openclaw/src/security at f1e1ad73ade498a4c988f23e11895648272d7459 - openclaw - Gitea: Git with a cup of tea

vultr/openclaw

mirror of https://github.com/openclaw/openclaw.git synced 2026-04-08 07:41:08 +00:00

Files

History

David Rudduck f1e1ad73ad fix(security): SHA-256 hash before timingSafeEqual to prevent length leak (#20856 )

The previous implementation returned early when buffer lengths differed,
leaking the expected secret's length via timing side-channel. Hashing both
inputs with SHA-256 before comparison ensures fixed-length buffers and
constant-time comparison regardless of input lengths.

2026-02-19 03:16:35 -08:00

..

audit-channel.ts

refactor(security): share DM allowlist state resolver

2026-02-18 23:58:11 +00:00

audit-extra.async.ts

refactor(security): share installed plugin directory scan helper

2026-02-19 00:29:07 +00:00

audit-extra.sync.test.ts

perf(test): fold secret equality assertions into audit extra suite

2026-02-16 00:18:27 +00:00

audit-extra.sync.ts

fix: enforce hooks token separation from gateway auth (#20813 )

2026-02-19 02:48:08 -08:00

audit-extra.ts

fix(security): harden sandbox docker config validation

2026-02-16 03:04:06 +01:00

audit-fs.ts

Doctor/Security: fix telegram numeric ID + symlink config permission warnings (#19844 )

2026-02-18 00:09:51 -08:00

audit-tool-policy.ts

refactor(core): dedupe tool policy and IPv4 matcher logic

2026-02-16 16:14:54 +00:00

audit.test.ts

fix(security): block plaintext WebSocket connections to non-loopback addresses (#20803 )

2026-02-19 03:13:08 -08:00

audit.ts

Doctor/Security: fix telegram numeric ID + symlink config permission warnings (#19844 )

2026-02-18 00:09:51 -08:00

channel-metadata.ts

fix(security): separate untrusted channel metadata from system prompt (thanks @KonstantinMirin)

2026-02-03 23:02:45 -08:00

dangerous-tools.ts

refactor(security): centralize dangerous tool lists

2026-02-14 13:27:05 +01:00

dm-policy-shared.test.ts

refactor(security): share DM allowlist state resolver

2026-02-18 23:58:11 +00:00

dm-policy-shared.ts

refactor(security): share DM allowlist state resolver

2026-02-18 23:58:11 +00:00

external-content.test.ts

refactor(core): dedupe shared config and runtime helpers

2026-02-16 14:59:30 +00:00

external-content.ts

fix(security): handle additional Unicode angle bracket homoglyphs in content sanitization (#14665 )

2026-02-13 16:18:54 +01:00

fix.test.ts

refactor(core): dedupe shared config and runtime helpers

2026-02-16 14:59:30 +00:00

fix.ts

style: align formatting with oxfmt 0.33

2026-02-18 01:34:35 +00:00

scan-paths.ts

refactor(security): share scan path helpers

2026-02-15 04:29:18 +00:00

secret-equal.ts

fix(security): SHA-256 hash before timingSafeEqual to prevent length leak (#20856 )

2026-02-19 03:16:35 -08:00

skill-scanner.test.ts

security: add skill/plugin code safety scanner (#9806 )

2026-02-05 16:06:11 -08:00

skill-scanner.ts

refactor(security): reuse shared scan path containment helper

2026-02-19 00:20:15 +00:00

windows-acl.test.ts

fix: stabilize windows acl tests and command auth registry (#9335 ) (thanks @M00N7682)

2026-02-05 00:38:35 -08:00

windows-acl.ts

chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.

2026-02-01 10:03:47 +09:00