mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-13 15:10:48 +00:00
0603c2327d
* feat(file-transfer): add bundled plugin for binary file ops on nodes
New extensions/file-transfer/ plugin exposing four agent tools
(file_fetch, dir_list, dir_fetch, file_write) and four matching
node-host commands (file.fetch, dir.list, dir.fetch, file.write).
Lets agents read and write files on paired nodes by absolute path,
bypassing the bash output cap (200KB) and the live tool-result
text cap that would otherwise truncate base64 payloads.
Public surface
--------------
- file_fetch({ node, path, maxBytes? })
Image MIMEs return image content blocks; small text (<=8 KB) inlines
as text content; everything else returns a saved-media-path text
block. sha256-verified end-to-end.
- dir_list({ node, path, pageToken?, maxEntries? })
Structured directory listing — name, path, size, mimeType, isDir,
mtime. Paginated. No content transfer.
- dir_fetch({ node, path, maxBytes?, includeDotfiles? })
Server-side tar -czf streamed back, unpacked into the gateway media
store, returns a manifest of saved paths. Single round-trip.
60s wall-clock timeouts on tar create/unpack. tar -xzf without -P
rejects absolute paths in archive entries.
- file_write({ node, path, contentBase64, mimeType?, overwrite?,
createParents? })
Atomic write (temp + rename). Refuses to overwrite by default.
Refuses to write through symlinks (lstat check). Buffer-side
sha256 (no read-back race). Pair with file_fetch to round-trip
files between nodes — DO NOT use exec/cp for file copies.
All four commands gated by:
- dangerous-by-default node command policy
(gateway.nodes.allowCommands opt-in)
- per-node path policy (gateway.nodes.fileTransfer)
- optional operator approval prompt (ask: off | on-miss | always)
16 MB raw byte ceiling per single-frame round-trip (25 MB WS frame
with ~33% base64 overhead and JSON envelope). 8 MB defaults.
Path policy and approvals
-------------------------
Default behavior is DENY. The operator must explicitly opt in:
{
"gateway": {
"nodes": {
"fileTransfer": {
"<nodeId-or-displayName>": {
"ask": "off" | "on-miss" | "always",
"allowReadPaths": ["~/Screenshots/**", "/tmp/**"],
"allowWritePaths": ["~/Downloads/**"],
"denyPaths": ["**/.ssh/**", "**/.aws/**"],
"maxBytes": 16777216
},
"*": { "ask": "on-miss" }
}
}
}
}
ask modes:
off — silent: allow if matched, deny if not (default)
on-miss — silent allow if matched; prompt on miss
always — prompt every call (denyPaths still hard-deny)
denyPaths always wins. allow-always from the prompt persists the
exact path back into allowReadPaths/allowWritePaths via
mutateConfigFile so subsequent matching calls go silent.
Reuses existing primitives — no new gateway methods:
plugin.approval.request / plugin.approval.waitDecision
decision: allow-once | allow-always | deny
Pre-flight against requested path AND post-flight against the
canonicalPath returned by the node — closes symlink-escape attacks
where the requested path matched policy but realpath resolves
somewhere else.
Audit log
---------
JSONL at ~/.openclaw/audit/file-transfer.jsonl. Records every
decision (allow/allowed-once/allowed-always/denied/error) with
timestamp, op, nodeId, displayName, requestedPath, canonicalPath,
decision, error code, sizeBytes, sha256, durationMs. Best-effort
writes; never propagates failure.
Plugin layout
-------------
extensions/file-transfer/
index.ts definePluginEntry, nodeHostCommands
openclaw.plugin.json contracts.tools registration
package.json
src/node-host/{file-fetch,dir-list,dir-fetch,file-write}.ts
src/tools/{file-fetch,dir-list,dir-fetch,file-write}-tool.ts
src/shared/
mime.ts single-source extension->MIME map + image/text sets
errors.ts shared error code enum and helpers
params.ts shared param-validation helpers + GatewayCallOptions
policy.ts evaluateFilePolicy, persistAllowAlways
approval.ts plugin.approval.request wrapper
gatekeep.ts one-stop policy + approval + audit orchestrator
audit.ts JSONL audit sink
Core touch points
-----------------
- src/infra/node-commands.ts: NODE_FILE_FETCH_COMMAND,
NODE_DIR_LIST_COMMAND, NODE_DIR_FETCH_COMMAND,
NODE_FILE_WRITE_COMMAND, NODE_FILE_COMMANDS array
- src/gateway/node-command-policy.ts: all four added to
DEFAULT_DANGEROUS_NODE_COMMANDS
- src/security/audit-extra.sync.ts: audit detail mentions file ops
- src/agents/tools/nodes-tool-media.ts: MEDIA_INVOKE_ACTIONS entry
for file.fetch redirects raw nodes(action=invoke) callers to the
dedicated file_fetch tool to prevent base64 context bloat
- src/agents/tools/nodes-tool.ts: nodes tool description points to
the dedicated file_fetch tool
Known limitations / follow-ups
------------------------------
- No tests in this PR. For a security-sensitive surface this is a
gap; will follow up with a test pass.
- Direct CLI invocation (openclaw nodes invoke --command file.fetch)
bypasses the plugin policy entirely. Plugin-side gating is the
realistic threat model (agent on iMessage requesting paths it
shouldn't), but for true defense-in-depth, policy belongs in the
gateway-side node.invoke dispatch. Move-policy-to-core is a
separate PR.
- file_watch (long-lived filesystem event subscription) is not
included; it needs a new node-protocol primitive for streaming
event channels and was descoped from this PR.
- dir_fetch includeDotfiles: true is the only supported mode;
BSD tar exclude patterns reliably collapse dotfile filtering
to an empty archive. Reliable filtering needs a
`find ! -name ".*" | tar -T -` pipeline; deferred.
- dir_fetch du -sk preflight is a heuristic (du * 4 vs maxBytes);
the mid-stream byte cap is the actual safety net.
* test(file-transfer): add unit tests for handlers, policy, and shared utilities
Adds 77 tests covering:
- handleFileFetch: validation, fs errors, sha256, size cap, symlink canonicalization
- handleFileWrite: validation, atomic write, overwrite policy, parent dir handling, symlink refusal, integrity check, size cap
- handleDirList: validation, fs errors, sorted listing, dotfile inclusion, pagination
- handleDirFetch: validation, fs errors, gzipped tar with sha256, mid-stream byte cap
- evaluateFilePolicy: default-deny, denyPaths-wins, allow matching, ask modes (off/on-miss/always), node-id/displayName/'*' resolution
- persistAllowAlways: append, dedupe, create-on-missing
- shared/mime: extension lookup, image/text inline sets
- shared/errors: err helper, classifyFsError, throwFromNodePayload
Also fixes accumulated lint regressions in the prod source flagged once these
files moved into the changed-gate scope (parseInt -> Number.parseInt, redundant
type casts removed, single-statement if bodies wrapped in braces).
* fix(file-transfer): address PR review feedback (security + availability)
Reviewer findings addressed (greptile + aisle):
- policy: persistAllowAlways no longer escalates per-node approvals to the
'*' wildcard entry; allow-always now writes under the specific node's
own entry, never the wildcard (greptile P1 SECURITY).
- policy: add literal '..' segment short-circuit in evaluateFilePolicy,
raised before glob match. Stops "/allowed/../etc/passwd" from passing
preflight against "/allowed/**" globs (aisle MEDIUM CWE-22).
- file-write: replace no-op base64 try/catch with actual round-trip
validation. Buffer.from(s, "base64") never throws — invalid input
silently decoded to garbage bytes. Now re-encodes and compares
modulo padding/url-variant chars (greptile P1 SECURITY).
- file-write: document the parent-symlink residual risk and rely on the
existing gateway-side post-flight policy check; full rollback requires
a node-side file.unlink which is deferred to a follow-up. Initial
segment-walk attempt was reverted because it false-positives on system
symlinks like macOS /var → /private/var (aisle HIGH CWE-59).
- dir-fetch tool: add preValidateTarball pass that runs `tar -tzvf` and
rejects symlinks, hardlinks, absolute paths, '..' traversal,
uncompressed sizes >64MB, and entry counts >5000 — before any
extraction. Drops --no-overwrite-dir (GNU-only flag rejected by BSD
tar on macOS) (aisle HIGH x2 CWE-22 + CWE-409, greptile P2).
- dir-fetch tool: stream-hash files via fs.open + read loop instead of
fs.readFile to avoid full-buffer reads on large extracted entries.
- dir-fetch handler: replace spawnSync in countTarEntries with async
spawn + bounded buffer so tar -tzf can't park the node-host event
loop for up to 10s on a slow filesystem (greptile P1 AVAIL).
- audit: clear auditDirPromise on rejection so a transient mkdir
failure doesn't permanently silence the audit log (greptile P2).
New tests: wildcard escalation rejection, base64 malformed/url-variant,
'..' traversal short-circuit (3 cases). 84/84 passing.
* fix(file-transfer): CI failures + second-round PR review feedback
CI failures on previous push:
- Declare runtime deps (minimatch, typebox) in package.json — failed the
extension-runtime-dependencies contract test that scans imports.
- Switch policy.ts and policy.test.ts off the broad
openclaw/plugin-sdk/config-runtime barrel and onto the narrow
openclaw/plugin-sdk/config-mutation + runtime-config-snapshot subpaths.
This satisfies the deprecated-internal-config-api architecture guard.
Second-round Aisle findings:
- policy: traversal-segment check now treats backslash and forward slash
as equivalent, so a Windows node can't be hit with mixed-separator
"C:\\allowed\\..\\Windows\\system.ini" (Aisle HIGH CWE-22).
- dir-fetch tool: replace the single fragile `tar -tvzf` parser pass
(which broke for filenames containing whitespace) with two robust
passes: `tar -tzf` for paths only (one per line, no parsing of
fixed columns) and `tar -tzvf` for type chars only (FIRST CHAR of each
line, never the path column). Also reject backslash-containing entry
names. Drops the in-process uncompressed-size cap because reliably
parsing sizes from tar output is fragile and Aisle flagged it as a
bypass primitive — entry-count cap stays (Aisle HIGH CWE-22, MED).
Tests still 84/84 passing.
* fix(file-transfer): third-round PR review feedback
Aisle's re-analysis on b63daa6a05 surfaced 3 actionable findings:
- nodes.invoke bypass (HIGH CWE-285): generic nodes.action="invoke" let
agents call dir.list/dir.fetch/file.write directly, skipping the
file-transfer plugin's gatekeep + policy + approval flow. Only file.fetch
was redirected to its dedicated tool. Add the other three to
MEDIA_INVOKE_ACTIONS so the redirect-or-deny logic in
nodes-tool-commands fires for all four. The dedicated tools enforce
policy; the generic invoke surface no longer has a way to skip them
without an explicit allowMediaInvokeCommands opt-in.
- prototype pollution in persistAllowAlways (MED CWE-1321): a paired
node with displayName "__proto__" / "prototype" / "constructor" would
mutate the fileTransfer object's prototype when persisting allow-always.
Reject those keys explicitly. Switch the existing-key lookup to
Object.prototype.hasOwnProperty.call so a key like "constructor"
doesn't accidentally match Object.prototype.constructor.
- decompression-bomb cap in dir_fetch (MED CWE-409): compressed tar is
bounded upstream, but a highly compressible bomb can still expand to
gigabytes. Enforce DIR_FETCH_MAX_UNCOMPRESSED_BYTES (64MB) summed
across extracted files and DIR_FETCH_MAX_SINGLE_FILE_BYTES (16MB) per
entry, both checked during the post-extract walk. On bust, rm -rf the
rootDir and audit-log + throw UNCOMPRESSED_TOO_LARGE.
Tests: 85/85 passing (added prototype-pollution rejection test).
Aisle's HIGH parent-symlink finding remains documented as deferred — full
rollback requires a node-side file.unlink command which is out of scope
for this PR. The gateway-side post-flight policy check still detects and
loudly errors on canonical-path mismatches.
* fix(file-transfer): refuse symlink traversal by default with followSymlinks opt-in
Closes the deferred Aisle HIGH parent-symlink finding. Instead of
detecting the escape in a post-flight gateway check after the file is
already written, the node-side handler now refuses pre-flight if any
component of the requested path resolves through a symlink.
Behavior:
- Reads (file.fetch / dir.list / dir.fetch): node realpath()s the
requested path. If canonical != requested AND followSymlinks=false,
return SYMLINK_REDIRECT { canonicalPath } — no I/O happens.
- Writes (file.write): node realpath()s the parent dir. Same refusal
rule. The lstat-on-final check is kept to catch the case where the
target file itself is an existing symlink.
- Opt-in: set gateway.nodes.fileTransfer.<node>.followSymlinks=true to
bring back the previous "follow + post-flight check" behavior.
Operator UX: the SYMLINK_REDIRECT response includes the canonical path
so the operator can either update their allow list to the canonical form
or set followSymlinks=true on that node. On macOS, /var → /private/var
and /tmp → /private/tmp are system aliases that trip the new check, so
operators using those paths need followSymlinks=true OR canonical-path
allowlists.
Wiring:
- Add followSymlinks?: boolean to NodeFilePolicyConfig.
- evaluateFilePolicy returns followSymlinks (default false) on its
ok=true branches.
- gatekeep propagates it via GatekeepOutcome.
- Each tool passes it as a node.invoke param.
- Each handler honors it pre-flight before any read/write.
Tests updated: 89/89 passing.
- realpath(mkdtemp()) so existing happy-path tests don't trip the new
default on macOS where mkdtemp lands under symlinked /var/folders.
- New tests: SYMLINK_REDIRECT refusal for file.fetch and file.write
parent traversal; opt-in passthrough when followSymlinks=true.
- New policy test: followSymlinks propagation default false / true.
* fix(file-transfer): close two more aisle findings on 069bd66
Aisle re-analysis on 069bd66 surfaced two issues my earlier round-three
fix missed:
- HIGH (CWE-284): file.fetch / dir.fetch / dir.list / file.write were
still bypassable via the generic nodes.action="invoke" surface when
the operator had set allowMediaInvokeCommands=true. That flag was
meant to opt in to base64-bloat for camera/screen, not to disable
path policy on file-transfer. Split the redirect map: introduce
POLICY_REDIRECT_INVOKE_COMMANDS (file-transfer only) which ALWAYS
rerouts to its dedicated tool regardless of the bloat flag. Camera
and screen continue to use the bloat-only redirect (suppressed by
allowMediaInvokeCommands=true). Confirmed by clawsweeper P1.
- MED (CWE-276): tar -xzf in dir_fetch unpack preserved archive
ownership and permissions, so a malicious node could plant
setuid/setgid or world-writable files on a gateway running with
elevated privileges. Add --no-same-owner --no-same-permissions
(both flags are portable across BSD tar / GNU tar).
Tests: 89/89 passing.
* chore(file-transfer): drop file_watch from plugin description
Phase 5 (file_watch) was deferred earlier in this PR. Strip the watch
mention from the plugin description in package.json,
openclaw.plugin.json, and index.ts so the metadata reflects what's
actually shipped (file_fetch, dir_list, dir_fetch, file_write).
Closes clawsweeper P3.
* fix(file-transfer): hash before rename and allow zero-byte round-trip
Two of Peter's review findings on PR #74134:
- P2 (file-write integrity): hash the decoded buffer + compare against
expectedSha256 BEFORE temp+rename. Previously the rename happened
first, then the sha check unlinked the target on mismatch — with
overwrite=true a bad caller hash could replace + delete the original.
Now a hash mismatch returns INTEGRITY_FAILURE without touching disk.
Added a regression test that asserts the original file survives.
- P2/P3 (zero-byte round-trip): the tool layer's truthy checks on
contentBase64 and base64 rejected the empty string, blocking zero-byte
files from round-tripping through file_fetch -> file_write. Switched
to type-checks (typeof === "string") and added zero-byte tests at the
handler layer for both fetch and write (sha matches the known empty
digest).
Tests: 92/92 passing.
* fix(file-transfer): declare gateway.nodes.fileTransfer in core config schema
Peter's P1/P2 finding: the plugin reads/writes gateway.nodes.fileTransfer
via casts through unknown because the strict zod schema and OpenClawConfig
type didn't declare it. That meant `openclaw config validate` would
reject the very examples in the plugin's own documentation.
- Add fileTransfer block to gateway.nodes in src/config/zod-schema.ts
with the full per-node entry shape (ask, allowReadPaths,
allowWritePaths, denyPaths, maxBytes, followSymlinks).
- Add GatewayNodeFileTransferEntry + the fileTransfer field on
GatewayNodesConfig in src/config/types.gateway.ts.
- Drop the `as unknown` casts in the extension's policy.ts now that
gateway.nodes.fileTransfer is properly typed end-to-end.
- Regenerate docs/.generated/config-baseline.sha256.
Tests: 92/92 passing. pnpm config:docs:check OK.
* fix(file-transfer): enforce path policy at gateway dispatch
Closes Peter's P1 review finding on PR #74134.
The agent-tool-only redirect added in earlier commits left CLI
(`openclaw nodes invoke`), plugin-runtime, and raw `node.invoke` callers
able to skip the file-transfer path policy entirely. The fix moves the
security boundary down to the gateway: every code path that reaches
`node.invoke` for file.fetch / dir.list / dir.fetch / file.write now
runs the same allow/deny check.
- New: src/gateway/file-transfer-dispatch.ts with
`evaluateFileTransferDispatchPolicy` and `isFileTransferCommand`. Same
semantics as the extension-side `evaluateFilePolicy` minus the
operator-prompt flow (prompts stay at the agent-tool layer; the
gateway is silent enforcement).
- src/gateway/server-methods/nodes.ts: after the existing command
allowlist check, run the new gate before forwarding. Denies emit
INVALID_REQUEST with a structured `{ command, code, reason }`.
- Decision matrix mirrors the extension: NO_POLICY (no entry for
this node) deny, denyPaths-wins, '..' traversal short-circuit
(with backslash separator handling), allowPaths match → allow,
no allow match → deny.
- 19 new unit tests covering each branch including identity
resolution (nodeId/displayName/'*'), prototype-pollution-safe lookup,
and read-vs-write allow-list separation.
Note on allow-once approvals: the agent tool's interactive
`allow-once` decision now has to flow through the dedicated tool's
pre-flight (which forwards an approved request); raw `nodes.invoke`
callers cannot benefit from one-time approvals because the gateway is
silent. allow-always (which persists to allowReadPaths/allowWritePaths)
continues to work transparently because by the time the next request
hits the gateway the path is in the persisted allow list.
Tests: 92 extension + 19 gateway = 111 total, all passing.
* fix(file-transfer): enforce node policy in gateway
* fix(file-transfer): use plugin node policy only
* fix(file-transfer): harden node policy edge cases
* fix(file-transfer): close review hardening gaps
* fix(file-transfer): harden node invoke policy
* fix(file-transfer): align runtime dependency versions
* fix(file-transfer): keep minimatch extension-owned
* refactor(file-transfer): remove unused approval gate
* fix(file-transfer): require canonical node policy authorization
Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com>
* fix(clawsweeper): address review for automerge-openclaw-openclaw-74134 (1)
Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com>
* fix(file-transfer): recheck dir fetch archive policy after fetch
* fix(file-transfer): name file-transfer tool in invoke redirect
---------
Co-authored-by: Omar Shahine <10343873+omarshahine@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: clawsweeper-repair <clawsweeper-repair@users.noreply.github.com>
1086 lines
39 KiB
TypeScript
1086 lines
39 KiB
TypeScript
import { resolveSandboxConfigForAgent } from "../agents/sandbox/config.js";
|
|
import { isDangerousNetworkMode, normalizeNetworkMode } from "../agents/sandbox/network-mode.js";
|
|
import { resolveSandboxToolPolicyForAgent } from "../agents/sandbox/tool-policy.js";
|
|
import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
|
|
import { getBlockedBindReason } from "../agents/sandbox/validate-sandbox-security.js";
|
|
import { isToolAllowedByPolicies } from "../agents/tool-policy-match.js";
|
|
import { resolveToolProfilePolicy } from "../agents/tool-policy.js";
|
|
import { formatCliCommand } from "../cli/command-format.js";
|
|
import type { OpenClawConfig } from "../config/types.openclaw.js";
|
|
import type { AgentToolsConfig } from "../config/types.tools.js";
|
|
import { resolveGatewayAuth } from "../gateway/auth.js";
|
|
import { resolveAllowedAgentIds } from "../gateway/hooks-policy.js";
|
|
import {
|
|
DEFAULT_DANGEROUS_NODE_COMMANDS,
|
|
listDangerousPluginNodeCommands,
|
|
resolveNodeCommandAllowlist,
|
|
} from "../gateway/node-command-policy.js";
|
|
import {
|
|
normalizeOptionalLowercaseString,
|
|
normalizeOptionalString,
|
|
normalizeStringifiedOptionalString,
|
|
} from "../shared/string-coerce.js";
|
|
import { collectAuditModelRefs } from "./audit-model-refs.js";
|
|
import { pickSandboxToolPolicy } from "./audit-tool-policy.js";
|
|
|
|
/**
|
|
* Synchronous security audit collector functions.
|
|
*
|
|
* These functions analyze config-based security properties without I/O.
|
|
*/
|
|
|
|
export type SecurityAuditFinding = {
|
|
checkId: string;
|
|
severity: "info" | "warn" | "critical";
|
|
title: string;
|
|
detail: string;
|
|
remediation?: string;
|
|
};
|
|
|
|
// --------------------------------------------------------------------------
|
|
// Helpers
|
|
// --------------------------------------------------------------------------
|
|
|
|
function isProbablySyncedPath(p: string): boolean {
|
|
const s = p.toLowerCase();
|
|
return (
|
|
s.includes("icloud") ||
|
|
s.includes("dropbox") ||
|
|
s.includes("google drive") ||
|
|
s.includes("googledrive") ||
|
|
s.includes("onedrive")
|
|
);
|
|
}
|
|
|
|
function looksLikeEnvRef(value: string): boolean {
|
|
const v = value.trim();
|
|
return v.startsWith("${") && v.endsWith("}");
|
|
}
|
|
|
|
function isGatewayRemotelyExposed(cfg: OpenClawConfig): boolean {
|
|
const bind = typeof cfg.gateway?.bind === "string" ? cfg.gateway.bind : "loopback";
|
|
if (bind !== "loopback") {
|
|
return true;
|
|
}
|
|
const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
|
|
return tailscaleMode === "serve" || tailscaleMode === "funnel";
|
|
}
|
|
|
|
const LEGACY_MODEL_PATTERNS: Array<{ id: string; re: RegExp; label: string }> = [
|
|
{ id: "openai.gpt35", re: /\bgpt-3\.5\b/i, label: "GPT-3.5 family" },
|
|
{ id: "anthropic.claude2", re: /\bclaude-(instant|2)\b/i, label: "Claude 2/Instant family" },
|
|
{ id: "openai.gpt4_legacy", re: /\bgpt-4-(0314|0613)\b/i, label: "Legacy GPT-4 snapshots" },
|
|
];
|
|
|
|
const WEAK_TIER_MODEL_PATTERNS: Array<{ id: string; re: RegExp; label: string }> = [
|
|
{ id: "anthropic.haiku", re: /\bhaiku\b/i, label: "Haiku tier (smaller model)" },
|
|
];
|
|
|
|
function isGptModel(id: string): boolean {
|
|
return /\bgpt-/i.test(id);
|
|
}
|
|
|
|
function isGpt5OrHigher(id: string): boolean {
|
|
return /\bgpt-5(?:\b|[.-])/i.test(id);
|
|
}
|
|
|
|
function isClaudeModel(id: string): boolean {
|
|
return /\bclaude-/i.test(id);
|
|
}
|
|
|
|
function isClaude45OrHigher(id: string): boolean {
|
|
// Match claude-*-4-5+, claude-*-45+, claude-*4.5+, or future 5.x+ majors.
|
|
return /\bclaude-[^\s/]*?(?:-4-?(?:[5-9]|[1-9]\d)\b|4\.(?:[5-9]|[1-9]\d)\b|-[5-9](?:\b|[.-]))/i.test(
|
|
id,
|
|
);
|
|
}
|
|
|
|
function hasConfiguredDockerConfig(
|
|
docker: Record<string, unknown> | undefined | null,
|
|
): docker is Record<string, unknown> {
|
|
if (!docker || typeof docker !== "object") {
|
|
return false;
|
|
}
|
|
return Object.values(docker).some((value) => value !== undefined);
|
|
}
|
|
|
|
function normalizeNodeCommand(value: unknown): string {
|
|
return normalizeOptionalString(value) ?? "";
|
|
}
|
|
|
|
function isWildcardEntry(value: unknown): boolean {
|
|
return normalizeStringifiedOptionalString(value) === "*";
|
|
}
|
|
|
|
function listKnownNodeCommands(cfg: OpenClawConfig): Set<string> {
|
|
const baseCfg: OpenClawConfig = {
|
|
...cfg,
|
|
gateway: {
|
|
...cfg.gateway,
|
|
nodes: {
|
|
...cfg.gateway?.nodes,
|
|
denyCommands: [],
|
|
},
|
|
},
|
|
};
|
|
const out = new Set<string>();
|
|
for (const platform of ["ios", "android", "macos", "linux", "windows", "unknown"]) {
|
|
const allow = resolveNodeCommandAllowlist(baseCfg, { platform });
|
|
for (const cmd of allow) {
|
|
const normalized = normalizeNodeCommand(cmd);
|
|
if (normalized) {
|
|
out.add(normalized);
|
|
}
|
|
}
|
|
}
|
|
for (const cmd of DEFAULT_DANGEROUS_NODE_COMMANDS) {
|
|
const normalized = normalizeNodeCommand(cmd);
|
|
if (normalized) {
|
|
out.add(normalized);
|
|
}
|
|
}
|
|
return out;
|
|
}
|
|
|
|
function resolveToolPolicies(params: {
|
|
cfg: OpenClawConfig;
|
|
agentTools?: AgentToolsConfig;
|
|
sandboxMode?: "off" | "non-main" | "all";
|
|
agentId?: string | null;
|
|
}): SandboxToolPolicy[] {
|
|
const policies: SandboxToolPolicy[] = [];
|
|
const profile = params.agentTools?.profile ?? params.cfg.tools?.profile;
|
|
const profilePolicy = resolveToolProfilePolicy(profile);
|
|
if (profilePolicy) {
|
|
policies.push(profilePolicy);
|
|
}
|
|
|
|
const globalPolicy = pickSandboxToolPolicy(params.cfg.tools ?? undefined);
|
|
if (globalPolicy) {
|
|
policies.push(globalPolicy);
|
|
}
|
|
|
|
const agentPolicy = pickSandboxToolPolicy(params.agentTools);
|
|
if (agentPolicy) {
|
|
policies.push(agentPolicy);
|
|
}
|
|
|
|
if (params.sandboxMode === "all") {
|
|
policies.push(resolveSandboxToolPolicyForAgent(params.cfg, params.agentId ?? undefined));
|
|
}
|
|
|
|
return policies;
|
|
}
|
|
|
|
function looksLikeNodeCommandPattern(value: string): boolean {
|
|
if (!value) {
|
|
return false;
|
|
}
|
|
if (/[?*[\]{}(),|]/.test(value)) {
|
|
return true;
|
|
}
|
|
if (
|
|
value.startsWith("/") ||
|
|
value.endsWith("/") ||
|
|
value.startsWith("^") ||
|
|
value.endsWith("$")
|
|
) {
|
|
return true;
|
|
}
|
|
return /\s/.test(value) || value.includes("group:");
|
|
}
|
|
|
|
function editDistance(a: string, b: string): number {
|
|
if (a === b) {
|
|
return 0;
|
|
}
|
|
if (!a) {
|
|
return b.length;
|
|
}
|
|
if (!b) {
|
|
return a.length;
|
|
}
|
|
|
|
const dp: number[] = Array.from({ length: b.length + 1 }, (_, j) => j);
|
|
|
|
for (let i = 1; i <= a.length; i++) {
|
|
let prev = dp[0];
|
|
dp[0] = i;
|
|
for (let j = 1; j <= b.length; j++) {
|
|
const temp = dp[j];
|
|
const cost = a[i - 1] === b[j - 1] ? 0 : 1;
|
|
dp[j] = Math.min(dp[j] + 1, dp[j - 1] + 1, prev + cost);
|
|
prev = temp;
|
|
}
|
|
}
|
|
|
|
return dp[b.length];
|
|
}
|
|
|
|
function suggestKnownNodeCommands(unknown: string, known: Set<string>): string[] {
|
|
const needle = unknown.trim();
|
|
if (!needle) {
|
|
return [];
|
|
}
|
|
|
|
// Fast path: prefix-ish suggestions.
|
|
const prefix = needle.includes(".") ? needle.split(".").slice(0, 2).join(".") : needle;
|
|
const prefixHits = Array.from(known)
|
|
.filter((cmd) => cmd.startsWith(prefix))
|
|
.slice(0, 3);
|
|
if (prefixHits.length > 0) {
|
|
return prefixHits;
|
|
}
|
|
|
|
// Fuzzy: Levenshtein over a small-ish known set.
|
|
const ranked = Array.from(known)
|
|
.map((cmd) => ({ cmd, d: editDistance(needle, cmd) }))
|
|
.toSorted((a, b) => a.d - b.d || a.cmd.localeCompare(b.cmd));
|
|
|
|
const best = ranked[0]?.d ?? Infinity;
|
|
const threshold = Math.max(2, Math.min(4, best));
|
|
return ranked
|
|
.filter((r) => r.d <= threshold)
|
|
.slice(0, 3)
|
|
.map((r) => r.cmd);
|
|
}
|
|
|
|
function listGroupPolicyOpen(cfg: OpenClawConfig): string[] {
|
|
const out: string[] = [];
|
|
const channels = cfg.channels as Record<string, unknown> | undefined;
|
|
if (!channels || typeof channels !== "object") {
|
|
return out;
|
|
}
|
|
for (const [channelId, value] of Object.entries(channels)) {
|
|
if (!value || typeof value !== "object") {
|
|
continue;
|
|
}
|
|
const section = value as Record<string, unknown>;
|
|
if (section.groupPolicy === "open") {
|
|
out.push(`channels.${channelId}.groupPolicy`);
|
|
}
|
|
const accounts = section.accounts;
|
|
if (accounts && typeof accounts === "object") {
|
|
for (const [accountId, accountVal] of Object.entries(accounts)) {
|
|
if (!accountVal || typeof accountVal !== "object") {
|
|
continue;
|
|
}
|
|
const acc = accountVal as Record<string, unknown>;
|
|
if (acc.groupPolicy === "open") {
|
|
out.push(`channels.${channelId}.accounts.${accountId}.groupPolicy`);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return out;
|
|
}
|
|
|
|
function hasConfiguredGroupTargets(section: Record<string, unknown>): boolean {
|
|
const groupKeys = ["groups", "guilds", "channels", "rooms"];
|
|
return groupKeys.some((key) => {
|
|
const value = section[key];
|
|
return Boolean(value && typeof value === "object" && Object.keys(value).length > 0);
|
|
});
|
|
}
|
|
|
|
function listPotentialMultiUserSignals(cfg: OpenClawConfig): string[] {
|
|
const out = new Set<string>();
|
|
const channels = cfg.channels as Record<string, unknown> | undefined;
|
|
if (!channels || typeof channels !== "object") {
|
|
return [];
|
|
}
|
|
|
|
const inspectSection = (section: Record<string, unknown>, basePath: string) => {
|
|
const groupPolicy = typeof section.groupPolicy === "string" ? section.groupPolicy : null;
|
|
if (groupPolicy === "open") {
|
|
out.add(`${basePath}.groupPolicy="open"`);
|
|
} else if (groupPolicy === "allowlist" && hasConfiguredGroupTargets(section)) {
|
|
out.add(`${basePath}.groupPolicy="allowlist" with configured group targets`);
|
|
}
|
|
|
|
const dmPolicy = typeof section.dmPolicy === "string" ? section.dmPolicy : null;
|
|
if (dmPolicy === "open") {
|
|
out.add(`${basePath}.dmPolicy="open"`);
|
|
}
|
|
|
|
const allowFrom = Array.isArray(section.allowFrom) ? section.allowFrom : [];
|
|
if (allowFrom.some((entry) => isWildcardEntry(entry))) {
|
|
out.add(`${basePath}.allowFrom includes "*"`);
|
|
}
|
|
|
|
const groupAllowFrom = Array.isArray(section.groupAllowFrom) ? section.groupAllowFrom : [];
|
|
if (groupAllowFrom.some((entry) => isWildcardEntry(entry))) {
|
|
out.add(`${basePath}.groupAllowFrom includes "*"`);
|
|
}
|
|
|
|
const dm = section.dm;
|
|
if (dm && typeof dm === "object") {
|
|
const dmSection = dm as Record<string, unknown>;
|
|
const dmLegacyPolicy = typeof dmSection.policy === "string" ? dmSection.policy : null;
|
|
if (dmLegacyPolicy === "open") {
|
|
out.add(`${basePath}.dm.policy="open"`);
|
|
}
|
|
const dmAllowFrom = Array.isArray(dmSection.allowFrom) ? dmSection.allowFrom : [];
|
|
if (dmAllowFrom.some((entry) => isWildcardEntry(entry))) {
|
|
out.add(`${basePath}.dm.allowFrom includes "*"`);
|
|
}
|
|
}
|
|
};
|
|
|
|
for (const [channelId, value] of Object.entries(channels)) {
|
|
if (!value || typeof value !== "object") {
|
|
continue;
|
|
}
|
|
const section = value as Record<string, unknown>;
|
|
inspectSection(section, `channels.${channelId}`);
|
|
const accounts = section.accounts;
|
|
if (!accounts || typeof accounts !== "object") {
|
|
continue;
|
|
}
|
|
for (const [accountId, accountValue] of Object.entries(accounts)) {
|
|
if (!accountValue || typeof accountValue !== "object") {
|
|
continue;
|
|
}
|
|
inspectSection(
|
|
accountValue as Record<string, unknown>,
|
|
`channels.${channelId}.accounts.${accountId}`,
|
|
);
|
|
}
|
|
}
|
|
|
|
return Array.from(out);
|
|
}
|
|
|
|
function collectRiskyToolExposureContexts(cfg: OpenClawConfig): {
|
|
riskyContexts: string[];
|
|
hasRuntimeRisk: boolean;
|
|
} {
|
|
const contexts: Array<{
|
|
label: string;
|
|
agentId?: string;
|
|
tools?: AgentToolsConfig;
|
|
}> = [{ label: "agents.defaults" }];
|
|
for (const agent of cfg.agents?.list ?? []) {
|
|
if (!agent || typeof agent !== "object" || typeof agent.id !== "string") {
|
|
continue;
|
|
}
|
|
contexts.push({
|
|
label: `agents.list.${agent.id}`,
|
|
agentId: agent.id,
|
|
tools: agent.tools,
|
|
});
|
|
}
|
|
|
|
const riskyContexts: string[] = [];
|
|
let hasRuntimeRisk = false;
|
|
for (const context of contexts) {
|
|
const sandboxMode = resolveSandboxConfigForAgent(cfg, context.agentId).mode;
|
|
const policies = resolveToolPolicies({
|
|
cfg,
|
|
agentTools: context.tools,
|
|
sandboxMode,
|
|
agentId: context.agentId ?? null,
|
|
});
|
|
const runtimeTools = ["exec", "process"].filter((tool) =>
|
|
isToolAllowedByPolicies(tool, policies),
|
|
);
|
|
const fsTools = ["read", "write", "edit", "apply_patch"].filter((tool) =>
|
|
isToolAllowedByPolicies(tool, policies),
|
|
);
|
|
const fsWorkspaceOnly = context.tools?.fs?.workspaceOnly ?? cfg.tools?.fs?.workspaceOnly;
|
|
const runtimeUnguarded = runtimeTools.length > 0 && sandboxMode !== "all";
|
|
const fsUnguarded = fsTools.length > 0 && sandboxMode !== "all" && fsWorkspaceOnly !== true;
|
|
if (!runtimeUnguarded && !fsUnguarded) {
|
|
continue;
|
|
}
|
|
if (runtimeUnguarded) {
|
|
hasRuntimeRisk = true;
|
|
}
|
|
riskyContexts.push(
|
|
`${context.label} (sandbox=${sandboxMode}; runtime=[${runtimeTools.join(", ") || "off"}]; fs=[${fsTools.join(", ") || "off"}]; fs.workspaceOnly=${
|
|
fsWorkspaceOnly === true ? "true" : "false"
|
|
})`,
|
|
);
|
|
}
|
|
|
|
return { riskyContexts, hasRuntimeRisk };
|
|
}
|
|
|
|
// --------------------------------------------------------------------------
|
|
// Exported collectors
|
|
// --------------------------------------------------------------------------
|
|
|
|
export function collectSyncedFolderFindings(params: {
|
|
stateDir: string;
|
|
configPath: string;
|
|
}): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
if (isProbablySyncedPath(params.stateDir) || isProbablySyncedPath(params.configPath)) {
|
|
findings.push({
|
|
checkId: "fs.synced_dir",
|
|
severity: "warn",
|
|
title: "State/config path looks like a synced folder",
|
|
detail: `stateDir=${params.stateDir}, configPath=${params.configPath}. Synced folders (iCloud/Dropbox/OneDrive/Google Drive) can leak tokens and transcripts onto other devices.`,
|
|
remediation: `Keep OPENCLAW_STATE_DIR on a local-only volume and re-run "${formatCliCommand("openclaw security audit --fix")}".`,
|
|
});
|
|
}
|
|
return findings;
|
|
}
|
|
|
|
export function collectSecretsInConfigFindings(cfg: OpenClawConfig): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const password = normalizeOptionalString(cfg.gateway?.auth?.password) ?? "";
|
|
if (password && !looksLikeEnvRef(password)) {
|
|
findings.push({
|
|
checkId: "config.secrets.gateway_password_in_config",
|
|
severity: "warn",
|
|
title: "Gateway password is stored in config",
|
|
detail:
|
|
"gateway.auth.password is set in the config file; prefer environment variables for secrets when possible.",
|
|
remediation:
|
|
"Prefer OPENCLAW_GATEWAY_PASSWORD (env) and remove gateway.auth.password from disk.",
|
|
});
|
|
}
|
|
|
|
const hooksToken = normalizeOptionalString(cfg.hooks?.token) ?? "";
|
|
if (cfg.hooks?.enabled === true && hooksToken && !looksLikeEnvRef(hooksToken)) {
|
|
findings.push({
|
|
checkId: "config.secrets.hooks_token_in_config",
|
|
severity: "info",
|
|
title: "Hooks token is stored in config",
|
|
detail:
|
|
"hooks.token is set in the config file; keep config perms tight and treat it like an API secret.",
|
|
});
|
|
}
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectHooksHardeningFindings(
|
|
cfg: OpenClawConfig,
|
|
env: NodeJS.ProcessEnv = process.env,
|
|
): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
if (cfg.hooks?.enabled !== true) {
|
|
return findings;
|
|
}
|
|
|
|
const token = normalizeOptionalString(cfg.hooks?.token) ?? "";
|
|
if (token && token.length < 24) {
|
|
findings.push({
|
|
checkId: "hooks.token_too_short",
|
|
severity: "warn",
|
|
title: "Hooks token looks short",
|
|
detail: `hooks.token is ${token.length} chars; prefer a long random token.`,
|
|
});
|
|
}
|
|
|
|
const gatewayAuth = resolveGatewayAuth({
|
|
authConfig: cfg.gateway?.auth,
|
|
tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
|
|
env,
|
|
});
|
|
const openclawGatewayToken =
|
|
typeof env.OPENCLAW_GATEWAY_TOKEN === "string" && env.OPENCLAW_GATEWAY_TOKEN.trim()
|
|
? env.OPENCLAW_GATEWAY_TOKEN.trim()
|
|
: null;
|
|
const gatewayToken =
|
|
gatewayAuth.mode === "token" &&
|
|
typeof gatewayAuth.token === "string" &&
|
|
gatewayAuth.token.trim()
|
|
? gatewayAuth.token.trim()
|
|
: openclawGatewayToken
|
|
? openclawGatewayToken
|
|
: null;
|
|
if (token && gatewayToken && token === gatewayToken) {
|
|
findings.push({
|
|
checkId: "hooks.token_reuse_gateway_token",
|
|
severity: "critical",
|
|
title: "Hooks token reuses the Gateway token",
|
|
detail:
|
|
"hooks.token matches gateway.auth token; compromise of hooks expands blast radius to the Gateway API.",
|
|
remediation: "Use a separate hooks.token dedicated to hook ingress.",
|
|
});
|
|
}
|
|
|
|
const rawPath = normalizeOptionalString(cfg.hooks?.path) ?? "";
|
|
if (rawPath === "/") {
|
|
findings.push({
|
|
checkId: "hooks.path_root",
|
|
severity: "critical",
|
|
title: "Hooks base path is '/'",
|
|
detail: "hooks.path='/' would shadow other HTTP endpoints and is unsafe.",
|
|
remediation: "Use a dedicated path like '/hooks'.",
|
|
});
|
|
}
|
|
|
|
const allowRequestSessionKey = cfg.hooks?.allowRequestSessionKey === true;
|
|
const defaultSessionKey = normalizeOptionalString(cfg.hooks?.defaultSessionKey) ?? "";
|
|
const allowedAgentIds = resolveAllowedAgentIds(cfg.hooks?.allowedAgentIds);
|
|
const allowedPrefixes = Array.isArray(cfg.hooks?.allowedSessionKeyPrefixes)
|
|
? cfg.hooks.allowedSessionKeyPrefixes
|
|
.map((prefix) => prefix.trim())
|
|
.filter((prefix) => prefix.length > 0)
|
|
: [];
|
|
const remoteExposure = isGatewayRemotelyExposed(cfg);
|
|
|
|
if (!defaultSessionKey) {
|
|
findings.push({
|
|
checkId: "hooks.default_session_key_unset",
|
|
severity: "warn",
|
|
title: "hooks.defaultSessionKey is not configured",
|
|
detail:
|
|
"Hook agent runs without explicit sessionKey use generated per-request keys. Set hooks.defaultSessionKey to keep hook ingress scoped to a known session.",
|
|
remediation: 'Set hooks.defaultSessionKey (for example, "hook:ingress").',
|
|
});
|
|
}
|
|
|
|
if (allowedAgentIds === undefined) {
|
|
findings.push({
|
|
checkId: "hooks.allowed_agent_ids_unrestricted",
|
|
severity: remoteExposure ? "critical" : "warn",
|
|
title: "Hook agent routing allows any configured agent",
|
|
detail:
|
|
"hooks.allowedAgentIds is unset or includes '*', so authenticated hook callers may route to any configured agent id.",
|
|
remediation:
|
|
'Set hooks.allowedAgentIds to an explicit allowlist (for example, ["hooks", "main"]) or [] to deny explicit agent routing.',
|
|
});
|
|
}
|
|
|
|
if (allowRequestSessionKey) {
|
|
findings.push({
|
|
checkId: "hooks.request_session_key_enabled",
|
|
severity: remoteExposure ? "critical" : "warn",
|
|
title: "External hook payloads may override sessionKey",
|
|
detail:
|
|
"hooks.allowRequestSessionKey=true allows `/hooks/agent` callers to choose the session key. Treat hook token holders as full-trust unless you also restrict prefixes.",
|
|
remediation:
|
|
"Set hooks.allowRequestSessionKey=false (recommended) or constrain hooks.allowedSessionKeyPrefixes.",
|
|
});
|
|
}
|
|
|
|
if (allowRequestSessionKey && allowedPrefixes.length === 0) {
|
|
findings.push({
|
|
checkId: "hooks.request_session_key_prefixes_missing",
|
|
severity: remoteExposure ? "critical" : "warn",
|
|
title: "Request sessionKey override is enabled without prefix restrictions",
|
|
detail:
|
|
"hooks.allowRequestSessionKey=true and hooks.allowedSessionKeyPrefixes is unset/empty, so request payloads can target arbitrary session key shapes.",
|
|
remediation:
|
|
'Set hooks.allowedSessionKeyPrefixes (for example, ["hook:"]) or disable request overrides.',
|
|
});
|
|
}
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectGatewayHttpSessionKeyOverrideFindings(
|
|
cfg: OpenClawConfig,
|
|
): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const chatCompletionsEnabled = cfg.gateway?.http?.endpoints?.chatCompletions?.enabled === true;
|
|
const responsesEnabled = cfg.gateway?.http?.endpoints?.responses?.enabled === true;
|
|
if (!chatCompletionsEnabled && !responsesEnabled) {
|
|
return findings;
|
|
}
|
|
|
|
const enabledEndpoints = [
|
|
chatCompletionsEnabled ? "/v1/chat/completions" : null,
|
|
responsesEnabled ? "/v1/responses" : null,
|
|
].filter((entry): entry is string => Boolean(entry));
|
|
|
|
findings.push({
|
|
checkId: "gateway.http.session_key_override_enabled",
|
|
severity: "info",
|
|
title: "HTTP API session-key override is enabled",
|
|
detail:
|
|
`${enabledEndpoints.join(", ")} accept x-openclaw-session-key for per-request session routing. ` +
|
|
"Treat API credential holders as trusted principals.",
|
|
});
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectGatewayHttpNoAuthFindings(
|
|
cfg: OpenClawConfig,
|
|
env: NodeJS.ProcessEnv,
|
|
): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
|
|
const auth = resolveGatewayAuth({ authConfig: cfg.gateway?.auth, tailscaleMode, env });
|
|
if (auth.mode !== "none") {
|
|
return findings;
|
|
}
|
|
|
|
const chatCompletionsEnabled = cfg.gateway?.http?.endpoints?.chatCompletions?.enabled === true;
|
|
const responsesEnabled = cfg.gateway?.http?.endpoints?.responses?.enabled === true;
|
|
const enabledEndpoints = [
|
|
"/tools/invoke",
|
|
chatCompletionsEnabled ? "/v1/chat/completions" : null,
|
|
responsesEnabled ? "/v1/responses" : null,
|
|
].filter((entry): entry is string => Boolean(entry));
|
|
|
|
const remoteExposure = isGatewayRemotelyExposed(cfg);
|
|
findings.push({
|
|
checkId: "gateway.http.no_auth",
|
|
severity: remoteExposure ? "critical" : "warn",
|
|
title: "Gateway HTTP APIs are reachable without auth",
|
|
detail:
|
|
`gateway.auth.mode="none" leaves ${enabledEndpoints.join(", ")} callable without a shared secret. ` +
|
|
"Treat this as trusted-local only and avoid exposing the gateway beyond loopback.",
|
|
remediation:
|
|
"Set gateway.auth.mode to token/password (recommended). If you intentionally keep mode=none, keep gateway.bind=loopback and disable optional HTTP endpoints.",
|
|
});
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectSandboxDockerNoopFindings(cfg: OpenClawConfig): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const configuredPaths: string[] = [];
|
|
const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
|
|
|
|
const defaultsSandbox = cfg.agents?.defaults?.sandbox;
|
|
const hasDefaultDocker = hasConfiguredDockerConfig(
|
|
defaultsSandbox?.docker as Record<string, unknown> | undefined,
|
|
);
|
|
const defaultMode = defaultsSandbox?.mode ?? "off";
|
|
const hasAnySandboxEnabledAgent = agents.some((entry) => {
|
|
if (!entry || typeof entry !== "object" || typeof entry.id !== "string") {
|
|
return false;
|
|
}
|
|
return resolveSandboxConfigForAgent(cfg, entry.id).mode !== "off";
|
|
});
|
|
if (hasDefaultDocker && defaultMode === "off" && !hasAnySandboxEnabledAgent) {
|
|
configuredPaths.push("agents.defaults.sandbox.docker");
|
|
}
|
|
|
|
for (const entry of agents) {
|
|
if (!entry || typeof entry !== "object" || typeof entry.id !== "string") {
|
|
continue;
|
|
}
|
|
if (!hasConfiguredDockerConfig(entry.sandbox?.docker as Record<string, unknown> | undefined)) {
|
|
continue;
|
|
}
|
|
if (resolveSandboxConfigForAgent(cfg, entry.id).mode === "off") {
|
|
configuredPaths.push(`agents.list.${entry.id}.sandbox.docker`);
|
|
}
|
|
}
|
|
|
|
if (configuredPaths.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
findings.push({
|
|
checkId: "sandbox.docker_config_mode_off",
|
|
severity: "warn",
|
|
title: "Sandbox docker settings configured while sandbox mode is off",
|
|
detail:
|
|
"These docker settings will not take effect until sandbox mode is enabled:\n" +
|
|
configuredPaths.map((entry) => `- ${entry}`).join("\n"),
|
|
remediation:
|
|
'Enable sandbox mode (`agents.defaults.sandbox.mode="non-main"` or `"all"`) where needed, or remove unused docker settings.',
|
|
});
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectSandboxDangerousConfigFindings(cfg: OpenClawConfig): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
|
|
|
|
const configs: Array<{ source: string; docker: Record<string, unknown> }> = [];
|
|
const defaultDocker = cfg.agents?.defaults?.sandbox?.docker;
|
|
if (defaultDocker && typeof defaultDocker === "object") {
|
|
configs.push({
|
|
source: "agents.defaults.sandbox.docker",
|
|
docker: defaultDocker as Record<string, unknown>,
|
|
});
|
|
}
|
|
for (const entry of agents) {
|
|
if (!entry || typeof entry !== "object" || typeof entry.id !== "string") {
|
|
continue;
|
|
}
|
|
const agentDocker = entry.sandbox?.docker;
|
|
if (agentDocker && typeof agentDocker === "object") {
|
|
configs.push({
|
|
source: `agents.list.${entry.id}.sandbox.docker`,
|
|
docker: agentDocker as Record<string, unknown>,
|
|
});
|
|
}
|
|
}
|
|
|
|
for (const { source, docker } of configs) {
|
|
const binds = Array.isArray(docker.binds) ? docker.binds : [];
|
|
for (const bind of binds) {
|
|
if (typeof bind !== "string") {
|
|
continue;
|
|
}
|
|
const blocked = getBlockedBindReason(bind);
|
|
if (!blocked) {
|
|
continue;
|
|
}
|
|
if (blocked.kind === "non_absolute") {
|
|
findings.push({
|
|
checkId: "sandbox.bind_mount_non_absolute",
|
|
severity: "warn",
|
|
title: "Sandbox bind mount uses a non-absolute source path",
|
|
detail:
|
|
`${source}.binds contains "${bind}" which uses source path "${blocked.sourcePath}". ` +
|
|
"Non-absolute bind sources are hard to validate safely and may resolve unexpectedly.",
|
|
remediation: `Rewrite "${bind}" to use an absolute host path (for example: /home/user/project:/project:ro).`,
|
|
});
|
|
continue;
|
|
}
|
|
if (blocked.kind !== "covers" && blocked.kind !== "targets") {
|
|
continue;
|
|
}
|
|
const verb = blocked.kind === "covers" ? "covers" : "targets";
|
|
findings.push({
|
|
checkId: "sandbox.dangerous_bind_mount",
|
|
severity: "critical",
|
|
title: "Dangerous bind mount in sandbox config",
|
|
detail:
|
|
`${source}.binds contains "${bind}" which ${verb} blocked path "${blocked.blockedPath}". ` +
|
|
"This can expose host system directories or the Docker socket to sandbox containers.",
|
|
remediation: `Remove "${bind}" from ${source}.binds. Use project-specific paths instead.`,
|
|
});
|
|
}
|
|
|
|
const network = typeof docker.network === "string" ? docker.network : undefined;
|
|
const normalizedNetwork = normalizeNetworkMode(network);
|
|
if (isDangerousNetworkMode(network)) {
|
|
const modeLabel = normalizedNetwork === "host" ? '"host"' : `"${network}"`;
|
|
const detail =
|
|
normalizedNetwork === "host"
|
|
? `${source}.network is "host" which bypasses container network isolation entirely.`
|
|
: `${source}.network is ${modeLabel} which joins another container namespace and can bypass sandbox network isolation.`;
|
|
findings.push({
|
|
checkId: "sandbox.dangerous_network_mode",
|
|
severity: "critical",
|
|
title: "Dangerous network mode in sandbox config",
|
|
detail,
|
|
remediation:
|
|
`Set ${source}.network to "bridge", "none", or a custom bridge network name.` +
|
|
` Use ${source}.dangerouslyAllowContainerNamespaceJoin=true only as a break-glass override when you fully trust this runtime.`,
|
|
});
|
|
}
|
|
|
|
const seccompProfile =
|
|
typeof docker.seccompProfile === "string" ? docker.seccompProfile : undefined;
|
|
if (normalizeOptionalLowercaseString(seccompProfile) === "unconfined") {
|
|
findings.push({
|
|
checkId: "sandbox.dangerous_seccomp_profile",
|
|
severity: "critical",
|
|
title: "Seccomp unconfined in sandbox config",
|
|
detail: `${source}.seccompProfile is "unconfined" which disables syscall filtering.`,
|
|
remediation: `Remove ${source}.seccompProfile or use a custom seccomp profile file.`,
|
|
});
|
|
}
|
|
|
|
const apparmorProfile =
|
|
typeof docker.apparmorProfile === "string" ? docker.apparmorProfile : undefined;
|
|
if (normalizeOptionalLowercaseString(apparmorProfile) === "unconfined") {
|
|
findings.push({
|
|
checkId: "sandbox.dangerous_apparmor_profile",
|
|
severity: "critical",
|
|
title: "AppArmor unconfined in sandbox config",
|
|
detail: `${source}.apparmorProfile is "unconfined" which disables AppArmor enforcement.`,
|
|
remediation: `Remove ${source}.apparmorProfile or use a named AppArmor profile.`,
|
|
});
|
|
}
|
|
}
|
|
|
|
// CDP source range is now auto-derived at runtime from the Docker network gateway
|
|
// for all bridge-like networks, so an unset cdpSourceRange is no longer a security gap.
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectNodeDenyCommandPatternFindings(cfg: OpenClawConfig): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const denyListRaw = cfg.gateway?.nodes?.denyCommands;
|
|
if (!Array.isArray(denyListRaw) || denyListRaw.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
const denyList = denyListRaw.map(normalizeNodeCommand).filter(Boolean);
|
|
if (denyList.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
const knownCommands = listKnownNodeCommands(cfg);
|
|
const patternLike = denyList.filter((entry) => looksLikeNodeCommandPattern(entry));
|
|
const unknownExact = denyList.filter(
|
|
(entry) => !looksLikeNodeCommandPattern(entry) && !knownCommands.has(entry),
|
|
);
|
|
if (patternLike.length === 0 && unknownExact.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
const detailParts: string[] = [];
|
|
if (patternLike.length > 0) {
|
|
detailParts.push(
|
|
`Pattern-like entries (not supported by exact matching): ${patternLike.join(", ")}`,
|
|
);
|
|
}
|
|
if (unknownExact.length > 0) {
|
|
const unknownDetails = unknownExact
|
|
.map((entry) => {
|
|
const suggestions = suggestKnownNodeCommands(entry, knownCommands);
|
|
if (suggestions.length === 0) {
|
|
return entry;
|
|
}
|
|
return `${entry} (did you mean: ${suggestions.join(", ")})`;
|
|
})
|
|
.join(", ");
|
|
|
|
detailParts.push(`Unknown command names (not in defaults/allowCommands): ${unknownDetails}`);
|
|
}
|
|
const examples = Array.from(knownCommands).slice(0, 8);
|
|
|
|
findings.push({
|
|
checkId: "gateway.nodes.deny_commands_ineffective",
|
|
severity: "warn",
|
|
title: "Some gateway.nodes.denyCommands entries are ineffective",
|
|
detail:
|
|
"gateway.nodes.denyCommands uses exact node command-name matching only (for example `system.run`), not shell-text filtering inside a command payload.\n" +
|
|
detailParts.map((entry) => `- ${entry}`).join("\n"),
|
|
remediation:
|
|
`Use exact command names (for example: ${examples.join(", ")}). ` +
|
|
"If you need broader restrictions, remove risky command IDs from allowCommands/default workflows and tighten tools.exec policy.",
|
|
});
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectNodeDangerousAllowCommandFindings(
|
|
cfg: OpenClawConfig,
|
|
): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const allowRaw = cfg.gateway?.nodes?.allowCommands;
|
|
if (!Array.isArray(allowRaw) || allowRaw.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
const allow = new Set(allowRaw.map(normalizeNodeCommand).filter(Boolean));
|
|
if (allow.size === 0) {
|
|
return findings;
|
|
}
|
|
|
|
const deny = new Set((cfg.gateway?.nodes?.denyCommands ?? []).map(normalizeNodeCommand));
|
|
const dangerousAllowed = [
|
|
...DEFAULT_DANGEROUS_NODE_COMMANDS,
|
|
...listDangerousPluginNodeCommands(),
|
|
].filter((cmd) => allow.has(cmd) && !deny.has(cmd));
|
|
if (dangerousAllowed.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
findings.push({
|
|
checkId: "gateway.nodes.allow_commands_dangerous",
|
|
severity: isGatewayRemotelyExposed(cfg) ? "critical" : "warn",
|
|
title: "Dangerous node commands explicitly enabled",
|
|
detail:
|
|
`gateway.nodes.allowCommands includes: ${dangerousAllowed.join(", ")}. ` +
|
|
"These commands can trigger high-impact device actions or read node files (camera/screen/contacts/calendar/reminders/SMS/file).",
|
|
remediation:
|
|
"Remove these entries from gateway.nodes.allowCommands (recommended). " +
|
|
"If you keep them, treat gateway auth as full operator access and keep gateway exposure local/tailnet-only.",
|
|
});
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectMinimalProfileOverrideFindings(cfg: OpenClawConfig): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
if (cfg.tools?.profile !== "minimal") {
|
|
return findings;
|
|
}
|
|
|
|
const overrides = (cfg.agents?.list ?? [])
|
|
.filter((entry): entry is { id: string; tools?: AgentToolsConfig } => {
|
|
return Boolean(
|
|
entry &&
|
|
typeof entry === "object" &&
|
|
typeof entry.id === "string" &&
|
|
entry.tools?.profile &&
|
|
entry.tools.profile !== "minimal",
|
|
);
|
|
})
|
|
.map((entry) => `${entry.id}=${entry.tools?.profile}`);
|
|
|
|
if (overrides.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
findings.push({
|
|
checkId: "tools.profile_minimal_overridden",
|
|
severity: "warn",
|
|
title: "Global tools.profile=minimal is overridden by agent profiles",
|
|
detail:
|
|
"Global minimal profile is set, but these agent profiles take precedence:\n" +
|
|
overrides.map((entry) => `- agents.list.${entry}`).join("\n"),
|
|
remediation:
|
|
'Set those agents to `tools.profile="minimal"` (or remove the agent override) if you want minimal tools enforced globally.',
|
|
});
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectModelHygieneFindings(cfg: OpenClawConfig): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const models = collectAuditModelRefs(cfg);
|
|
if (models.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
const weakMatches = new Map<string, { model: string; source: string; reasons: string[] }>();
|
|
const addWeakMatch = (model: string, source: string, reason: string) => {
|
|
const key = `${model}@@${source}`;
|
|
const existing = weakMatches.get(key);
|
|
if (!existing) {
|
|
weakMatches.set(key, { model, source, reasons: [reason] });
|
|
return;
|
|
}
|
|
if (!existing.reasons.includes(reason)) {
|
|
existing.reasons.push(reason);
|
|
}
|
|
};
|
|
|
|
for (const entry of models) {
|
|
for (const pat of WEAK_TIER_MODEL_PATTERNS) {
|
|
if (pat.re.test(entry.id)) {
|
|
addWeakMatch(entry.id, entry.source, pat.label);
|
|
break;
|
|
}
|
|
}
|
|
if (isGptModel(entry.id) && !isGpt5OrHigher(entry.id)) {
|
|
addWeakMatch(entry.id, entry.source, "Below GPT-5 family");
|
|
}
|
|
if (isClaudeModel(entry.id) && !isClaude45OrHigher(entry.id)) {
|
|
addWeakMatch(entry.id, entry.source, "Below Claude 4.5");
|
|
}
|
|
}
|
|
|
|
const matches: Array<{ model: string; source: string; reason: string }> = [];
|
|
for (const entry of models) {
|
|
for (const pat of LEGACY_MODEL_PATTERNS) {
|
|
if (pat.re.test(entry.id)) {
|
|
matches.push({ model: entry.id, source: entry.source, reason: pat.label });
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (matches.length > 0) {
|
|
const lines = matches
|
|
.slice(0, 12)
|
|
.map((m) => `- ${m.model} (${m.reason}) @ ${m.source}`)
|
|
.join("\n");
|
|
const more = matches.length > 12 ? `\n…${matches.length - 12} more` : "";
|
|
findings.push({
|
|
checkId: "models.legacy",
|
|
severity: "warn",
|
|
title: "Some configured models look legacy",
|
|
detail:
|
|
"Older/legacy models can be less robust against prompt injection and tool misuse.\n" +
|
|
lines +
|
|
more,
|
|
remediation: "Prefer modern, instruction-hardened models for any bot that can run tools.",
|
|
});
|
|
}
|
|
|
|
if (weakMatches.size > 0) {
|
|
const lines = Array.from(weakMatches.values())
|
|
.slice(0, 12)
|
|
.map((m) => `- ${m.model} (${m.reasons.join("; ")}) @ ${m.source}`)
|
|
.join("\n");
|
|
const more = weakMatches.size > 12 ? `\n…${weakMatches.size - 12} more` : "";
|
|
findings.push({
|
|
checkId: "models.weak_tier",
|
|
severity: "warn",
|
|
title: "Some configured models are below recommended tiers",
|
|
detail:
|
|
"Smaller/older models are generally more susceptible to prompt injection and tool misuse.\n" +
|
|
lines +
|
|
more,
|
|
remediation:
|
|
"Use the latest, top-tier model for any bot with tools or untrusted inboxes. Avoid Haiku tiers; prefer GPT-5+ and Claude 4.5+.",
|
|
});
|
|
}
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectExposureMatrixFindings(cfg: OpenClawConfig): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const openGroups = listGroupPolicyOpen(cfg);
|
|
if (openGroups.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
const elevatedEnabled = cfg.tools?.elevated?.enabled !== false;
|
|
if (elevatedEnabled) {
|
|
findings.push({
|
|
checkId: "security.exposure.open_groups_with_elevated",
|
|
severity: "critical",
|
|
title: "Open groupPolicy with elevated tools enabled",
|
|
detail:
|
|
`Found groupPolicy="open" at:\n${openGroups.map((p) => `- ${p}`).join("\n")}\n` +
|
|
"With tools.elevated enabled, a prompt injection in those rooms can become a high-impact incident.",
|
|
remediation: `Set groupPolicy="allowlist" and keep elevated allowlists extremely tight.`,
|
|
});
|
|
}
|
|
|
|
const { riskyContexts, hasRuntimeRisk } = collectRiskyToolExposureContexts(cfg);
|
|
|
|
if (riskyContexts.length > 0) {
|
|
findings.push({
|
|
checkId: "security.exposure.open_groups_with_runtime_or_fs",
|
|
severity: hasRuntimeRisk ? "critical" : "warn",
|
|
title: "Open groupPolicy with runtime/filesystem tools exposed",
|
|
detail:
|
|
`Found groupPolicy="open" at:\n${openGroups.map((p) => `- ${p}`).join("\n")}\n` +
|
|
`Risky tool exposure contexts:\n${riskyContexts.map((line) => `- ${line}`).join("\n")}\n` +
|
|
"Prompt injection in open groups can trigger command/file actions in these contexts.",
|
|
remediation:
|
|
'For open groups, prefer tools.profile="messaging" (or deny group:runtime/group:fs), set tools.fs.workspaceOnly=true, and use agents.defaults.sandbox.mode="all" for exposed agents.',
|
|
});
|
|
}
|
|
|
|
return findings;
|
|
}
|
|
|
|
export function collectLikelyMultiUserSetupFindings(cfg: OpenClawConfig): SecurityAuditFinding[] {
|
|
const findings: SecurityAuditFinding[] = [];
|
|
const signals = listPotentialMultiUserSignals(cfg);
|
|
if (signals.length === 0) {
|
|
return findings;
|
|
}
|
|
|
|
const { riskyContexts, hasRuntimeRisk } = collectRiskyToolExposureContexts(cfg);
|
|
const impactLine = hasRuntimeRisk
|
|
? "Runtime/process tools are exposed without full sandboxing in at least one context."
|
|
: "No unguarded runtime/process tools were detected by this heuristic.";
|
|
const riskyContextsDetail =
|
|
riskyContexts.length > 0
|
|
? `Potential high-impact tool exposure contexts:\n${riskyContexts.map((line) => `- ${line}`).join("\n")}`
|
|
: "No unguarded runtime/filesystem contexts detected.";
|
|
|
|
findings.push({
|
|
checkId: "security.trust_model.multi_user_heuristic",
|
|
severity: "warn",
|
|
title: "Potential multi-user setup detected (personal-assistant model warning)",
|
|
detail:
|
|
"Heuristic signals indicate this gateway may be reachable by multiple users:\n" +
|
|
signals.map((signal) => `- ${signal}`).join("\n") +
|
|
`\n${impactLine}\n${riskyContextsDetail}\n` +
|
|
"OpenClaw's default security model is personal-assistant (one trusted operator boundary), not hostile multi-tenant isolation on one shared gateway.",
|
|
remediation:
|
|
'If users may be mutually untrusted, split trust boundaries (separate gateways + credentials, ideally separate OS users/hosts). If you intentionally run shared-user access, set agents.defaults.sandbox.mode="all", keep tools.fs.workspaceOnly=true, deny runtime/fs/web tools unless required, and keep personal/private identities + credentials off that runtime.',
|
|
});
|
|
|
|
return findings;
|
|
}
|