vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 01:00:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d1630ced14431c3dbd180c1433f1389d99e0612e
openclaw/src/plugin-sdk/security-runtime.ts
Jesse Merhi a9377fe667 Harden browser download output writes (#78780) 
Summary:
- The PR exports `ensureAbsoluteDirectory` through the fs-safe/SDK runtime facades and routes browser download ... through safe output directory/file helpers with focused tests, a changelog entry, and SDK API hash updates.
- Reproducibility: yes. at source level: current main creates browser download/output roots with raw recursive ... jection coverage for that path. I did not run a live browser runtime reproduction in this read-only review.

Automerge notes:
- PR branch already contained follow-up commit before automerge: fix(browser): use fs-safe output directory helper
- PR branch already contained follow-up commit before automerge: docs(changelog): mention browser fs-safe hardening
- PR branch already contained follow-up commit before automerge: fix(browser): harden download output writes

Validation:
- ClawSweeper review passed for head a9c9570f66.
- Required merge gates passed before the squash merge.

Prepared head SHA: a9c9570f66
Review: https://github.com/openclaw/openclaw/pull/78780#issuecomment-4394146682

Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
2026-05-08 05:57:23 +00:00

137 lines
4.4 KiB
TypeScript
Raw Blame History

// Public security/policy helpers for plugins that need shared trust and DM gating logic.
import { root as fsRoot, type OpenResult } from "../infra/fs-safe.js";
export * from "../secrets/channel-secret-collector-runtime.js";
export * from "../secrets/runtime-shared.js";
export * from "../secrets/shared.js";
export type * from "../secrets/target-registry-types.js";
export * from "../security/channel-metadata.js";
export * from "../security/context-visibility.js";
export * from "../security/dm-policy-shared.js";
export {
ACCESS_GROUP_ALLOW_FROM_PREFIX,
expandAllowFromWithAccessGroups,
parseAccessGroupAllowFromEntry,
resolveAccessGroupAllowFromMatches,
type AccessGroupMembershipResolver,
} from "./access-groups.js";
export * from "../security/external-content.js";
export * from "../security/safe-regex.js";
export {
appendRegularFile,
appendRegularFileSync,
FsSafeError,
FsSafeError as SafeOpenError,
openLocalFileSafely,
pathExists,
pathExistsSync,
readRegularFile,
resolveLocalPathFromRootsSync,
readRegularFileSync,
resolveRegularFileAppendFlags,
root,
statRegularFileSync,
writeExternalFileWithinRoot,
withTimeout,
type ExternalFileWriteOptions,
type ExternalFileWriteResult,
type FsSafeErrorCode as SafeOpenErrorCode,
} from "../infra/fs-safe.js";
export async function openFileWithinRoot(params: {
rootDir: string;
relativePath: string;
rejectHardlinks?: boolean;
nonBlockingRead?: boolean;
allowSymlinkTargetWithinRoot?: boolean;
}): Promise<OpenResult> {
const root = await fsRoot(params.rootDir);
return await root.open(params.relativePath, {
hardlinks: params.rejectHardlinks === false ? "allow" : "reject",
nonBlockingRead: params.nonBlockingRead,
symlinks: params.allowSymlinkTargetWithinRoot === true ? "follow-within-root" : "reject",
});
}
export async function writeFileFromPathWithinRoot(params: {
rootDir: string;
relativePath: string;
sourcePath: string;
mkdir?: boolean;
}): Promise<void> {
const root = await fsRoot(params.rootDir);
await root.copyIn(params.relativePath, params.sourcePath, {
mkdir: params.mkdir,
sourceHardlinks: "reject",
});
}
export { extractErrorCode, formatErrorMessage } from "../infra/errors.js";
export { hasProxyEnvConfigured } from "../infra/net/proxy-env.js";
export { normalizeHostname } from "../infra/net/hostname.js";
export {
SsrFBlockedError,
isBlockedHostnameOrIp,
isPrivateNetworkAllowedByPolicy,
matchesHostnameAllowlist,
resolvePinnedHostnameWithPolicy,
type LookupFn,
type SsrFPolicy,
} from "../infra/net/ssrf.js";
export { isNotFoundPathError, isPathInside } from "../infra/path-guards.js";
export {
assertAbsolutePathInput,
canonicalPathFromExistingAncestor,
ensureAbsoluteDirectory,
findExistingAncestor,
resolveAbsolutePathForRead,
resolveAbsolutePathForWrite,
type AbsolutePathSymlinkPolicy,
type EnsureAbsoluteDirectoryOptions,
type EnsureAbsoluteDirectoryResult,
type ResolvedAbsolutePath,
type ResolvedWritableAbsolutePath,
} from "../infra/fs-safe.js";
export { sanitizeUntrustedFileName } from "../infra/fs-safe-advanced.js";
export {
privateFileStore,
privateFileStoreSync,
type PrivateFileStore,
} from "../infra/private-file-store.js";
export {
movePathWithCopyFallback,
replaceFileAtomic,
replaceFileAtomicSync,
type MovePathWithCopyFallbackOptions,
type ReplaceFileAtomicFileSystem,
type ReplaceFileAtomicOptions,
type ReplaceFileAtomicResult,
type ReplaceFileAtomicSyncFileSystem,
type ReplaceFileAtomicSyncOptions,
} from "../infra/replace-file.js";
export {
writeSiblingTempFile,
type WriteSiblingTempFileOptions,
type WriteSiblingTempFileResult,
} from "../infra/sibling-temp-file.js";
export {
assertNoSymlinkParents,
assertNoSymlinkParentsSync,
type AssertNoSymlinkParentsOptions,
} from "../infra/fs-safe-advanced.js";
export { ensurePortAvailable } from "../infra/ports.js";
export { generateSecureToken } from "../infra/secure-random.js";
export {
resolveExistingPathsWithinRoot,
pathScope,
resolvePathsWithinRoot,
resolvePathWithinRoot,
resolveStrictExistingPathsWithinRoot,
resolveWritablePathWithinRoot,
} from "../infra/root-paths.js";
export { writeViaSiblingTempPath } from "../infra/fs-safe-advanced.js";
export { resolvePreferredOpenClawTmpDir } from "../infra/tmp-openclaw-dir.js";
export { redactSensitiveText } from "../logging/redact.js";
export { safeEqualSecret } from "../security/secret-equal.js";
Reference in New Issue View Git Blame Copy Permalink