mirror of
https://github.com/openclaw/openclaw.git
synced 2026-04-26 16:41:49 +00:00
2d126fc623
* fix: address issue * fix: address PR review feedback * fix: address PR review feedback * fix: address PR review feedback * fix: address PR review feedback * fix: address PR review feedback * fix: address PR review feedback * fix: address PR review feedback * fix: address PR review feedback * fix: close host env inherited sanitization gap * fix: enforce host env reported baseline coverage * fix: address PR review feedback * fix: address PR review feedback * fix: address PR review feedback * docs: add changelog entry for PR merge
55 lines
2.3 KiB
JavaScript
55 lines
2.3 KiB
JavaScript
import HOST_ENV_SECURITY_POLICY_JSON from "./host-env-security-policy.json" with { type: "json" };
|
|
|
|
function sortUniqueUppercase(values) {
|
|
return Object.freeze(
|
|
Array.from(new Set(values.map((value) => value.toUpperCase()))).toSorted((a, b) =>
|
|
a.localeCompare(b),
|
|
),
|
|
);
|
|
}
|
|
|
|
function derivePolicyArrays(policy) {
|
|
const blockedEverywhereKeys = policy.blockedEverywhereKeys ?? [];
|
|
const blockedOverrideOnlyKeys = policy.blockedOverrideOnlyKeys ?? [];
|
|
const allowedInheritedOverrideOnlyKeys = policy.allowedInheritedOverrideOnlyKeys ?? [];
|
|
const allowedInheritedOverrideOnlyUpper = new Set(
|
|
allowedInheritedOverrideOnlyKeys.map((value) => value.toUpperCase()),
|
|
);
|
|
const blockedPrefixes = policy.blockedPrefixes ?? [];
|
|
const blockedOverridePrefixes = policy.blockedOverridePrefixes ?? [];
|
|
const blockedInheritedPrefixes = policy.blockedInheritedPrefixes ?? blockedPrefixes;
|
|
|
|
return {
|
|
blockedInheritedKeys: sortUniqueUppercase([
|
|
...blockedEverywhereKeys,
|
|
...blockedOverrideOnlyKeys.filter(
|
|
(value) => !allowedInheritedOverrideOnlyUpper.has(value.toUpperCase()),
|
|
),
|
|
]),
|
|
blockedInheritedPrefixes: sortUniqueUppercase(blockedInheritedPrefixes),
|
|
blockedKeys: sortUniqueUppercase(blockedEverywhereKeys),
|
|
blockedOverrideKeys: sortUniqueUppercase(blockedOverrideOnlyKeys),
|
|
blockedPrefixes: sortUniqueUppercase(blockedPrefixes),
|
|
blockedOverridePrefixes: sortUniqueUppercase(blockedOverridePrefixes),
|
|
};
|
|
}
|
|
|
|
export function loadHostEnvSecurityPolicy(rawPolicy = HOST_ENV_SECURITY_POLICY_JSON) {
|
|
const derived = derivePolicyArrays(rawPolicy);
|
|
return Object.freeze({
|
|
blockedEverywhereKeys: Object.freeze(rawPolicy.blockedEverywhereKeys ?? []),
|
|
blockedOverrideOnlyKeys: Object.freeze(rawPolicy.blockedOverrideOnlyKeys ?? []),
|
|
allowedInheritedOverrideOnlyKeys: Object.freeze(
|
|
rawPolicy.allowedInheritedOverrideOnlyKeys ?? [],
|
|
),
|
|
blockedInheritedKeys: derived.blockedInheritedKeys,
|
|
blockedInheritedPrefixes: derived.blockedInheritedPrefixes,
|
|
blockedPrefixes: derived.blockedPrefixes,
|
|
blockedOverridePrefixes: derived.blockedOverridePrefixes,
|
|
blockedKeys: derived.blockedKeys,
|
|
blockedOverrideKeys: derived.blockedOverrideKeys,
|
|
});
|
|
}
|
|
|
|
export const HOST_ENV_SECURITY_POLICY = loadHostEnvSecurityPolicy();
|