admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
14,699 Commits 1 Branch 0 Tags
b35d00aaf8b68c77e9d4ef6ef4e6101acf830b7a
Commit Graph

9320 Commits

Author SHA1 Message Date
Gustavo Madeira Santana
4d3403b7ac chore: fix CI errors 2026-02-17 23:46:40 -05:00
Peter Steinberger
308e09c876 perf(test): shorten process timeout fixtures 2026-02-18 04:27:01 +00:00
Peter Steinberger
46278e22cf perf(test): trim telegram duplicates and queue wait delays 2026-02-18 04:22:59 +00:00
Peter Steinberger
fa4772b4ce perf(test): dedupe telegram allowlist and speed twitch probe 2026-02-18 04:16:36 +00:00
Peter Steinberger
fdc6768227 perf(test): stabilize and speed sandbox registry races 2026-02-18 04:10:27 +00:00
Peter Steinberger
5f12334761 refactor: dedupe image, web, and auth profile test fixtures 2026-02-18 04:04:14 +00:00
Peter Steinberger
05b7bd2c22 refactor: dedupe command dispatch and process poll tests 2026-02-18 04:04:14 +00:00
Peter Steinberger
adac9cb67f refactor: dedupe gateway and scheduler test scaffolding 2026-02-18 04:04:14 +00:00
Peter Steinberger
262472ba20 test: remove duplicated scenario scaffolding across runtime tests 2026-02-18 04:04:14 +00:00
Peter Steinberger
e57628165a test: dedupe shared setup in channel and doctor config tests 2026-02-18 04:04:14 +00:00
Peter Steinberger
d1ab852972 test: extract shared e2e helpers for trigger handling and skills 2026-02-18 04:04:14 +00:00
Peter Steinberger
b099171db5 perf(test): dedupe slow discord monitor cases 2026-02-18 04:04:04 +00:00
Peter Steinberger
ac0db68235 refactor(security): extract safeBins trust resolver 2026-02-18 05:01:31 +01:00
Peter Steinberger
e8154c12e6 refactor(net): table-drive embedded IPv6 decoding and SSRF tests 2026-02-18 04:57:08 +01:00
Peter Steinberger
35016a380c fix(sandbox): serialize registry mutations and lock usage 2026-02-18 04:55:40 +01:00
Peter Steinberger
28bac46c92 fix(security): harden safeBins path trust 2026-02-18 04:55:31 +01:00
Peter Steinberger
442fdbf3d8 fix(security): block SSRF IPv6 transition bypasses 2026-02-18 04:53:09 +01:00
Peter Steinberger
50e5553533 fix: align retry backoff semantics and test mock signatures 2026-02-18 04:53:09 +01:00
Gustavo Madeira Santana
0bf1b38cc0 Agents: fix subagent completion thread routing 2026-02-17 22:52:58 -05:00
Peter Steinberger
516046dba8 fix: avoid doctor token regeneration on invalid repairs 2026-02-18 04:51:25 +01:00
Peter Steinberger
797ea7ed27 perf(test): cut slow monitor/subagent test overhead 2026-02-18 03:50:30 +00:00
Peter Steinberger
99db4d13e5 fix(gateway): guard cron webhook delivery against SSRF 2026-02-18 04:48:08 +01:00
Peter Steinberger
bc00c7d156 refactor: dedupe sandbox registry helpers 2026-02-18 04:46:38 +01:00
Ayaan Zaidi
6a5f887b3d test: harden Telegram command menu sanitization coverage (#19703) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 6a41b115902cafb5f5d79666850d4f3cd6b603ec
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-18 09:16:31 +05:30
Peter Steinberger
cc29be8c9b fix: serialize sandbox registry writes 2026-02-18 04:44:56 +01:00
Peter Steinberger
f25bbbc37e feat: switch anthropic onboarding defaults to sonnet 2026-02-18 04:37:58 +01:00
Gustavo Madeira Santana
e8816c554f Agents: fix subagent completion delivery to origin channel 2026-02-17 22:36:14 -05:00
Peter Steinberger
91e9684e8c test: add normalization coverage for shared and slack allow-list 2026-02-18 03:17:54 +00:00
Peter Steinberger
8407eeb33c refactor: extract shared string normalization helpers 2026-02-18 03:17:54 +00:00
Peter Steinberger
8984f31876 fix(agents): correct completion announce retry backoff schedule 2026-02-18 03:07:47 +00:00
Peter Steinberger
a420fa0417 fix(test): align subagent announce chat history mock typing 2026-02-18 03:02:20 +00:00
Peter Steinberger
289f215b31 fix(agents): make manual subagent completion announce deterministic 2026-02-18 03:00:27 +00:00
sebslight
d30492823c chore(auto-reply): format subagent command files 2026-02-17 21:55:47 -05:00
Peter Steinberger
34851a78b2 fix: route manual subagent spawn replies via OriginatingTo fallback 2026-02-18 03:48:18 +01:00
Peter Steinberger
4134875c31 fix: route discord native subagent announce to channel target 2026-02-18 02:42:52 +00:00
Peter Steinberger
c1928845ac fix: route native subagent spawns to target session 2026-02-18 02:35:58 +00:00
Gustavo Madeira Santana
40a6661597 test(cli): fix option-collision mock typings 2026-02-17 21:32:04 -05:00
Peter Steinberger
c90b09cb02 feat(agents): support Anthropic 1M context beta header 2026-02-18 03:29:48 +01:00
Peter Steinberger
d1c00dbb7c fix: harden include confinement edge cases (#18652) (thanks @aether-ai-agent) 2026-02-18 03:27:16 +01:00
aether-ai-agent
b5f551d716 fix(security): OC-06 prevent path traversal in config includes 
Fixed CWE-22 path traversal vulnerability allowing arbitrary file reads
through the $include directive in OpenClaw configuration files.

Security Impact:
- CVSS 8.6 (High) - Arbitrary file read vulnerability
- Attack vector: Malicious config files with path traversal sequences
- Impact: Exposure of /etc/passwd, SSH keys, cloud credentials, secrets

Implementation:
- Added path boundary validation in resolvePath() (lines 169-198)
- Implemented symlink resolution to prevent bypass attacks
- Restrict includes to config directory only
- Throw ConfigIncludeError for escaping paths

Testing:
- Added 23 comprehensive security tests
- 48/48 includes.test.ts tests passing
- 5,063/5,063 full suite tests passing
- 95.55% coverage on includes.ts
- Zero regressions, zero breaking changes

Attack Vectors Blocked:
✓ Absolute paths (/etc/passwd, /etc/shadow)
✓ Relative traversal (../../etc/passwd)
✓ Symlink bypass attempts
✓ Home directory access (~/.ssh/id_rsa)

Legitimate Use Cases Preserved:
✓ Same directory includes (./config.json)
✓ Subdirectory includes (./clients/config.json)
✓ Deep nesting (./a/b/c/config.json)

Aether AI Agent Security Research
 2026-02-18 03:27:16 +01:00
Peter Steinberger
ae3637b23b test: expand subagent announce completion coverage 2026-02-18 03:21:52 +01:00
Peter Steinberger
edf7d6af61 fix: harden subagent completion announce retries 2026-02-18 03:19:50 +01:00
Peter Steinberger
d7c6136c1f test: add sonnet 4.6 and opus 4.6 setup-token model tests 2026-02-18 03:12:32 +01:00
Gustavo Madeira Santana
5a31da8eec chore: format imports in gateway and session tools 2026-02-17 21:10:38 -05:00
Peter Steinberger
81db059627 fix(subagents): always read latest assistant/tool output on subagent completion 2026-02-18 02:59:40 +01:00
Peter Steinberger
0dd97feb41 fix(subagents): include tool role in subagent completion output 2026-02-18 02:57:33 +01:00
Gustavo Madeira Santana
985ec71c55 CLI: resolve parent/subcommand option collisions (#18725) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: b7e51cf90950cdd3049ac3c7a3a949717b8ba261
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-17 20:57:09 -05:00
Peter Steinberger
fa4f66255c fix(subagents): return completion message for manual session spawns 2026-02-18 02:52:35 +01:00
Peter Steinberger
f6f5cda6ca style: format subagent command files 2026-02-18 01:50:11 +00:00
Peter Steinberger
e2dd827ca4 fix: guarantee manual subagent spawn sends completion message 2026-02-18 02:45:05 +01:00