mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-09 22:30:43 +00:00
326 lines
9.4 KiB
Plaintext
326 lines
9.4 KiB
Plaintext
/**
|
|
* @name Managed proxy runtime mutation
|
|
* @description Proxy-related process.env and GLOBAL_AGENT runtime mutations must stay in managed proxy owner scopes.
|
|
* @kind problem
|
|
* @problem.severity error
|
|
* @precision high
|
|
* @id js/openclaw/managed-proxy-runtime-mutation
|
|
* @tags maintainability
|
|
* security
|
|
* external/cwe/cwe-441
|
|
*/
|
|
|
|
import javascript
|
|
|
|
predicate forbiddenEnvKey(string key) {
|
|
key =
|
|
[
|
|
"HTTP_PROXY",
|
|
"HTTPS_PROXY",
|
|
"http_proxy",
|
|
"https_proxy",
|
|
"NO_PROXY",
|
|
"no_proxy",
|
|
"GLOBAL_AGENT_HTTP_PROXY",
|
|
"GLOBAL_AGENT_HTTPS_PROXY",
|
|
"GLOBAL_AGENT_NO_PROXY",
|
|
"GLOBAL_AGENT_FORCE_GLOBAL_AGENT",
|
|
"OPENCLAW_PROXY_ACTIVE",
|
|
"OPENCLAW_PROXY_LOOPBACK_MODE"
|
|
]
|
|
}
|
|
|
|
predicate forbiddenGlobalAgentKey(string key) { key = ["HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY"] }
|
|
|
|
predicate relevantSourceFile(File file) {
|
|
exists(string path |
|
|
path = file.getRelativePath() and
|
|
path.regexpMatch("^(src|extensions)/.*\\.(ts|mts|js|mjs)$") and
|
|
not path.regexpMatch(".*\\.(test|spec)\\.(ts|mts|js|mjs)$") and
|
|
not path.regexpMatch(".*\\.(test-utils|test-harness|e2e-harness)\\.ts$") and
|
|
not path.regexpMatch(".*/test-support/.*") and
|
|
not path.regexpMatch(".*/vendor/.*") and
|
|
not path.regexpMatch(".*\\.min\\.js$") and
|
|
not path.regexpMatch("^extensions/diffs/assets/.*")
|
|
)
|
|
}
|
|
|
|
predicate namedExpr(Expr expr, string name) {
|
|
expr.getUnderlyingValue().(Identifier).getName() = name
|
|
}
|
|
|
|
predicate directProcessEnvExpr(Expr expr) {
|
|
exists(PropAccess access |
|
|
expr.getUnderlyingValue() = access and
|
|
access.getPropertyName() = "env" and
|
|
namedExpr(access.getBase(), "process")
|
|
)
|
|
}
|
|
|
|
predicate envAlias(Variable variable) {
|
|
exists(VariableDeclarator decl |
|
|
decl.getBindingPattern().getAVariable() = variable and
|
|
directProcessEnvExpr(decl.getInit())
|
|
)
|
|
or
|
|
exists(VariableDeclarator decl, ObjectPattern pattern, PropertyPattern property |
|
|
decl.getBindingPattern() = pattern and
|
|
namedExpr(decl.getInit(), "process") and
|
|
property = pattern.getAPropertyPattern() and
|
|
property.getName() = "env" and
|
|
property.getValuePattern().(BindingPattern).getAVariable() = variable
|
|
)
|
|
}
|
|
|
|
predicate processEnvExpr(Expr expr) {
|
|
directProcessEnvExpr(expr)
|
|
or
|
|
exists(VarAccess access |
|
|
expr.getUnderlyingValue() = access and
|
|
envAlias(access.getVariable())
|
|
)
|
|
}
|
|
|
|
predicate stringConst(Variable variable, string value) {
|
|
exists(VariableDeclarator decl |
|
|
decl.getBindingPattern().getAVariable() = variable and
|
|
value = decl.getInit().getStringValue()
|
|
)
|
|
}
|
|
|
|
predicate stringArrayContains(Variable variable, string value) {
|
|
exists(VariableDeclarator decl, ArrayExpr array, Expr element |
|
|
decl.getBindingPattern().getAVariable() = variable and
|
|
decl.getInit().getUnderlyingValue() = array and
|
|
element = array.getAnElement().getUnderlyingValue() and
|
|
value = element.getStringValue()
|
|
)
|
|
or
|
|
exists(VariableDeclarator decl, ArrayExpr array, SpreadElement spread, VarAccess access |
|
|
decl.getBindingPattern().getAVariable() = variable and
|
|
decl.getInit().getUnderlyingValue() = array and
|
|
spread = array.getAnElement().getUnderlyingValue() and
|
|
spread.getOperand().getUnderlyingValue() = access and
|
|
stringArrayContains(access.getVariable(), value)
|
|
)
|
|
}
|
|
|
|
predicate forbiddenEnvLoopVariable(Variable variable) {
|
|
exists(ForOfStmt loop, VarAccess domain, string key |
|
|
variable = loop.getAnIterationVariable() and
|
|
loop.getIterationDomain().getUnderlyingValue() = domain and
|
|
stringArrayContains(domain.getVariable(), key) and
|
|
forbiddenEnvKey(key)
|
|
)
|
|
}
|
|
|
|
predicate envKeyExprForbidden(Expr keyExpr) {
|
|
forbiddenEnvKey(keyExpr.getStringValue())
|
|
or
|
|
exists(VarAccess access, string key |
|
|
keyExpr.getUnderlyingValue() = access and
|
|
stringConst(access.getVariable(), key) and
|
|
forbiddenEnvKey(key)
|
|
)
|
|
or
|
|
exists(VarAccess access |
|
|
keyExpr.getUnderlyingValue() = access and
|
|
forbiddenEnvLoopVariable(access.getVariable())
|
|
)
|
|
}
|
|
|
|
predicate globalAgentKeyExprForbidden(Expr keyExpr) {
|
|
forbiddenGlobalAgentKey(keyExpr.getStringValue())
|
|
or
|
|
exists(VarAccess access, string key |
|
|
keyExpr.getUnderlyingValue() = access and
|
|
stringConst(access.getVariable(), key) and
|
|
forbiddenGlobalAgentKey(key)
|
|
)
|
|
}
|
|
|
|
predicate directGlobalExpr(Expr expr) {
|
|
namedExpr(expr, "global")
|
|
or
|
|
namedExpr(expr, "globalThis")
|
|
}
|
|
|
|
predicate globalAlias(Variable variable) {
|
|
exists(VariableDeclarator decl |
|
|
decl.getBindingPattern().getAVariable() = variable and
|
|
directGlobalExpr(decl.getInit())
|
|
)
|
|
}
|
|
|
|
predicate globalExpr(Expr expr) {
|
|
directGlobalExpr(expr)
|
|
or
|
|
exists(VarAccess access |
|
|
expr.getUnderlyingValue() = access and
|
|
globalAlias(access.getVariable())
|
|
)
|
|
}
|
|
|
|
predicate directGlobalAgentExpr(Expr expr) {
|
|
exists(PropAccess access |
|
|
expr.getUnderlyingValue() = access and
|
|
access.getPropertyName() = "GLOBAL_AGENT" and
|
|
globalExpr(access.getBase())
|
|
)
|
|
}
|
|
|
|
predicate globalAgentAlias(Variable variable) {
|
|
exists(VariableDeclarator decl |
|
|
decl.getBindingPattern().getAVariable() = variable and
|
|
directGlobalAgentExpr(decl.getInit())
|
|
)
|
|
}
|
|
|
|
predicate globalAgentExpr(Expr expr) {
|
|
directGlobalAgentExpr(expr)
|
|
or
|
|
exists(VarAccess access |
|
|
expr.getUnderlyingValue() = access and
|
|
globalAgentAlias(access.getVariable())
|
|
)
|
|
}
|
|
|
|
predicate envMutationTarget(Expr target) {
|
|
exists(PropAccess access |
|
|
target.getUnderlyingReference() = access and
|
|
processEnvExpr(access.getBase()) and
|
|
(
|
|
forbiddenEnvKey(access.getPropertyName())
|
|
or
|
|
envKeyExprForbidden(access.getPropertyNameExpr())
|
|
)
|
|
)
|
|
}
|
|
|
|
predicate globalAgentMutationTarget(Expr target) {
|
|
globalAgentExpr(target)
|
|
or
|
|
exists(PropAccess access |
|
|
target.getUnderlyingReference() = access and
|
|
globalAgentExpr(access.getBase()) and
|
|
(
|
|
forbiddenGlobalAgentKey(access.getPropertyName())
|
|
or
|
|
globalAgentKeyExprForbidden(access.getPropertyNameExpr())
|
|
)
|
|
)
|
|
}
|
|
|
|
predicate objectPropertyWithKey(Expr expr, string key) {
|
|
exists(ObjectExpr object, Property property |
|
|
expr.getUnderlyingValue() = object and
|
|
property = object.getAProperty() and
|
|
property.getName() = key
|
|
)
|
|
}
|
|
|
|
Expr managedProxyRuntimeMutation() {
|
|
exists(Assignment assignment |
|
|
result = assignment and
|
|
(
|
|
envMutationTarget(assignment.getTarget())
|
|
or
|
|
globalAgentMutationTarget(assignment.getTarget())
|
|
)
|
|
)
|
|
or
|
|
exists(DeleteExpr delete |
|
|
result = delete and
|
|
(
|
|
envMutationTarget(delete.getOperand())
|
|
or
|
|
globalAgentMutationTarget(delete.getOperand())
|
|
)
|
|
)
|
|
or
|
|
exists(MethodCallExpr call |
|
|
result = call and
|
|
namedExpr(call.getReceiver(), "Object") and
|
|
call.getMethodName() = "assign" and
|
|
(
|
|
processEnvExpr(call.getArgument(0)) and
|
|
exists(string key |
|
|
forbiddenEnvKey(key) and
|
|
objectPropertyWithKey(call.getArgument(1), key)
|
|
)
|
|
or
|
|
globalAgentExpr(call.getArgument(0)) and
|
|
exists(string key |
|
|
forbiddenGlobalAgentKey(key) and
|
|
objectPropertyWithKey(call.getArgument(1), key)
|
|
)
|
|
)
|
|
)
|
|
or
|
|
exists(MethodCallExpr call |
|
|
result = call and
|
|
namedExpr(call.getReceiver(), "Object") and
|
|
call.getMethodName() = "defineProperty" and
|
|
(
|
|
processEnvExpr(call.getArgument(0)) and
|
|
envKeyExprForbidden(call.getArgument(1))
|
|
or
|
|
globalAgentExpr(call.getArgument(0)) and
|
|
globalAgentKeyExprForbidden(call.getArgument(1))
|
|
)
|
|
)
|
|
}
|
|
|
|
predicate allowedFunctionOwnerScope(Expr mutation, string path, string functionName) {
|
|
exists(Function owner |
|
|
mutation.getFile().getRelativePath() = path and
|
|
owner.getFile() = mutation.getFile() and
|
|
owner.getName() = functionName and
|
|
mutation.getParent*() = owner.getBody()
|
|
)
|
|
}
|
|
|
|
predicate allowedMethodOwnerScope(Expr mutation, string path, string methodName) {
|
|
exists(MethodDeclaration method |
|
|
mutation.getFile().getRelativePath() = path and
|
|
method.getFile() = mutation.getFile() and
|
|
method.getDeclaringType().getName() + "." + method.getName() = methodName and
|
|
mutation.getParent*() = method.getBody().getBody()
|
|
)
|
|
}
|
|
|
|
predicate allowedManagedProxyRuntimeMutation(Expr mutation) {
|
|
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", "applyProxyEnv")
|
|
or
|
|
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", "restoreProxyEnv")
|
|
or
|
|
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
|
|
"restoreGlobalAgentRuntime")
|
|
or
|
|
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
|
|
"restoreNodeHttpStack")
|
|
or
|
|
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
|
|
"bootstrapNodeHttpStack")
|
|
or
|
|
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
|
|
"writeGlobalAgentNoProxy")
|
|
or
|
|
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
|
|
"disableGlobalAgentProxyForIpv6GatewayLoopback")
|
|
or
|
|
allowedMethodOwnerScope(mutation, "extensions/browser/src/browser/cdp-proxy-bypass.ts",
|
|
"NoProxyLeaseManager.acquire")
|
|
or
|
|
allowedMethodOwnerScope(mutation, "extensions/browser/src/browser/cdp-proxy-bypass.ts",
|
|
"NoProxyLeaseManager.release")
|
|
}
|
|
|
|
from Expr mutation
|
|
where
|
|
managedProxyRuntimeMutation() = mutation and
|
|
relevantSourceFile(mutation.getFile()) and
|
|
not allowedManagedProxyRuntimeMutation(mutation)
|
|
select mutation,
|
|
"Only managed proxy owner scopes may mutate proxy-related process.env or GLOBAL_AGENT runtime state."
|