mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-06 05:30:42 +00:00
d5b0083300
Summary: - This PR routes direct APNs HTTP/2 sends through an APNs allowlisted managed-proxy CONNECT wrapper, adds APNs proxy validation/docs/guardrails, and expands regression and live-test coverage. - Reproducibility: yes. source-reproducible: current main `sendApnsRequest()` still uses raw `http2.connect(au ... nly covers HTTP/global-agent/Undici hooks. I did not run a live APNs reproduction in this read-only review. Automerge notes: - PR branch already contained follow-up commit before automerge: test: guard raw HTTP2 APNs connections - PR branch already contained follow-up commit before automerge: test: guard raw HTTP2 with OpenGrep - PR branch already contained follow-up commit before automerge: lint: ban raw HTTP2 imports - PR branch already contained follow-up commit before automerge: fix: use managed proxy state for APNs - PR branch already contained follow-up commit before automerge: test: exercise APNs active proxy state - PR branch already contained follow-up commit before automerge: fix: reject conflicting managed proxy activation Validation: - ClawSweeper review passed for headdab7c86a75. - Required merge gates passed before the squash merge. Prepared head SHA:dab7c86a75Review: https://github.com/openclaw/openclaw/pull/74905#issuecomment-4350181159 Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
121 lines
3.3 KiB
JavaScript
121 lines
3.3 KiB
JavaScript
import fs from "node:fs";
|
|
import path from "node:path";
|
|
const SOURCE_ROOTS = ["src", "extensions"];
|
|
const DEFAULT_SKIPPED_DIR_NAMES = new Set(["node_modules", "dist", "coverage", ".generated"]);
|
|
|
|
function isCodeFile(filePath) {
|
|
if (filePath.endsWith(".d.ts")) {
|
|
return false;
|
|
}
|
|
return /\.(?:[cm]?ts|[cm]?js|tsx|jsx)$/u.test(filePath);
|
|
}
|
|
|
|
function collectFilesSync(rootDir, options) {
|
|
const skipDirNames = options.skipDirNames ?? DEFAULT_SKIPPED_DIR_NAMES;
|
|
const files = [];
|
|
const stack = [rootDir];
|
|
|
|
while (stack.length > 0) {
|
|
const current = stack.pop();
|
|
if (!current) {
|
|
continue;
|
|
}
|
|
let entries = [];
|
|
try {
|
|
entries = fs.readdirSync(current, { withFileTypes: true });
|
|
} catch {
|
|
continue;
|
|
}
|
|
for (const entry of entries) {
|
|
const fullPath = path.join(current, entry.name);
|
|
if (entry.isDirectory()) {
|
|
if (!skipDirNames.has(entry.name)) {
|
|
stack.push(fullPath);
|
|
}
|
|
continue;
|
|
}
|
|
if (entry.isFile() && options.includeFile(fullPath)) {
|
|
files.push(fullPath);
|
|
}
|
|
}
|
|
}
|
|
|
|
return files;
|
|
}
|
|
|
|
function toPosixPath(filePath) {
|
|
return filePath.replaceAll("\\", "/");
|
|
}
|
|
|
|
const FORBIDDEN_HTTP2_MODULES = new Set(["node:http2", "http2"]);
|
|
const ALLOWED_PRODUCTION_FILES = new Set(["src/infra/push-apns-http2.ts"]);
|
|
|
|
function isTestFile(relativePath) {
|
|
return (
|
|
/(?:^|\/)(?:test|test-fixtures)\//u.test(relativePath) ||
|
|
/\.test\.[cm]?[jt]sx?$/u.test(relativePath)
|
|
);
|
|
}
|
|
|
|
function lineNumberForOffset(content, offset) {
|
|
return content.slice(0, offset).split(/\r?\n/u).length;
|
|
}
|
|
|
|
function collectHttp2ImportOffenders(filePath) {
|
|
const relativePath = toPosixPath(path.relative(process.cwd(), filePath));
|
|
if (ALLOWED_PRODUCTION_FILES.has(relativePath) || isTestFile(relativePath)) {
|
|
return [];
|
|
}
|
|
|
|
const content = fs.readFileSync(filePath, "utf8");
|
|
const offenders = [];
|
|
const patterns = [
|
|
/\bimport\s+(?:type\s+)?[\s\S]*?\bfrom\s*["']([^"']+)["']/gu,
|
|
/\bexport\s+(?:type\s+)?[\s\S]*?\bfrom\s*["']([^"']+)["']/gu,
|
|
/\bimport\s*\(\s*["']([^"']+)["']\s*\)/gu,
|
|
/\brequire\s*\(\s*["']([^"']+)["']\s*\)/gu,
|
|
];
|
|
|
|
for (const pattern of patterns) {
|
|
for (const match of content.matchAll(pattern)) {
|
|
const specifier = match[1];
|
|
if (specifier && FORBIDDEN_HTTP2_MODULES.has(specifier)) {
|
|
offenders.push({
|
|
file: relativePath,
|
|
line: lineNumberForOffset(content, match.index ?? 0),
|
|
specifier,
|
|
});
|
|
}
|
|
}
|
|
}
|
|
|
|
return offenders;
|
|
}
|
|
|
|
function collectSourceFiles() {
|
|
return SOURCE_ROOTS.flatMap((root) =>
|
|
collectFilesSync(path.join(process.cwd(), root), {
|
|
includeFile: isCodeFile,
|
|
}),
|
|
);
|
|
}
|
|
|
|
function main() {
|
|
const offenders = collectSourceFiles().flatMap(collectHttp2ImportOffenders);
|
|
if (offenders.length === 0) {
|
|
console.log("OK: raw node:http2 imports stay behind the APNs proxy wrapper.");
|
|
return;
|
|
}
|
|
|
|
console.error("Raw node:http2 imports are only allowed in src/infra/push-apns-http2.ts.");
|
|
for (const offender of offenders.toSorted(
|
|
(a, b) => a.file.localeCompare(b.file) || a.line - b.line,
|
|
)) {
|
|
console.error(`- ${offender.file}:${offender.line} imports ${offender.specifier}`);
|
|
}
|
|
console.error("Use connectApnsHttp2Session() so APNs HTTP/2 honors managed proxy policy.");
|
|
process.exit(1);
|
|
}
|
|
|
|
main();
|