vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-12 07:20:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
9,614 Commits 680 Branches 76 Tags
767fd9f222fda451a28deed3a6dbfd8a32df715e
Commit Graph

18 Commits

Author SHA1 Message Date
Peter Steinberger
767fd9f222 fix: classify /tools/invoke errors and sanitize 500s (#13185) (thanks @davidrudduck) 2026-02-13 16:58:30 +01:00
Peter Steinberger
ee31cd47b4 fix: close OC-02 gaps in ACP permission + gateway HTTP deny config (#15390) (thanks @aether-ai-agent) 2026-02-13 14:30:06 +01:00
aether-ai-agent
749e28dec7 fix(security): block dangerous tools from HTTP gateway and fix ACP auto-approval (OC-02) 
Two critical RCE vectors patched:

Vector 1 - Gateway HTTP /tools/invoke:
- Add DEFAULT_GATEWAY_HTTP_TOOL_DENY blocking sessions_spawn,
  sessions_send, gateway, whatsapp_login from HTTP invocation
- Apply deny filter after existing policy cascade, before tool lookup
- Add gateway.tools.{allow,deny} config override in GatewayConfig

Vector 2 - ACP client auto-approval:
- Replace blind allow_once selection with danger-aware permission handler
- Dangerous tools (exec, sessions_spawn, etc.) require interactive confirmation
- Safe tools retain auto-approve behavior (backward compatible)
- Empty options array now denied (was hardcoded "allow")
- 30s timeout auto-denies to prevent hung sessions

CWE-78 | CVSS:3.1 9.8 Critical
 2026-02-13 14:30:06 +01:00
Peter Steinberger
8899f9e94a perf(test): optimize heavy suites and stabilize lock timing 2026-02-13 13:29:07 +00:00
cpojer
935a0e5708 chore: Enable typescript/no-explicit-any rule. 2026-02-02 16:18:09 +09:00
Tyler Yust
476f367cf1 Gateway: avoid writing host config in tools invoke test 2026-02-01 17:19:23 -08:00
cpojer
f06dd8df06 chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts. 2026-02-01 10:03:47 +09:00
cpojer
5ceff756e1 chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
Josh Palmer
6522de6ce0 Tests: use agents_list in tools invoke gateway test 
What: swap sessions_list for agents_list in /tools/invoke tests
Why: avoid nested gateway calls that can hang under CI; still validates tool invocation + allowlist
Tests: not run (CI should cover)
 2026-01-30 18:17:12 +01:00
Peter Steinberger
9a7160786a refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
Peter Steinberger
6d16a658e5 refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
Peter Steinberger
fb14146033 fix: harden ssh target handling 2026-01-26 21:11:48 +00:00
Vignesh Natarajan
d62b7c0d1e fix: treat tools.alsoAllow as implicit allow-all when no allowlist 2026-01-26 10:05:31 -08:00
Vignesh Natarajan
2ad3508a33 feat(config): add tools.alsoAllow additive allowlist 2026-01-26 10:05:31 -08:00
Peter Steinberger
c4a80f4edb fix: require gateway auth by default 2026-01-26 12:56:33 +00:00
plum-dawg
c96ffa7186 feat: Add Line plugin (#1630) 
* feat: add LINE plugin (#1630) (thanks @plum-dawg)

* feat: complete LINE plugin (#1630) (thanks @plum-dawg)

* chore: drop line plugin node_modules (#1630) (thanks @plum-dawg)

* test: mock /context report in commands test (#1630) (thanks @plum-dawg)

* test: limit macOS CI workers to avoid OOM (#1630) (thanks @plum-dawg)

* test: reduce macOS CI vitest workers (#1630) (thanks @plum-dawg)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-01-25 12:22:36 +00:00
Peter Steinberger
d73e8ecca3 fix: document tools invoke + honor main session key (#1575) (thanks @vignesh07) 2026-01-24 09:29:32 +00:00
Vignesh Natarajan
f1083cd52c gateway: add /tools/invoke HTTP endpoint 2026-01-24 09:29:32 +00:00