admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
16,619 Commits 1 Branch 0 Tags
e290f4ca4162dbcd07d4b101d71d6bdbcb2aa56a
Commit Graph

17 Commits

Author SHA1 Message Date
Peter Steinberger
242188b7b1 refactor: unify boundary-safe reads for bootstrap and includes 2026-02-26 12:42:14 +01:00
Peter Steinberger
9925ac6a2d fix(config): harden include file loading path checks 2026-02-26 12:23:31 +01:00
Peter Steinberger
08e020881d refactor(security): unify command gating and blocked-key guards 2026-02-21 13:04:37 +01:00
David Rudduck
e0aaf2d399 fix(security): block prototype-polluting keys in deepMerge (#20853) 
Reject __proto__, prototype, and constructor keys during deep-merge
to prevent prototype pollution when merging untrusted config objects.
 2026-02-19 03:47:48 -08:00
Peter Steinberger
d1c00dbb7c fix: harden include confinement edge cases (#18652) (thanks @aether-ai-agent) 2026-02-18 03:27:16 +01:00
aether-ai-agent
b5f551d716 fix(security): OC-06 prevent path traversal in config includes 
Fixed CWE-22 path traversal vulnerability allowing arbitrary file reads
through the $include directive in OpenClaw configuration files.

Security Impact:
- CVSS 8.6 (High) - Arbitrary file read vulnerability
- Attack vector: Malicious config files with path traversal sequences
- Impact: Exposure of /etc/passwd, SSH keys, cloud credentials, secrets

Implementation:
- Added path boundary validation in resolvePath() (lines 169-198)
- Implemented symlink resolution to prevent bypass attacks
- Restrict includes to config directory only
- Throw ConfigIncludeError for escaping paths

Testing:
- Added 23 comprehensive security tests
- 48/48 includes.test.ts tests passing
- 5,063/5,063 full suite tests passing
- 95.55% coverage on includes.ts
- Zero regressions, zero breaking changes

Attack Vectors Blocked:
✓ Absolute paths (/etc/passwd, /etc/shadow)
✓ Relative traversal (../../etc/passwd)
✓ Symlink bypass attempts
✓ Home directory access (~/.ssh/id_rsa)

Legitimate Use Cases Preserved:
✓ Same directory includes (./config.json)
✓ Subdirectory includes (./clients/config.json)
✓ Deep nesting (./a/b/c/config.json)

Aether AI Agent Security Research
 2026-02-18 03:27:16 +01:00
Peter Steinberger
b8b43175c5 style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
Peter Steinberger
31f9be126c style: run oxfmt and fix gate failures 2026-02-18 01:29:02 +00:00
cpojer
d0cb8c19b2 chore: wtf. 2026-02-17 13:36:48 +09:00
Sebastian
ed11e93cf2 chore(format) 2026-02-16 23:20:16 -05:00
cpojer
90ef2d6bdf chore: Update formatting. 2026-02-17 09:18:40 +09:00
max
8d75a496bf refactor: centralize isPlainObject, isRecord, isErrno, isLoopbackHost utilities (#12926) 2026-02-09 17:02:55 -08:00
cpojer
f06dd8df06 chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts. 2026-02-01 10:03:47 +09:00
Peter Steinberger
c379191f80 chore: migrate to oxlint and oxfmt 
Co-authored-by: Christoph Nakazawa <christoph.pojer@gmail.com>
 2026-01-14 15:02:19 +00:00
Peter Steinberger
e3e3498a4b fix: guard config includes (#731) (thanks @pasogott) 2026-01-12 00:12:03 +00:00
sheeek
53d3134fe8 refactor(config): simplify includes with class-based processor 
- Replace free functions with IncludeProcessor class
- Simplify IncludeResolver interface: { readFile, parseJson }
- Break down loadFile into focused private methods
- Use reduce() for array include merging
- Cleaner separation of concerns
 2026-01-12 00:08:27 +00:00
sheeek
e6400b0b0f refactor(config): extract includes logic to separate module 
- Move $include resolution to src/config/includes.ts
- Simplify io.ts by importing from includes module
- Cleaner API: resolveConfigIncludes(obj, configPath, resolver?)
- Re-export errors from io.ts for backwards compatibility
- Rename test file to match module name
 2026-01-12 00:08:27 +00:00