admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
ec44e262bef864b5c2e099465692b9c4e7368a5a
Moltbot/src
History
Marcus Castro ec44e262be fix(security): prevent String(undefined) coercion in credential inputs (#12287) 
* fix(security): prevent String(undefined) coercion in credential inputs

When a prompter returns undefined (due to cancel, timeout, or bug),
String(undefined).trim() produces the literal string "undefined" instead
of "". This truthy string prevents secure fallbacks from triggering,
allowing predictable credential values (e.g., gateway password = "undefined").

Fix all 8 occurrences by using String(value ?? "").trim(), which correctly
yields "" for null/undefined inputs and triggers downstream validation or
fallback logic.

Fixes #8054

* fix(security): also fix String(undefined) in api-provider credential inputs

Address codex review feedback: 4 additional occurrences of the unsafe
String(variable).trim() pattern in auth-choice.apply.api-providers.ts
(Cloudflare Account ID, Gateway ID, synthetic API key inputs + validators).

* fix(test): strengthen password coercion test per review feedback

* fix(security): harden credential prompt coercion

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-13 04:25:05 +01:00
..
acp
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
agents
fix: add adapter-path after_tool_call coverage (follow-up to #15012) (#15105)
2026-02-12 19:39:23 -06:00
auto-reply
fix(session): preserve verbose/thinking/tts overrides across /new and /reset (openclaw#10881) thanks @mcaxtr
2026-02-12 20:27:12 -06:00
browser
fix(browser): hide navigator.webdriver from reCAPTCHA v3 detection (openclaw#10735) thanks @Milofax
2026-02-12 20:16:28 -06:00
canvas-host
fix: use STATE_DIR instead of hardcoded ~/.openclaw for identity and canvas (#4824)
2026-02-07 22:16:59 -05:00
channels
Signal: harden E.164 validation
2026-02-12 15:28:31 -08:00
cli
fix(update): repair daemon-cli compat exports after self-update
2026-02-13 04:08:13 +01:00
commands
fix(security): prevent String(undefined) coercion in credential inputs (#12287)
2026-02-13 04:25:05 +01:00
compat
refactor: rename to openclaw
2026-01-30 03:16:21 +01:00
config
fix: add discord role allowlists (#10650) (thanks @Minidoracat)
2026-02-12 19:52:24 -06:00
cron
fix(agents): stabilize overflow compaction retries and session context accounting (openclaw#14102) thanks @vpesh
2026-02-12 17:53:13 -06:00
daemon
fix(daemon): suppress EPIPE error in restartLaunchAgent stdout write (#14343)
2026-02-12 07:55:29 -06:00
discord
Discord: honor Administrator in permission checks
2026-02-12 19:53:22 -06:00
docs
Docs: landing page revamp (#8885)
2026-02-04 10:37:14 -05:00
gateway
fix(ci): resolve windows test path assertion and sync protocol swift models
2026-02-13 02:39:34 +01:00
hooks
fix: preserve inter-session input provenance (thanks @anbecker)
2026-02-13 02:02:01 +01:00
imessage
fix(auto-reply): prevent sender spoofing in group prompts
2026-02-10 00:44:38 -06:00
infra
fix: emit message_sent hook for all successful outbound paths (#15104)
2026-02-12 19:39:09 -06:00
line
fix(auto-reply): prevent sender spoofing in group prompts
2026-02-10 00:44:38 -06:00
link-understanding
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
logging
Browser/Logging: share default openclaw tmp dir resolver
2026-02-12 16:44:04 -05:00
macos
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
markdown
feat(telegram): render blockquotes as native <blockquote> tags (#14608) (#14626)
2026-02-12 08:11:57 -05:00
media
fix: harden OpenResponses URL input fetching
2026-02-13 01:38:49 +01:00
media-understanding
fix: fix: transcribe audio before mention check in groups with requireMention (openclaw#9973) thanks @mcinteerj
2026-02-12 09:58:01 -06:00
memory
(fix): handle Cloudflare 521 and transient 5xx errors gracefully (#13500)
2026-02-11 21:42:33 -06:00
node-host
fix: prevent act:evaluate hangs from getting browser tool stuck/killed (#13498)
2026-02-11 07:54:48 +08:00
pairing
fix(pairing): use actual code in pairing approval text
2026-02-10 19:48:02 -05:00
plugin-sdk
Update contributing, deduplicate more functions
2026-02-09 19:21:33 -08:00
plugins
CLI: add plugins uninstall command (#5985) (openclaw#6141) thanks @JustasMonkev
2026-02-12 20:11:26 -06:00
process
fix(gateway): drain active turns before restart to prevent message loss (#13931)
2026-02-12 07:55:19 -06:00
providers
chore: Fix failing test.
2026-02-09 09:58:58 +09:00
routing
fix: add discord role allowlists (#10650) (thanks @Minidoracat)
2026-02-12 19:52:24 -06:00
scripts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
security
fix: harden hook session key routing defaults
2026-02-13 02:09:14 +01:00
sessions
fix: preserve inter-session input provenance (thanks @anbecker)
2026-02-13 02:02:01 +01:00
shared/text
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
signal
Signal: satisfy lint
2026-02-12 14:37:55 -08:00
slack
fix(discord): replyToMode first behaviour
2026-02-12 18:50:36 -06:00
telegram
test: stabilize telegram media timing tests
2026-02-13 02:13:15 +01:00
terminal
fix(onboarding): exit cleanly after web ui hatch
2026-02-13 03:20:32 +01:00
test-helpers
fix: use STATE_DIR instead of hardcoded ~/.openclaw for identity and canvas (#4824)
2026-02-07 22:16:59 -05:00
test-utils
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
tts
fix(tts): strip markdown before sending text to TTS engines (#13237)
2026-02-12 10:46:57 -05:00
tui
Centralize date/time formatting utilities (#11831)
2026-02-08 04:53:31 -08:00
types
fix: update pi packages to 0.51.0, remove bogus type augmentation
2026-02-02 01:52:33 +01:00
utils
refactor: consolidate fetchWithTimeout into shared utility
2026-02-09 20:34:56 -08:00
web
fix: default MIME type for WhatsApp voice messages when Baileys omits it (#14444)
2026-02-11 23:09:09 -06:00
whatsapp
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
wizard
fix(security): prevent String(undefined) coercion in credential inputs (#12287)
2026-02-13 04:25:05 +01:00
channel-web.barrel.test.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
channel-web.ts
docker-setup.test.ts
fix(tts): strip markdown before sending text to TTS engines (#13237)
2026-02-12 10:46:57 -05:00
entry.ts
Centralize date/time formatting utilities (#11831)
2026-02-08 04:53:31 -08:00
extensionAPI.ts
chore: Migrate to tsdown, speed up JS bundling by ~10x (thanks @hyf0).
2026-02-03 20:18:16 +09:00
globals.test.ts
globals.ts
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
index.test.ts
index.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
logger.test.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
logger.ts
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
logging.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
polls.test.ts
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts.
2026-02-01 10:03:47 +09:00
polls.ts
runtime.ts
CLI: restore terminal state on exit
2026-02-03 06:10:19 +00:00
utils.test.ts
fix(paths): structurally resolve home dir to prevent Windows path bugs (#12125)
2026-02-08 20:06:29 -05:00
utils.ts
Deduplicate more
2026-02-09 18:56:58 -08:00
version.test.ts
fix: CLI harden update restart imports and fix nested bundle version resolution
2026-02-06 00:09:48 -05:00
version.ts
fix: CLI harden update restart imports and fix nested bundle version resolution
2026-02-06 00:09:48 -05:00