admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
14,365 Commits 1 Branch 0 Tags
ef1ffacfb2bc2b3e790ab0aaa4fd3bd6e243a678
Commit Graph

18 Commits

Author SHA1 Message Date
Peter Steinberger
cd5f3fe0c1 test(config): consolidate env/include scenario coverage 2026-02-23 22:16:30 +00:00
Peter Steinberger
71c17da2ba test(config): dedupe traversal include assertions 2026-02-22 07:44:57 +00:00
Peter Steinberger
98790339ef test: dedupe repeated validation and throw assertions 2026-02-21 23:28:07 +00:00
Peter Steinberger
b97691f3a7 test(config): avoid duplicate include resolution in throw assertions 2026-02-21 23:28:06 +00:00
Peter Steinberger
861718e4dc test: group remaining suite cleanups 2026-02-21 21:44:57 +00:00
David Rudduck
e0aaf2d399 fix(security): block prototype-polluting keys in deepMerge (#20853) 
Reject __proto__, prototype, and constructor keys during deep-merge
to prevent prototype pollution when merging untrusted config objects.
 2026-02-19 03:47:48 -08:00
Peter Steinberger
d1c00dbb7c fix: harden include confinement edge cases (#18652) (thanks @aether-ai-agent) 2026-02-18 03:27:16 +01:00
aether-ai-agent
b5f551d716 fix(security): OC-06 prevent path traversal in config includes 
Fixed CWE-22 path traversal vulnerability allowing arbitrary file reads
through the $include directive in OpenClaw configuration files.

Security Impact:
- CVSS 8.6 (High) - Arbitrary file read vulnerability
- Attack vector: Malicious config files with path traversal sequences
- Impact: Exposure of /etc/passwd, SSH keys, cloud credentials, secrets

Implementation:
- Added path boundary validation in resolvePath() (lines 169-198)
- Implemented symlink resolution to prevent bypass attacks
- Restrict includes to config directory only
- Throw ConfigIncludeError for escaping paths

Testing:
- Added 23 comprehensive security tests
- 48/48 includes.test.ts tests passing
- 5,063/5,063 full suite tests passing
- 95.55% coverage on includes.ts
- Zero regressions, zero breaking changes

Attack Vectors Blocked:
✓ Absolute paths (/etc/passwd, /etc/shadow)
✓ Relative traversal (../../etc/passwd)
✓ Symlink bypass attempts
✓ Home directory access (~/.ssh/id_rsa)

Legitimate Use Cases Preserved:
✓ Same directory includes (./config.json)
✓ Subdirectory includes (./clients/config.json)
✓ Deep nesting (./a/b/c/config.json)

Aether AI Agent Security Research
 2026-02-18 03:27:16 +01:00
cpojer
f06dd8df06 chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts. 2026-02-01 10:03:47 +09:00
Peter Steinberger
9a7160786a refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
Peter Steinberger
6d16a658e5 refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
Peter Steinberger
c379191f80 chore: migrate to oxlint and oxfmt 
Co-authored-by: Christoph Nakazawa <christoph.pojer@gmail.com>
 2026-01-14 15:02:19 +00:00
Peter Steinberger
90342a4f3a refactor!: rename chat providers to channels 2026-01-13 08:40:39 +00:00
Peter Steinberger
cb095c8606 test: fix includes tests on windows 2026-01-12 00:39:14 +00:00
Peter Steinberger
9f9f6b75e7 test: expand include coverage 2026-01-12 00:30:26 +00:00
Peter Steinberger
e3e3498a4b fix: guard config includes (#731) (thanks @pasogott) 2026-01-12 00:12:03 +00:00
sheeek
53d3134fe8 refactor(config): simplify includes with class-based processor 
- Replace free functions with IncludeProcessor class
- Simplify IncludeResolver interface: { readFile, parseJson }
- Break down loadFile into focused private methods
- Use reduce() for array include merging
- Cleaner separation of concerns
 2026-01-12 00:08:27 +00:00
sheeek
e6400b0b0f refactor(config): extract includes logic to separate module 
- Move $include resolution to src/config/includes.ts
- Simplify io.ts by importing from includes module
- Cleaner API: resolveConfigIncludes(obj, configPath, resolver?)
- Re-export errors from io.ts for backwards compatibility
- Rename test file to match module name
 2026-01-12 00:08:27 +00:00