mirror of
https://github.com/openclaw/openclaw.git
synced 2026-04-14 10:41:23 +00:00
* fix(sandbox): enforce CDP source-range restriction by default

Auto-derive CDP_SOURCE_RANGE from Docker network gateway IP when not explicitly configured. The entrypoint script refuses to start the socat CDP relay without a source range (fail-closed).

- readDockerNetworkGateway: use Go template println, filter <no value> sentinel, prefer IPv4 gateway on dual-stack networks
- Reject IPv6-only gateways for auto-derivation (relay binds IPv4)
- Remove stale browser_cdp_bridge_unrestricted audit check (runtime auto-derives range for all bridge-like networks)
- Bump SANDBOX_BROWSER_SECURITY_HASH_EPOCH to force container recreation

* chore(changelog): add sandbox CDP source-range entry

* fix(sandbox): gate CDP source-range derivation to bridge-style networks

Only auto-derive OPENCLAW_BROWSER_CDP_SOURCE_RANGE from the Docker gateway IP for bridge networks (or when driver is unknown). Non-bridge drivers (macvlan, ipvlan, overlay) may route traffic from different source IPs, so they require explicit cdpSourceRange config.

Adds readDockerNetworkDriver helper and a regression test for macvlan.

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
5.9 KiB
Executable File