diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cdfbae73..7d42cd8ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -109,22 +109,23 @@ Docs: https://docs.openclaw.ai - macOS/Build: default release packaging to `BUNDLE_ID=ai.openclaw.mac` in `scripts/package-mac-dist.sh`, so Sparkle feed URL is retained and auto-update no longer fails with an empty appcast feed. (#19750) thanks @loganprit. - Signal/Outbound: preserve case for Base64 group IDs during outbound target normalization so cross-context routing and policy checks no longer break when group IDs include uppercase characters. (#5578) Thanks @heyhudson. - Anthropic/Agents: preserve required pi-ai default OAuth beta headers when `context1m` injects `anthropic-beta`, preventing 401 auth failures for `sk-ant-oat-*` tokens. (#19789, fixes #19769) Thanks @minupla. -- Security/Exec: block unquoted heredoc body expansion tokens in shell allowlist analysis, reject unterminated heredocs, and require explicit approval for allowlisted heredoc execution on gateway hosts to prevent heredoc substitution allowlist bypass. This ships in the next npm release. Thanks @torturado for reporting. -- WhatsApp/Security: enforce allowlist JID authorization for reaction actions so authenticated callers cannot target non-allowlisted chats by forging `chatJid` + valid `messageId` pairs. This ships in the next npm release. Thanks @aether-ai-agent for reporting. -- ACP/Security: escape control and delimiter characters in ACP `resource_link` title/URI metadata before prompt interpolation to prevent metadata-driven prompt injection through resource links. This ships in the next npm release. Thanks @aether-ai-agent for reporting. -- TTS/Security: make model-driven provider switching opt-in by default (`messages.tts.modelOverrides.allowProvider=false` unless explicitly enabled), while keeping voice/style overrides available, to reduce prompt-injection-driven provider hops and unexpected TTS cost escalation. This ships in the next npm release. Thanks @aether-ai-agent for reporting. -- Security/Agents: keep overflow compaction retry budgeting global across tool-result truncation recovery so successful truncation cannot reset the overflow retry counter and amplify retry/cost cycles. This ships in the next npm release. Thanks @aether-ai-agent for reporting. +- Security/Exec: block unquoted heredoc body expansion tokens in shell allowlist analysis, reject unterminated heredocs, and require explicit approval for allowlisted heredoc execution on gateway hosts to prevent heredoc substitution allowlist bypass. Thanks @torturado for reporting. +- macOS/Security: evaluate `system.run` allowlists per shell segment in macOS node runtime and companion exec host (including chained shell operators), fail closed on shell/process substitution parsing, and require explicit approval on unsafe parse cases to prevent allowlist bypass via `rawCommand` chaining. Thanks @tdjackey for reporting. +- WhatsApp/Security: enforce allowlist JID authorization for reaction actions so authenticated callers cannot target non-allowlisted chats by forging `chatJid` + valid `messageId` pairs. Thanks @aether-ai-agent for reporting. +- ACP/Security: escape control and delimiter characters in ACP `resource_link` title/URI metadata before prompt interpolation to prevent metadata-driven prompt injection through resource links. Thanks @aether-ai-agent for reporting. +- TTS/Security: make model-driven provider switching opt-in by default (`messages.tts.modelOverrides.allowProvider=false` unless explicitly enabled), while keeping voice/style overrides available, to reduce prompt-injection-driven provider hops and unexpected TTS cost escalation. Thanks @aether-ai-agent for reporting. +- Security/Agents: keep overflow compaction retry budgeting global across tool-result truncation recovery so successful truncation cannot reset the overflow retry counter and amplify retry/cost cycles. Thanks @aether-ai-agent for reporting. - BlueBubbles/Security: require webhook token authentication for all BlueBubbles webhook requests (including loopback/proxied setups), removing passwordless webhook fallback behavior. Thanks @zpbrent. - iOS/Security: force `https://` for non-loopback manual gateway hosts during iOS onboarding to block insecure remote transport URLs. (#21969) Thanks @mbelinky. - Gateway/Security: remove shared-IP fallback for canvas endpoints and require token or session capability for canvas access. Thanks @thewilloftheshadow. -- Gateway/Security: require secure context and paired-device checks for Control UI auth even when `gateway.controlUi.allowInsecureAuth` is set, and align audit messaging with the hardened behavior. This ships in the next npm release. (#20684) Thanks @coygeek and @Vasco0x4 for reporting. -- Gateway/Security: scope tokenless Tailscale forwarded-header auth to Control UI websocket auth only, so HTTP gateway routes still require token/password even on trusted hosts. This ships in the next npm release. Thanks @zpbrent for reporting. +- Gateway/Security: require secure context and paired-device checks for Control UI auth even when `gateway.controlUi.allowInsecureAuth` is set, and align audit messaging with the hardened behavior. (#20684) Thanks @coygeek and @Vasco0x4 for reporting. +- Gateway/Security: scope tokenless Tailscale forwarded-header auth to Control UI websocket auth only, so HTTP gateway routes still require token/password even on trusted hosts. Thanks @zpbrent for reporting. - Docker/Security: run E2E and install-sh test images as non-root by adding appuser directives. Thanks @thewilloftheshadow. - Skills/Security: sanitize skill env overrides to block unsafe runtime injection variables and only allow sensitive keys when declared in skill metadata, with warnings for suspicious values. Thanks @thewilloftheshadow. - Security/Commands: block prototype-key injection in runtime `/debug` overrides and require own-property checks for gated command flags (`bash`, `config`, `debug`) so inherited prototype values cannot enable privileged commands. Thanks @tdjackey for reporting. -- Security/Browser: block non-network browser navigation protocols (including `file:`, `data:`, and `javascript:`) while preserving `about:blank`, preventing local file reads via browser tool navigation. This ships in the next npm release. Thanks @q1uf3ng for reporting. -- Security/Exec: block shell startup-file env injection (`BASH_ENV`, `ENV`, `BASH_FUNC_*`, `LD_*`, `DYLD_*`) across config env ingestion, node-host inherited environment sanitization, and macOS exec host runtime to prevent pre-command execution from attacker-controlled environment variables. This ships in the next npm release. Thanks @tdjackey. -- Security/Exec (Windows): canonicalize `cmd.exe /c` command text across validation, approval binding, and audit/event rendering to prevent trailing-argument approval mismatches in `system.run`. This ships in the next npm release. Thanks @tdjackey for reporting. +- Security/Browser: block non-network browser navigation protocols (including `file:`, `data:`, and `javascript:`) while preserving `about:blank`, preventing local file reads via browser tool navigation. Thanks @q1uf3ng for reporting. +- Security/Exec: block shell startup-file env injection (`BASH_ENV`, `ENV`, `BASH_FUNC_*`, `LD_*`, `DYLD_*`) across config env ingestion, node-host inherited environment sanitization, and macOS exec host runtime to prevent pre-command execution from attacker-controlled environment variables. Thanks @tdjackey. +- Security/Exec (Windows): canonicalize `cmd.exe /c` command text across validation, approval binding, and audit/event rendering to prevent trailing-argument approval mismatches in `system.run`. Thanks @tdjackey for reporting. - Security/Gateway/Hooks: block `__proto__`, `constructor`, and `prototype` traversal in webhook template path resolution to prevent prototype-chain payload data leakage in `messageTemplate` rendering. (#22213) Thanks @SleuthCo. - Security/OpenClawKit/UI: prevent injected inbound user context metadata blocks from leaking into chat history in TUI, webchat, and macOS surfaces by stripping all untrusted metadata prefixes at display boundaries. (#22142) Thanks @Mellowambience, @vincentkoc. - Security/OpenClawKit/UI: strip inbound metadata blocks from user messages in TUI rendering while preserving user-authored content. (#22345) Thanks @kansodata, @vincentkoc. @@ -138,9 +139,9 @@ Docs: https://docs.openclaw.ai - Browser/Security: block upload path symlink escapes so browser upload sources cannot traverse outside the allowed workspace via symlinked paths. (#21972) Thanks @mbelinky. - Security/Dependencies: bump transitive `hono` usage to `4.11.10` to incorporate timing-safe authentication comparison hardening for `basicAuth`/`bearerAuth` (`GHSA-gq3j-xvxp-8hrf`). Thanks @vincentkoc. - Security/Gateway: parse `X-Forwarded-For` with trust-preserving semantics when requests come from configured trusted proxies, preventing proxy-chain spoofing from influencing client IP classification and rate-limit identity. Thanks @AnthonyDiSanti and @vincentkoc. -- Security/Sandbox: remove default `--no-sandbox` for the browser container entrypoint, add explicit opt-in via `OPENCLAW_BROWSER_NO_SANDBOX` / `CLAWDBOT_BROWSER_NO_SANDBOX`, and add security-audit checks for stale/missing sandbox browser Docker hash labels. This ships in the next npm release. Thanks @TerminalsandCoffee and @vincentkoc. -- Security/Sandbox Browser: require VNC password auth for noVNC observer sessions in the sandbox browser entrypoint, plumb per-container noVNC passwords from runtime, and emit short-lived noVNC observer token URLs while keeping loopback-only host port publishing. This ships in the next npm release. Thanks @TerminalsandCoffee for reporting. -- Security/Sandbox Browser: default browser sandbox containers to a dedicated Docker network (`openclaw-sandbox-browser`), add optional CDP ingress source-range restrictions, auto-create missing dedicated networks, and warn in `openclaw security --audit` when browser sandboxing runs on bridge without source-range limits. This ships in the next npm release. Thanks @TerminalsandCoffee for reporting. +- Security/Sandbox: remove default `--no-sandbox` for the browser container entrypoint, add explicit opt-in via `OPENCLAW_BROWSER_NO_SANDBOX` / `CLAWDBOT_BROWSER_NO_SANDBOX`, and add security-audit checks for stale/missing sandbox browser Docker hash labels. Thanks @TerminalsandCoffee and @vincentkoc. +- Security/Sandbox Browser: require VNC password auth for noVNC observer sessions in the sandbox browser entrypoint, plumb per-container noVNC passwords from runtime, and emit short-lived noVNC observer token URLs while keeping loopback-only host port publishing. Thanks @TerminalsandCoffee for reporting. +- Security/Sandbox Browser: default browser sandbox containers to a dedicated Docker network (`openclaw-sandbox-browser`), add optional CDP ingress source-range restrictions, auto-create missing dedicated networks, and warn in `openclaw security --audit` when browser sandboxing runs on bridge without source-range limits. Thanks @TerminalsandCoffee for reporting. ## 2026.2.19 @@ -192,8 +193,8 @@ Docs: https://docs.openclaw.ai - OTEL/diagnostics-otel: complete OpenTelemetry v2 API migration. (#12897) Thanks @vincentkoc. - Cron/Webhooks: protect cron webhook POST delivery with SSRF-guarded outbound fetch (`fetchWithSsrFGuard`) to block private/metadata destinations before request dispatch. Thanks @Adam55A-code. - Security/Voice Call: harden `voice-call` telephony TTS override merging by blocking unsafe deep-merge keys (`__proto__`, `prototype`, `constructor`) and add regression coverage for top-level and nested prototype-pollution payloads. -- Security/Windows Daemon: harden Scheduled Task `gateway.cmd` generation by quoting cmd metacharacter arguments, escaping `%`/`!` expansions, and rejecting CR/LF in arguments, descriptions, and environment assignments (`set "KEY=VALUE"`), preventing command injection in Windows daemon startup scripts. This ships in the next npm release. Thanks @tdjackey for reporting. -- Security/Gateway/Canvas: replace shared-IP fallback auth with node-scoped session capability URLs for `/__openclaw__/canvas/*` and `/__openclaw__/a2ui/*`, fail closed when trusted-proxy requests omit forwarded client headers, and add IPv6/proxy-header regression coverage. This ships in the next npm release. Thanks @aether-ai-agent for reporting. +- Security/Windows Daemon: harden Scheduled Task `gateway.cmd` generation by quoting cmd metacharacter arguments, escaping `%`/`!` expansions, and rejecting CR/LF in arguments, descriptions, and environment assignments (`set "KEY=VALUE"`), preventing command injection in Windows daemon startup scripts. Thanks @tdjackey for reporting. +- Security/Gateway/Canvas: replace shared-IP fallback auth with node-scoped session capability URLs for `/__openclaw__/canvas/*` and `/__openclaw__/a2ui/*`, fail closed when trusted-proxy requests omit forwarded client headers, and add IPv6/proxy-header regression coverage. Thanks @aether-ai-agent for reporting. - Security/Net: enforce strict dotted-decimal IPv4 literals in SSRF checks and fail closed on unsupported legacy forms (octal/hex/short/packed, for example `0177.0.0.1`, `127.1`, `2130706433`) before DNS lookup. - Security/Discord: enforce trusted-sender guild permission checks for moderation actions (`timeout`, `kick`, `ban`) and ignore untrusted `senderUserId` params to prevent privilege escalation in tool-driven flows. Thanks @aether-ai-agent for reporting. - Security/ACP+Exec: add `openclaw acp --token-file/--password-file` secret-file support (with inline secret flag warnings), redact ACP working-directory prefixes to `~` home-relative paths, constrain exec script preflight file inspection to the effective `workdir` boundary, and add security-audit warnings when `tools.exec.host="sandbox"` is configured while sandbox mode is off. @@ -221,10 +222,10 @@ Docs: https://docs.openclaw.ai - Security/Media: harden local media ingestion against TOCTOU/symlink swap attacks by pinning reads to a single file descriptor with symlink rejection and inode/device verification in `saveMediaSource`. Thanks @dorjoos for reporting. - Security/Lobster (Windows): for the next npm release, remove shell-based fallback when launching Lobster wrappers (`.cmd`/`.bat`) and switch to explicit argv execution with wrapper entrypoint resolution, preventing command injection while preserving Windows wrapper compatibility. Thanks @allsmog for reporting. - Security/Exec: require `tools.exec.safeBins` binaries to resolve from trusted bin directories (system defaults plus gateway startup `PATH`) so PATH-hijacked trojan binaries cannot bypass allowlist checks. Thanks @jackhax for reporting. -- Security/Exec: remove file-existence oracle behavior from `tools.exec.safeBins` by using deterministic argv-only stdin-safe validation and blocking file-oriented flags (for example `sort -o`, `jq -f`, `grep -f`) so allow/deny results no longer disclose host file presence. This ships in the next npm release. Thanks @nedlir for reporting. -- Security/Browser: route browser URL navigation through one SSRF-guarded validation path for tab-open/CDP-target/Playwright navigation flows and block private/metadata destinations by default (configurable via `browser.ssrfPolicy`). This ships in the next npm release. Thanks @dorjoos for reporting. +- Security/Exec: remove file-existence oracle behavior from `tools.exec.safeBins` by using deterministic argv-only stdin-safe validation and blocking file-oriented flags (for example `sort -o`, `jq -f`, `grep -f`) so allow/deny results no longer disclose host file presence. Thanks @nedlir for reporting. +- Security/Browser: route browser URL navigation through one SSRF-guarded validation path for tab-open/CDP-target/Playwright navigation flows and block private/metadata destinations by default (configurable via `browser.ssrfPolicy`). Thanks @dorjoos for reporting. - Security/Exec: for the next npm release, harden safe-bin stdin-only enforcement by blocking output/recursive flags (`sort -o/--output`, grep recursion) and tightening default safe bins to remove `sort`/`grep`, preventing safe-bin allowlist bypass for file writes/recursive reads. Thanks @nedlir for reporting. -- Security/Exec: block grep safe-bin positional operand bypass by setting grep positional budget to zero, so `-e/--regexp` cannot smuggle bare filename reads (for example `.env`) via ambiguous positionals; safe-bin grep patterns must come from `-e/--regexp`. This ships in the next npm release. Thanks @athuljayaram for reporting. +- Security/Exec: block grep safe-bin positional operand bypass by setting grep positional budget to zero, so `-e/--regexp` cannot smuggle bare filename reads (for example `.env`) via ambiguous positionals; safe-bin grep patterns must come from `-e/--regexp`. Thanks @athuljayaram for reporting. - Security/Gateway/Agents: remove implicit admin scopes from agent tool gateway calls by classifying methods to least-privilege operator scopes, and enforce owner-only tooling (`cron`, `gateway`, `whatsapp_login`) through centralized tool-policy wrappers plus tool metadata to prevent non-owner DM privilege escalation. Ships in the next npm release. Thanks @Adam55A-code for reporting. - Security/Gateway: centralize gateway method-scope authorization and default non-CLI gateway callers to least-privilege method scopes, with explicit CLI scope handling, full core-handler scope classification coverage, and regression guards to prevent scope drift. - Security/Net: block SSRF bypass via NAT64 (`64:ff9b::/96`, `64:ff9b:1::/48`), 6to4 (`2002::/16`), and Teredo (`2001:0000::/32`) IPv6 transition addresses, and fail closed on IPv6 parse errors. Thanks @jackhax. diff --git a/apps/macos/Sources/OpenClaw/CameraCaptureService.swift b/apps/macos/Sources/OpenClaw/CameraCaptureService.swift index 24717ec55..4e3749d6a 100644 --- a/apps/macos/Sources/OpenClaw/CameraCaptureService.swift +++ b/apps/macos/Sources/OpenClaw/CameraCaptureService.swift @@ -357,8 +357,8 @@ private final class PhotoCaptureDelegate: NSObject, AVCapturePhotoCaptureDelegat func photoOutput( _ output: AVCapturePhotoOutput, didFinishProcessingPhoto photo: AVCapturePhoto, - error: Error? - ) { + error: Error?) + { guard !self.didResume, let cont else { return } self.didResume = true self.cont = nil @@ -380,8 +380,8 @@ private final class PhotoCaptureDelegate: NSObject, AVCapturePhotoCaptureDelegat func photoOutput( _ output: AVCapturePhotoOutput, didFinishCaptureFor resolvedSettings: AVCaptureResolvedPhotoSettings, - error: Error? - ) { + error: Error?) + { guard let error else { return } guard !self.didResume, let cont else { return } self.didResume = true diff --git a/apps/macos/Sources/OpenClaw/CoalescingFSEventsWatcher.swift b/apps/macos/Sources/OpenClaw/CoalescingFSEventsWatcher.swift index 7999123db..f9e38d811 100644 --- a/apps/macos/Sources/OpenClaw/CoalescingFSEventsWatcher.swift +++ b/apps/macos/Sources/OpenClaw/CoalescingFSEventsWatcher.swift @@ -16,8 +16,8 @@ final class CoalescingFSEventsWatcher: @unchecked Sendable { queueLabel: String, coalesceDelay: TimeInterval = 0.12, shouldNotify: @escaping (Int, UnsafeMutableRawPointer?) -> Bool = { _, _ in true }, - onChange: @escaping () -> Void - ) { + onChange: @escaping () -> Void) + { self.paths = paths self.queue = DispatchQueue(label: queueLabel) self.coalesceDelay = coalesceDelay @@ -92,8 +92,8 @@ extension CoalescingFSEventsWatcher { private func handleEvents( numEvents: Int, eventPaths: UnsafeMutableRawPointer?, - eventFlags: UnsafePointer? - ) { + eventFlags: UnsafePointer?) + { guard numEvents > 0 else { return } guard eventFlags != nil else { return } guard self.shouldNotify(numEvents, eventPaths) else { return } @@ -108,4 +108,3 @@ extension CoalescingFSEventsWatcher { } } } - diff --git a/apps/macos/Sources/OpenClaw/ExecApprovals.swift b/apps/macos/Sources/OpenClaw/ExecApprovals.swift index f6bc83925..2a58be39d 100644 --- a/apps/macos/Sources/OpenClaw/ExecApprovals.swift +++ b/apps/macos/Sources/OpenClaw/ExecApprovals.swift @@ -571,6 +571,40 @@ struct ExecCommandResolution: Sendable { return self.resolve(command: command, cwd: cwd, env: env) } + static func resolveForAllowlist( + command: [String], + rawCommand: String?, + cwd: String?, + env: [String: String]?) -> [ExecCommandResolution] + { + let shell = self.extractShellCommandFromArgv(command: command, rawCommand: rawCommand) + if shell.isWrapper { + guard let shellCommand = shell.command, + let segments = self.splitShellCommandChain(shellCommand) + else { + // Fail closed: if we cannot safely parse a shell wrapper payload, + // treat this as an allowlist miss and require approval. + return [] + } + var resolutions: [ExecCommandResolution] = [] + resolutions.reserveCapacity(segments.count) + for segment in segments { + guard let token = self.parseFirstToken(segment), + let resolution = self.resolveExecutable(rawExecutable: token, cwd: cwd, env: env) + else { + return [] + } + resolutions.append(resolution) + } + return resolutions + } + + guard let resolution = self.resolve(command: command, rawCommand: rawCommand, cwd: cwd, env: env) else { + return [] + } + return [resolution] + } + static func resolve(command: [String], cwd: String?, env: [String: String]?) -> ExecCommandResolution? { guard let raw = command.first?.trimmingCharacters(in: .whitespacesAndNewlines), !raw.isEmpty else { return nil @@ -619,6 +653,156 @@ struct ExecCommandResolution: Sendable { return trimmed.split(whereSeparator: { $0.isWhitespace }).first.map(String.init) } + private static func basenameLower(_ token: String) -> String { + let trimmed = token.trimmingCharacters(in: .whitespacesAndNewlines) + guard !trimmed.isEmpty else { return "" } + let normalized = trimmed.replacingOccurrences(of: "\\", with: "/") + return normalized.split(separator: "/").last.map { String($0).lowercased() } ?? normalized.lowercased() + } + + private static func extractShellCommandFromArgv( + command: [String], + rawCommand: String?) -> (isWrapper: Bool, command: String?) + { + guard let token0 = command.first?.trimmingCharacters(in: .whitespacesAndNewlines), !token0.isEmpty else { + return (false, nil) + } + let base0 = self.basenameLower(token0) + let trimmedRaw = rawCommand?.trimmingCharacters(in: .whitespacesAndNewlines) ?? "" + let preferredRaw = trimmedRaw.isEmpty ? nil : trimmedRaw + + if ["sh", "bash", "zsh", "dash", "ksh"].contains(base0) { + let flag = command.count > 1 ? command[1].trimmingCharacters(in: .whitespacesAndNewlines) : "" + guard flag == "-lc" || flag == "-c" else { return (false, nil) } + let payload = command.count > 2 ? command[2].trimmingCharacters(in: .whitespacesAndNewlines) : "" + let normalized = preferredRaw ?? (payload.isEmpty ? nil : payload) + return (true, normalized) + } + + if base0 == "cmd.exe" || base0 == "cmd" { + guard let idx = command + .firstIndex(where: { $0.trimmingCharacters(in: .whitespacesAndNewlines).lowercased() == "/c" }) + else { + return (false, nil) + } + let tail = command.suffix(from: command.index(after: idx)).joined(separator: " ") + let payload = tail.trimmingCharacters(in: .whitespacesAndNewlines) + let normalized = preferredRaw ?? (payload.isEmpty ? nil : payload) + return (true, normalized) + } + + return (false, nil) + } + + private static func splitShellCommandChain(_ command: String) -> [String]? { + let trimmed = command.trimmingCharacters(in: .whitespacesAndNewlines) + guard !trimmed.isEmpty else { return nil } + + var segments: [String] = [] + var current = "" + var inSingle = false + var inDouble = false + var escaped = false + let chars = Array(trimmed) + var idx = 0 + + func appendCurrent() -> Bool { + let segment = current.trimmingCharacters(in: .whitespacesAndNewlines) + guard !segment.isEmpty else { return false } + segments.append(segment) + current.removeAll(keepingCapacity: true) + return true + } + + while idx < chars.count { + let ch = chars[idx] + let next: Character? = idx + 1 < chars.count ? chars[idx + 1] : nil + + if escaped { + current.append(ch) + escaped = false + idx += 1 + continue + } + + if ch == "\\", !inSingle { + current.append(ch) + escaped = true + idx += 1 + continue + } + + if ch == "'", !inDouble { + inSingle.toggle() + current.append(ch) + idx += 1 + continue + } + + if ch == "\"", !inSingle { + inDouble.toggle() + current.append(ch) + idx += 1 + continue + } + + if !inSingle, !inDouble { + if self.shouldFailClosedForUnquotedShell(ch: ch, next: next) { + // Fail closed on command/process substitution in allowlist mode. + return nil + } + let prev: Character? = idx > 0 ? chars[idx - 1] : nil + if let delimiterStep = self.chainDelimiterStep(ch: ch, prev: prev, next: next) { + guard appendCurrent() else { return nil } + idx += delimiterStep + continue + } + } + + current.append(ch) + idx += 1 + } + + if escaped || inSingle || inDouble { return nil } + guard appendCurrent() else { return nil } + return segments + } + + private static func shouldFailClosedForUnquotedShell(ch: Character, next: Character?) -> Bool { + if ch == "`" { + return true + } + if ch == "$", next == "(" { + return true + } + if ch == "<" || ch == ">", next == "(" { + return true + } + return false + } + + private static func chainDelimiterStep(ch: Character, prev: Character?, next: Character?) -> Int? { + if ch == ";" || ch == "\n" { + return 1 + } + if ch == "&" { + if next == "&" { + return 2 + } + // Keep fd redirections like 2>&1 or &>file intact. + let prevIsRedirect = prev == ">" + let nextIsRedirect = next == ">" + return (!prevIsRedirect && !nextIsRedirect) ? 1 : nil + } + if ch == "|" { + if next == "|" || next == "&" { + return 2 + } + return 1 + } + return nil + } + private static func searchPaths(from env: [String: String]?) -> [String] { let raw = env?["PATH"] if let raw, !raw.isEmpty { @@ -692,6 +876,22 @@ enum ExecAllowlistMatcher { return nil } + static func matchAll( + entries: [ExecAllowlistEntry], + resolutions: [ExecCommandResolution]) -> [ExecAllowlistEntry] + { + guard !entries.isEmpty, !resolutions.isEmpty else { return [] } + var matches: [ExecAllowlistEntry] = [] + matches.reserveCapacity(resolutions.count) + for resolution in resolutions { + guard let match = self.match(entries: entries, resolution: resolution) else { + return [] + } + matches.append(match) + } + return matches + } + private static func matches(pattern: String, target: String) -> Bool { let trimmed = pattern.trimmingCharacters(in: .whitespacesAndNewlines) guard !trimmed.isEmpty else { return false } diff --git a/apps/macos/Sources/OpenClaw/ExecApprovalsSocket.swift b/apps/macos/Sources/OpenClaw/ExecApprovalsSocket.swift index fdef131ba..90dc6837d 100644 --- a/apps/macos/Sources/OpenClaw/ExecApprovalsSocket.swift +++ b/apps/macos/Sources/OpenClaw/ExecApprovalsSocket.swift @@ -360,7 +360,9 @@ private enum ExecHostExecutor { let autoAllowSkills: Bool let env: [String: String]? let resolution: ExecCommandResolution? - let allowlistMatch: ExecAllowlistEntry? + let allowlistResolutions: [ExecCommandResolution] + let allowlistMatches: [ExecAllowlistEntry] + let allowlistSatisfied: Bool let skillAllow: Bool } @@ -393,7 +395,7 @@ private enum ExecHostExecutor { if ExecApprovalHelpers.requiresAsk( ask: context.ask, security: context.security, - allowlistMatch: context.allowlistMatch, + allowlistMatch: context.allowlistSatisfied ? context.allowlistMatches.first : nil, skillAllow: context.skillAllow), approvalDecision == nil { @@ -425,7 +427,7 @@ private enum ExecHostExecutor { self.persistAllowlistEntry(decision: approvalDecision, context: context) if context.security == .allowlist, - context.allowlistMatch == nil, + !context.allowlistSatisfied, !context.skillAllow, !approvedByAsk { @@ -435,12 +437,21 @@ private enum ExecHostExecutor { reason: "allowlist-miss") } - if let match = context.allowlistMatch { - ExecApprovalsStore.recordAllowlistUse( - agentId: context.trimmedAgent, - pattern: match.pattern, - command: context.displayCommand, - resolvedPath: context.resolution?.resolvedPath) + if context.allowlistSatisfied { + var seenPatterns = Set() + for (idx, match) in context.allowlistMatches.enumerated() { + if !seenPatterns.insert(match.pattern).inserted { + continue + } + let resolvedPath = idx < context.allowlistResolutions.count + ? context.allowlistResolutions[idx].resolvedPath + : nil + ExecApprovalsStore.recordAllowlistUse( + agentId: context.trimmedAgent, + pattern: match.pattern, + command: context.displayCommand, + resolvedPath: resolvedPath) + } } if let errorResponse = await self.ensureScreenRecordingAccess(request.needsScreenRecording) { @@ -465,18 +476,22 @@ private enum ExecHostExecutor { let ask = approvals.agent.ask let autoAllowSkills = approvals.agent.autoAllowSkills let env = self.sanitizedEnv(request.env) - let resolution = ExecCommandResolution.resolve( + let allowlistResolutions = ExecCommandResolution.resolveForAllowlist( command: command, rawCommand: request.rawCommand, cwd: request.cwd, env: env) - let allowlistMatch = security == .allowlist - ? ExecAllowlistMatcher.match(entries: approvals.allowlist, resolution: resolution) - : nil + let resolution = allowlistResolutions.first + let allowlistMatches = security == .allowlist + ? ExecAllowlistMatcher.matchAll(entries: approvals.allowlist, resolutions: allowlistResolutions) + : [] + let allowlistSatisfied = security == .allowlist && + !allowlistResolutions.isEmpty && + allowlistMatches.count == allowlistResolutions.count let skillAllow: Bool - if autoAllowSkills, let name = resolution?.executableName { + if autoAllowSkills, !allowlistResolutions.isEmpty { let bins = await SkillBinsCache.shared.currentBins() - skillAllow = bins.contains(name) + skillAllow = allowlistResolutions.allSatisfy { bins.contains($0.executableName) } } else { skillAllow = false } @@ -490,7 +505,9 @@ private enum ExecHostExecutor { autoAllowSkills: autoAllowSkills, env: env, resolution: resolution, - allowlistMatch: allowlistMatch, + allowlistResolutions: allowlistResolutions, + allowlistMatches: allowlistMatches, + allowlistSatisfied: allowlistSatisfied, skillAllow: skillAllow) } @@ -499,13 +516,18 @@ private enum ExecHostExecutor { context: ExecApprovalContext) { guard decision == .allowAlways, context.security == .allowlist else { return } - guard let pattern = ExecApprovalHelpers.allowlistPattern( - command: context.command, - resolution: context.resolution) - else { - return + var seenPatterns = Set() + for candidate in context.allowlistResolutions { + guard let pattern = ExecApprovalHelpers.allowlistPattern( + command: context.command, + resolution: candidate) + else { + continue + } + if seenPatterns.insert(pattern).inserted { + ExecApprovalsStore.addAllowlistEntry(agentId: context.trimmedAgent, pattern: pattern) + } } - ExecApprovalsStore.addAllowlistEntry(agentId: context.trimmedAgent, pattern: pattern) } private static func ensureScreenRecordingAccess(_ needsScreenRecording: Bool?) async -> ExecHostResponse? { diff --git a/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift b/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift index 330e5b3b6..0171de793 100644 --- a/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift +++ b/apps/macos/Sources/OpenClaw/HostEnvSanitizer.swift @@ -1,8 +1,8 @@ import Foundation enum HostEnvSanitizer { - // Keep in sync with src/infra/host-env-security-policy.json. - // Parity is validated by src/infra/host-env-security.policy-parity.test.ts. + /// Keep in sync with src/infra/host-env-security-policy.json. + /// Parity is validated by src/infra/host-env-security.policy-parity.test.ts. private static let blockedKeys: Set = [ "NODE_OPTIONS", "NODE_PATH", diff --git a/apps/macos/Sources/OpenClaw/NodeMode/MacNodeRuntime.swift b/apps/macos/Sources/OpenClaw/NodeMode/MacNodeRuntime.swift index 0d096a1ef..52af7c4d1 100644 --- a/apps/macos/Sources/OpenClaw/NodeMode/MacNodeRuntime.swift +++ b/apps/macos/Sources/OpenClaw/NodeMode/MacNodeRuntime.swift @@ -454,18 +454,23 @@ actor MacNodeRuntime { : self.mainSessionKey let runId = UUID().uuidString let env = Self.sanitizedEnv(params.env) - let resolution = ExecCommandResolution.resolve( + let allowlistResolutions = ExecCommandResolution.resolveForAllowlist( command: command, rawCommand: params.rawCommand, cwd: params.cwd, env: env) - let allowlistMatch = security == .allowlist - ? ExecAllowlistMatcher.match(entries: approvals.allowlist, resolution: resolution) - : nil + let resolution = allowlistResolutions.first + let allowlistMatches = security == .allowlist + ? ExecAllowlistMatcher.matchAll(entries: approvals.allowlist, resolutions: allowlistResolutions) + : [] + let allowlistSatisfied = security == .allowlist && + !allowlistResolutions.isEmpty && + allowlistMatches.count == allowlistResolutions.count + let allowlistMatch = allowlistSatisfied ? allowlistMatches.first : nil let skillAllow: Bool - if autoAllowSkills, let name = resolution?.executableName { + if autoAllowSkills, !allowlistResolutions.isEmpty { let bins = await SkillBinsCache.shared.currentBins() - skillAllow = bins.contains(name) + skillAllow = allowlistResolutions.allSatisfy { bins.contains($0.executableName) } } else { skillAllow = false } @@ -501,13 +506,14 @@ actor MacNodeRuntime { if let response = approval.response { return response } let approvedByAsk = approval.approvedByAsk let persistAllowlist = approval.persistAllowlist - if persistAllowlist, security == .allowlist, - let pattern = ExecApprovalHelpers.allowlistPattern(command: command, resolution: resolution) - { - ExecApprovalsStore.addAllowlistEntry(agentId: agentId, pattern: pattern) - } + self.persistAllowlistPatterns( + persistAllowlist: persistAllowlist, + security: security, + agentId: agentId, + command: command, + allowlistResolutions: allowlistResolutions) - if security == .allowlist, allowlistMatch == nil, !skillAllow, !approvedByAsk { + if security == .allowlist, !allowlistSatisfied, !skillAllow, !approvedByAsk { await self.emitExecEvent( "exec.denied", payload: ExecEventPayload( @@ -522,79 +528,32 @@ actor MacNodeRuntime { message: "SYSTEM_RUN_DENIED: allowlist miss") } - if let match = allowlistMatch { - ExecApprovalsStore.recordAllowlistUse( - agentId: agentId, - pattern: match.pattern, - command: displayCommand, - resolvedPath: resolution?.resolvedPath) + self.recordAllowlistMatches( + security: security, + allowlistSatisfied: allowlistSatisfied, + agentId: agentId, + allowlistMatches: allowlistMatches, + allowlistResolutions: allowlistResolutions, + displayCommand: displayCommand) + + if let permissionResponse = await self.validateScreenRecordingIfNeeded( + req: req, + needsScreenRecording: params.needsScreenRecording, + sessionKey: sessionKey, + runId: runId, + displayCommand: displayCommand) + { + return permissionResponse } - if params.needsScreenRecording == true { - let authorized = await PermissionManager - .status([.screenRecording])[.screenRecording] ?? false - if !authorized { - await self.emitExecEvent( - "exec.denied", - payload: ExecEventPayload( - sessionKey: sessionKey, - runId: runId, - host: "node", - command: displayCommand, - reason: "permission:screenRecording")) - return Self.errorResponse( - req, - code: .unavailable, - message: "PERMISSION_MISSING: screenRecording") - } - } - - let timeoutSec = params.timeoutMs.flatMap { Double($0) / 1000.0 } - await self.emitExecEvent( - "exec.started", - payload: ExecEventPayload( - sessionKey: sessionKey, - runId: runId, - host: "node", - command: displayCommand)) - let result = await ShellExecutor.runDetailed( + return try await self.executeSystemRun( + req: req, + params: params, command: command, - cwd: params.cwd, env: env, - timeout: timeoutSec) - let combined = [result.stdout, result.stderr, result.errorMessage] - .compactMap(\.self) - .filter { !$0.isEmpty } - .joined(separator: "\n") - await self.emitExecEvent( - "exec.finished", - payload: ExecEventPayload( - sessionKey: sessionKey, - runId: runId, - host: "node", - command: displayCommand, - exitCode: result.exitCode, - timedOut: result.timedOut, - success: result.success, - output: ExecEventPayload.truncateOutput(combined))) - - struct RunPayload: Encodable { - var exitCode: Int? - var timedOut: Bool - var success: Bool - var stdout: String - var stderr: String - var error: String? - } - - let payload = try Self.encodePayload(RunPayload( - exitCode: result.exitCode, - timedOut: result.timedOut, - success: result.success, - stdout: result.stdout, - stderr: result.stderr, - error: result.errorMessage)) - return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload) + sessionKey: sessionKey, + runId: runId, + displayCommand: displayCommand) } private func handleSystemWhich(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse { @@ -835,6 +794,132 @@ actor MacNodeRuntime { } extension MacNodeRuntime { + private func persistAllowlistPatterns( + persistAllowlist: Bool, + security: ExecSecurity, + agentId: String?, + command: [String], + allowlistResolutions: [ExecCommandResolution]) + { + guard persistAllowlist, security == .allowlist else { return } + var seenPatterns = Set() + for candidate in allowlistResolutions { + guard let pattern = ExecApprovalHelpers.allowlistPattern(command: command, resolution: candidate) else { + continue + } + if seenPatterns.insert(pattern).inserted { + ExecApprovalsStore.addAllowlistEntry(agentId: agentId, pattern: pattern) + } + } + } + + private func recordAllowlistMatches( + security: ExecSecurity, + allowlistSatisfied: Bool, + agentId: String?, + allowlistMatches: [ExecAllowlistEntry], + allowlistResolutions: [ExecCommandResolution], + displayCommand: String) + { + guard security == .allowlist, allowlistSatisfied else { return } + var seenPatterns = Set() + for (idx, match) in allowlistMatches.enumerated() { + if !seenPatterns.insert(match.pattern).inserted { + continue + } + let resolvedPath = idx < allowlistResolutions.count ? allowlistResolutions[idx].resolvedPath : nil + ExecApprovalsStore.recordAllowlistUse( + agentId: agentId, + pattern: match.pattern, + command: displayCommand, + resolvedPath: resolvedPath) + } + } + + private func validateScreenRecordingIfNeeded( + req: BridgeInvokeRequest, + needsScreenRecording: Bool?, + sessionKey: String, + runId: String, + displayCommand: String) async -> BridgeInvokeResponse? + { + guard needsScreenRecording == true else { return nil } + let authorized = await PermissionManager + .status([.screenRecording])[.screenRecording] ?? false + if authorized { + return nil + } + await self.emitExecEvent( + "exec.denied", + payload: ExecEventPayload( + sessionKey: sessionKey, + runId: runId, + host: "node", + command: displayCommand, + reason: "permission:screenRecording")) + return Self.errorResponse( + req, + code: .unavailable, + message: "PERMISSION_MISSING: screenRecording") + } + + private func executeSystemRun( + req: BridgeInvokeRequest, + params: OpenClawSystemRunParams, + command: [String], + env: [String: String], + sessionKey: String, + runId: String, + displayCommand: String) async throws -> BridgeInvokeResponse + { + let timeoutSec = params.timeoutMs.flatMap { Double($0) / 1000.0 } + await self.emitExecEvent( + "exec.started", + payload: ExecEventPayload( + sessionKey: sessionKey, + runId: runId, + host: "node", + command: displayCommand)) + let result = await ShellExecutor.runDetailed( + command: command, + cwd: params.cwd, + env: env, + timeout: timeoutSec) + let combined = [result.stdout, result.stderr, result.errorMessage] + .compactMap(\.self) + .filter { !$0.isEmpty } + .joined(separator: "\n") + await self.emitExecEvent( + "exec.finished", + payload: ExecEventPayload( + sessionKey: sessionKey, + runId: runId, + host: "node", + command: displayCommand, + exitCode: result.exitCode, + timedOut: result.timedOut, + success: result.success, + output: ExecEventPayload.truncateOutput(combined))) + + struct RunPayload: Encodable { + var exitCode: Int? + var timedOut: Bool + var success: Bool + var stdout: String + var stderr: String + var error: String? + } + let runPayload = RunPayload( + exitCode: result.exitCode, + timedOut: result.timedOut, + success: result.success, + stdout: result.stdout, + stderr: result.stderr, + error: result.errorMessage) + let payload = try Self.encodePayload(runPayload) + return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload) + } + private static func decodeParams(_ type: T.Type, from json: String?) throws -> T { guard let json, let data = json.data(using: .utf8) else { throw NSError(domain: "Gateway", code: 20, userInfo: [ diff --git a/apps/macos/Sources/OpenClawDiscovery/TailscaleNetwork.swift b/apps/macos/Sources/OpenClawDiscovery/TailscaleNetwork.swift index 60b11306d..ef78e6f40 100644 --- a/apps/macos/Sources/OpenClawDiscovery/TailscaleNetwork.swift +++ b/apps/macos/Sources/OpenClawDiscovery/TailscaleNetwork.swift @@ -44,4 +44,3 @@ public enum TailscaleNetwork { return nil } } - diff --git a/apps/macos/Tests/OpenClawIPCTests/ExecAllowlistTests.swift b/apps/macos/Tests/OpenClawIPCTests/ExecAllowlistTests.swift index 7da886ea7..7ac0dff1d 100644 --- a/apps/macos/Tests/OpenClawIPCTests/ExecAllowlistTests.swift +++ b/apps/macos/Tests/OpenClawIPCTests/ExecAllowlistTests.swift @@ -46,4 +46,72 @@ struct ExecAllowlistTests { let match = ExecAllowlistMatcher.match(entries: [entry], resolution: resolution) #expect(match?.pattern == entry.pattern) } + + @Test func resolveForAllowlistSplitsShellChains() { + let command = ["/bin/sh", "-lc", "echo allowlisted && /usr/bin/touch /tmp/openclaw-allowlist-test"] + let resolutions = ExecCommandResolution.resolveForAllowlist( + command: command, + rawCommand: "echo allowlisted && /usr/bin/touch /tmp/openclaw-allowlist-test", + cwd: nil, + env: ["PATH": "/usr/bin:/bin"]) + #expect(resolutions.count == 2) + #expect(resolutions[0].executableName == "echo") + #expect(resolutions[1].executableName == "touch") + } + + @Test func resolveForAllowlistKeepsQuotedOperatorsInSingleSegment() { + let command = ["/bin/sh", "-lc", "echo \"a && b\""] + let resolutions = ExecCommandResolution.resolveForAllowlist( + command: command, + rawCommand: "echo \"a && b\"", + cwd: nil, + env: ["PATH": "/usr/bin:/bin"]) + #expect(resolutions.count == 1) + #expect(resolutions[0].executableName == "echo") + } + + @Test func resolveForAllowlistFailsClosedOnCommandSubstitution() { + let command = ["/bin/sh", "-lc", "echo $(/usr/bin/touch /tmp/openclaw-allowlist-test-subst)"] + let resolutions = ExecCommandResolution.resolveForAllowlist( + command: command, + rawCommand: "echo $(/usr/bin/touch /tmp/openclaw-allowlist-test-subst)", + cwd: nil, + env: ["PATH": "/usr/bin:/bin"]) + #expect(resolutions.isEmpty) + } + + @Test func resolveForAllowlistTreatsPlainShInvocationAsDirectExec() { + let command = ["/bin/sh", "./script.sh"] + let resolutions = ExecCommandResolution.resolveForAllowlist( + command: command, + rawCommand: nil, + cwd: "/tmp", + env: ["PATH": "/usr/bin:/bin"]) + #expect(resolutions.count == 1) + #expect(resolutions[0].executableName == "sh") + } + + @Test func matchAllRequiresEverySegmentToMatch() { + let first = ExecCommandResolution( + rawExecutable: "echo", + resolvedPath: "/usr/bin/echo", + executableName: "echo", + cwd: nil) + let second = ExecCommandResolution( + rawExecutable: "/usr/bin/touch", + resolvedPath: "/usr/bin/touch", + executableName: "touch", + cwd: nil) + let resolutions = [first, second] + + let partial = ExecAllowlistMatcher.matchAll( + entries: [ExecAllowlistEntry(pattern: "echo")], + resolutions: resolutions) + #expect(partial.isEmpty) + + let full = ExecAllowlistMatcher.matchAll( + entries: [ExecAllowlistEntry(pattern: "echo"), ExecAllowlistEntry(pattern: "touch")], + resolutions: resolutions) + #expect(full.count == 2) + } }