This commit implements critical security fixes for vulnerability OC-22 (CVSS 7.7, CWE-426) in the skill packaging system. ## Security Fixes 1. Symlink Detection and Rejection - Added check to detect and reject symlinks in skill directories - Prevents attackers from including arbitrary system files via symlink following - Rejects packaging with error message if any symlink is found 2. Path Traversal (Zip Slip) Prevention - Added validation for arcname paths in zip archives - Rejects paths containing ".." (directory traversal) - Rejects absolute paths that could escape skill directory - Prevents attackers from overwriting system files during extraction ## Attack Vectors Mitigated - Symlink following: Attacker creates symlink to /etc/passwd or other sensitive files in skill directory → now rejected - Zip Slip: Attacker crafts paths with "../../root/.bashrc" to overwrite system files during extraction → now rejected ## Changes - Modified: skills/skill-creator/scripts/package_skill.py - Added symlink check (line 73-76) - Added path validation check (line 84-87) - Enhanced error messages for security violations - Added: skills/skill-creator/scripts/test_package_skill.py - Comprehensive test suite with 11 test cases - Tests for symlink rejection - Tests for path traversal prevention - Tests for normal file packaging - Tests for edge cases (nested files, multiple files, large skills) ## Testing All 11 tests pass: - test_normal_file_packaging: Normal files packaged correctly - test_symlink_rejection: Symlinks detected and rejected - test_symlink_to_sensitive_file: Sensitive file symlinks rejected - test_zip_slip_prevention: Normal subdirectories work properly - test_absolute_path_prevention: Path validation logic tested - test_nested_files_allowed: Properly nested files allowed - test_multiple_files_with_symlink_mixed: Single symlink fails entire package - test_large_skill_with_many_files: Large skills handled correctly - test_missing_skill_directory: Error handling 
verified - test_file_instead_of_directory: Error handling verified - test_missing_skill_md: Error handling verified
#!/usr/bin/env python3
"""
|
|
Skill Packager - Creates a distributable .skill file of a skill folder
|
|
|
|
Usage:
|
|
python utils/package_skill.py <path/to/skill-folder> [output-directory]
|
|
|
|
Example:
|
|
python utils/package_skill.py skills/public/my-skill
|
|
python utils/package_skill.py skills/public/my-skill ./dist
|
|
"""
import contextlib
import sys
import zipfile
from pathlib import Path

from quick_validate import validate_skill
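def package_skill(skill_path, output_dir=None):
    """
    Package a skill folder into a .skill file.

    The archive is a zip (ZIP_DEFLATED) whose member names are rooted at the
    skill folder's own name, e.g. ``my-skill/SKILL.md``.

    Args:
        skill_path: Path to the skill folder
        output_dir: Optional output directory for the .skill file (defaults to current directory)

    Returns:
        Path to the created .skill file, or None if error

    Security notes:
        - Any symlink inside the skill folder aborts packaging, so an archive
          member can never be sourced from outside the folder. Hard links are
          not detected by this check.
        - Every member name is rejected if it contains a ".." component or is
          absolute, so a consumer that extracts the archive naively is never
          handed a Zip Slip path.
        - When packaging aborts, the partially written .skill file is removed
          so a truncated archive is not left behind looking like a good one.
    """
    skill_path = Path(skill_path).resolve()

    # Validate skill folder exists
    if not skill_path.exists():
        print(f"[ERROR] Skill folder not found: {skill_path}")
        return None

    if not skill_path.is_dir():
        print(f"[ERROR] Path is not a directory: {skill_path}")
        return None

    # Validate SKILL.md exists
    skill_md = skill_path / "SKILL.md"
    if not skill_md.exists():
        print(f"[ERROR] SKILL.md not found in {skill_path}")
        return None

    # Run validation before packaging
    print("Validating skill...")
    valid, message = validate_skill(skill_path)
    if not valid:
        print(f"[ERROR] Validation failed: {message}")
        print(" Please fix the validation errors before packaging.")
        return None
    print(f"[OK] {message}\n")

    # Determine output location
    skill_name = skill_path.name
    if output_dir:
        output_path = Path(output_dir).resolve()
        output_path.mkdir(parents=True, exist_ok=True)
    else:
        output_path = Path.cwd()

    skill_filename = output_path / f"{skill_name}.skill"

    # Create the .skill file (zip format). Opening is separated from writing so
    # that cleanup below only ever removes a file this call actually created.
    try:
        zipf = zipfile.ZipFile(skill_filename, "w", zipfile.ZIP_DEFLATED)
    except Exception as e:
        print(f"[ERROR] Error creating .skill file: {e}")
        return None

    completed = False
    try:
        # The walk runs inside the `with` so the archive is closed before any
        # cleanup touches it (unlinking an open file fails on Windows).
        with zipf:
            completed = _add_skill_files(zipf, skill_path, skill_filename)
    except Exception as e:
        print(f"[ERROR] Error creating .skill file: {e}")

    if not completed:
        # A security check or write failed mid-walk; do not leave a half-built
        # archive behind that would otherwise pass as a valid .skill file.
        _discard_partial_archive(skill_filename)
        return None

    print(f"\n[OK] Successfully packaged skill to: {skill_filename}")
    return skill_filename


def _add_skill_files(zipf, skill_path, skill_filename):
    """
    Write every regular file under *skill_path* into the open archive *zipf*.

    Args:
        zipf: An open, writable zipfile.ZipFile
        skill_path: Resolved path to the skill folder being packaged
        skill_filename: Path of the archive being written; skipped if the walk
            finds it (it lies inside the skill folder when that is the output dir)

    Returns:
        True when every file was added, False when a security check rejected
        the folder (the error has already been printed)
    """
    for file_path in skill_path.rglob("*"):
        # Security Check 1: Reject symlinks to prevent supply chain attacks.
        # Checked on every entry, directories included, so a symlinked
        # directory is rejected rather than having its contents packaged.
        if file_path.is_symlink():
            print(f"[ERROR] Symlinks are not allowed in skills: {file_path}")
            print(" This is a security restriction to prevent including arbitrary files.")
            return False

        if not file_path.is_file():
            continue

        # Never add the archive to itself; the walk finds it when the output
        # directory (or the current directory) is the skill folder.
        if file_path == skill_filename:
            continue

        # Calculate the relative path within the zip
        arcname = file_path.relative_to(skill_path.parent)

        # Security Check 2: Validate arcname to prevent Zip Slip attacks.
        # rglob() on a resolved folder does not produce these today, so this is
        # defence in depth against future changes to how members are named.
        if ".." in arcname.parts or arcname.is_absolute():
            print(f"[ERROR] Invalid path in skill (possible Zip Slip attack): {arcname}")
            print(" Paths with '..' or absolute paths are not allowed.")
            return False

        zipf.write(file_path, arcname)
        print(f" Added: {arcname}")

    return True


def _discard_partial_archive(skill_filename):
    """Best-effort removal of an incomplete archive; a missing file or unlink error is ignored."""
    with contextlib.suppress(OSError):
        skill_filename.unlink()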
def main():
    """
    Command-line entry point: package the skill folder named on the command line.

    Exits with status 0 on success and 1 on a usage error or packaging failure.
    """
    args = sys.argv[1:]
    if not args:
        print("Usage: python utils/package_skill.py <path/to/skill-folder> [output-directory]")
        print("\nExample:")
        print(" python utils/package_skill.py skills/public/my-skill")
        print(" python utils/package_skill.py skills/public/my-skill ./dist")
        sys.exit(1)

    skill_path = args[0]
    output_dir = args[1] if len(args) > 1 else None

    print(f"Packaging skill: {skill_path}")
    if output_dir:
        print(f" Output directory: {output_dir}")
    print()

    # package_skill prints its own diagnostics; only the exit status is ours.
    result = package_skill(skill_path, output_dir)
    sys.exit(0 if result else 1)
# Script entry point: `python package_skill.py <skill-folder> [output-dir]`.
if __name__ == "__main__":
    main()