(test): execute resetModules before test setup

* feat: implement browser server context with profile hot-reloading and tab management.

* fix(browser): harden profile hot-reload and shutdown cleanup

* test(browser): use toSorted in known-profile names test

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-02-14 00:44:04 +01:00
Peter Steinberger
dac8f5ba3f perf(test): trim fixture and import overhead in hot suites 2026-02-13 23:16:41 +00:00
Peter Steinberger
caebe70e9a perf(test): cut setup/import overhead in hot suites 2026-02-13 21:23:50 +00:00
Peter Steinberger
2086cdfb9b perf(test): reduce hot-suite import and setup overhead 2026-02-13 20:26:39 +00:00
Mariano
7f0489e473 Security/Browser: constrain trace and download output paths to OpenClaw temp roots (#15652) 
* Browser/Security: constrain trace and download output paths to temp roots

* Changelog: remove advisory ID from pre-public security note

* Browser/Security: constrain trace and download output paths to temp roots

* Changelog: remove advisory ID from pre-public security note

* test(bluebubbles): align timeout status expectation to 408

* test(discord): remove unused race-condition counter in threading test

* test(bluebubbles): align timeout status expectation to 408
 2026-02-13 19:24:33 +00:00
Marcus Castro
d9c582627c perf: use .abort.bind() instead of arrow closures to prevent memory leaks (#7174) 2026-02-13 18:13:18 +01:00
Peter Steinberger
b272158fe4 perf(test): eliminate resetModules via injectable seams 2026-02-13 16:20:37 +00:00
Peter Steinberger
41f2f359a5 perf(test): reduce module reload overhead in key suites 2026-02-13 15:45:19 +00:00
Peter Steinberger
5d8eef8b35 perf(test): remove module reloads in browser and embedding suites 2026-02-13 15:31:17 +00:00
Peter Steinberger
9131b22a28 test: migrate suites to e2e coverage layout 2026-02-13 14:28:22 +00:00
Peter Steinberger
f5160ca6be test: add browser evaluate gate trust-boundary regression 2026-02-13 15:19:05 +01:00
Milofax
89503e1451 fix(browser): hide navigator.webdriver from reCAPTCHA v3 detection (openclaw#10735) thanks @Milofax 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test

Co-authored-by: Milofax <2537423+Milofax@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-12 20:16:28 -06:00
Peter Steinberger
9230a2ae14 fix(browser): require auth on control HTTP and auto-bootstrap token 2026-02-13 02:02:28 +01:00
Gustavo Madeira Santana
a158c46828 Tests: make download temp-path assertion cross-platform 2026-02-12 16:58:59 -05:00
Gustavo Madeira Santana
b02c88d3e7 Browser/Logging: share default openclaw tmp dir resolver 2026-02-12 16:44:04 -05:00
Gustavo Madeira Santana
afbce73570 fix: use os.tmpdir fallback paths for temp files (#14985) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 347c689407
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-12 16:08:41 -05:00
Onur
424d2dddf5 fix: prevent act:evaluate hangs from getting browser tool stuck/killed (#13498) 
* fix(browser): prevent permanent timeout after stuck evaluate

Thread AbortSignal from client-fetch through dispatcher to Playwright
operations. When a timeout fires, force-disconnect the Playwright CDP
connection to unblock the serialized command queue, allowing the next
call to reconnect transparently.

Key changes:
- client-fetch.ts: proper AbortController with signal propagation
- pw-session.ts: new forceDisconnectPlaywrightForTarget()
- pw-tools-core.interactions.ts: accept signal, align inner timeout
  to outer-500ms, inject in-browser Promise.race for async evaluates
- routes/dispatcher.ts + types.ts: propagate signal through dispatch
- server.ts + bridge-server.ts: Express middleware creates AbortSignal
  from request lifecycle
- client-actions-core.ts: add timeoutMs to evaluate type

Fixes #10994

* fix(browser): v2 - force-disconnect via Connection.close() instead of browser.close()

When page.evaluate() is stuck on a hung CDP transport, browser.close() also
hangs because it tries to send a close command through the same stuck pipe.

v2 fix: forceDisconnectPlaywrightForTarget now directly calls Playwright's
internal Connection.close() which locally rejects all pending callbacks and
emits 'disconnected' without touching the network. This instantly unblocks
all stuck Playwright operations.

closePlaywrightBrowserConnection (clean shutdown) now also has a 3s timeout
fallback that drops to forceDropConnection if browser.close() hangs.

Fixes permanent browser timeout after stuck evaluate.

* fix(browser): v3 - fire-and-forget browser.close() instead of Connection.close()

v2's forceDropConnection called browser._connection.close() which corrupts
the entire Playwright instance because Connection is shared across all
objects (BrowserType, Browser, Page, etc.). This prevented reconnection
with cascading 'connectOverCDP: Force-disconnected' errors.

v3 fix: forceDisconnectPlaywrightForTarget now:
1. Nulls cached connection immediately
2. Fire-and-forgets browser.close() (doesn't await — it may hang)
3. Next connectBrowser() creates a fresh connectOverCDP WebSocket

Each connectOverCDP creates an independent WebSocket to the CDP endpoint,
so the new connection is unaffected by the old one's pending close.
The old browser.close() eventually resolves when the in-browser evaluate
timeout fires, or the old connection gets GC'd.

* fix(browser): v4 - clear connecting state and remove stale disconnect listeners

The reconnect was failing because:
1. forceDisconnectPlaywrightForTarget nulled cached but not connecting,
   so subsequent calls could await a stale promise
2. The old browser's 'disconnected' event handler raced with new
   connections, nulling the fresh cached reference

Fix: null both cached and connecting, and removeAllListeners on the
old browser before fire-and-forget close.

* fix(browser): v5 - use raw CDP Runtime.terminateExecution to kill stuck evaluate

When forceDisconnectPlaywrightForTarget fires, open a raw WebSocket
to the stuck page's CDP endpoint and send Runtime.terminateExecution.
This kills running JS without navigating away or crashing the page.
Also clear connecting state and remove stale disconnect listeners.

* fix(browser): abort cancels stuck evaluate

* Browser: always cleanup evaluate abort listener

* Chore: remove Playwright debug scripts

* Docs: add CDP evaluate refactor plan

* Browser: refactor Playwright force-disconnect

* Browser: abort stops evaluate promptly

* Node host: extract withTimeout helper

* Browser: remove disconnected listener safely

* Changelog: note act:evaluate hang fix

---------

Co-authored-by: Bob <bob@dutifulbob.com>
 2026-02-11 07:54:48 +08:00
quotentiroler
53910f3643 Deduplicate more 2026-02-09 18:56:58 -08:00
max
8d75a496bf refactor: centralize isPlainObject, isRecord, isErrno, isLoopbackHost utilities (#12926) 2026-02-09 17:02:55 -08:00
max
ec910a235e refactor: consolidate duplicate utility functions (#12439) 
* refactor: consolidate duplicate utility functions

- Add escapeRegExp to src/utils.ts and remove 10 local duplicates
- Rename bash-tools clampNumber to clampWithDefault (different signature)
- Centralize formatError calls to use formatErrorMessage from infra/errors.ts
- Re-export formatErrorMessage from cli/cli-utils.ts to preserve API

* refactor: consolidate remaining escapeRegExp duplicates

* refactor: consolidate sleep, stripAnsi, and clamp duplicates
 2026-02-08 23:59:43 -08:00
Stephen Chen
d2ff28dda7 Make openclaw consistent in this file (#8533) 
Co-authored-by: stephenchen2025 <schenjobs@gmail.com>
 2026-02-04 00:02:25 -05:00
cpojer
935a0e5708 chore: Enable typescript/no-explicit-any rule. 2026-02-02 16:18:09 +09:00
Peter Steinberger
a1e89afcc1 fix: secure chrome extension relay cdp 2026-02-01 02:25:14 -08:00