orlyjamie
a54bba6ee0
fix(security): block command substitution in unquoted heredoc bodies
The shell command analyzer (splitShellPipeline) skipped all token
validation while parsing heredoc bodies. When the heredoc delimiter
was unquoted, bash performs command substitution on the body content,
allowing $(cmd) and backtick expressions to execute arbitrary commands
that bypass the exec allowlist.

Track whether heredoc delimiters are quoted or unquoted. When unquoted,
scan the body for $(, ${, and backtick tokens and reject the command.
Quoted heredocs (<<'EOF' / <<"EOF") are safe - the shell treats their
body as literal text.

Ref: https://github.com/openclaw/openclaw/security/advisories/GHSA-65rx-fvh6-r4h2
2026-02-19 03:22:03 +11:00
Peter Steinberger
29d3bb278f
refactor(device-pair): reduce duplicated gateway parsing
2026-02-18 16:08:38 +00:00
Peter Steinberger
95d52b06d5
refactor(mattermost): dedupe reaction flow and test fixtures
2026-02-18 16:08:38 +00:00
Peter Steinberger
c7bc94436b
perf(test): fake queue timers and merge telegram reply-mode checks
2026-02-18 16:01:20 +00:00
Peter Steinberger
797a47c3ce
docs: harden coding-agent skill guidance example
2026-02-18 16:55:50 +01:00
Pejman Pour-Moezzi
a0d904dc23
docs(discord): replace quick setup and add recommended guild setup (#20088)
Co-authored-by: Shadow <shadow@openclaw.ai>
2026-02-18 09:39:09 -06:00
Peter Steinberger
6a19654c4a
refactor(core): dedupe browser route signatures and cli watchdog schema
2026-02-18 14:15:20 +00:00
Peter Steinberger
1934eebbf0
refactor(agents): dedupe lifecycle send assertions and stable payload stringify
2026-02-18 14:15:14 +00:00
Peter Steinberger
168d24526e
chore(protocol): regenerate Swift models for device pair remove params
2026-02-18 14:01:34 +00:00
Peter Steinberger
42025915db
test(agents): dedupe sessions_spawn model preference assertions
2026-02-18 14:01:29 +00:00
Peter Steinberger
33b0b38f65
test(agents): dedupe shared bootstrap and tool-id test setup
2026-02-18 14:01:24 +00:00
Peter Steinberger
33f30367e1
fix(cli): include model and thinking fields in cron edit patch type
2026-02-18 13:39:40 +00:00
Peter Steinberger
41e68c31db
test(channels): dedupe slack arg-menu and discord reply chunk assertions
2026-02-18 13:39:40 +00:00
Peter Steinberger
c7bfa818ea
test(cli): dedupe cron add/edit assertion harness
2026-02-18 13:39:40 +00:00
Mariano
57083e4220
iOS: add Apple Watch companion message MVP (#20054)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 720791ae6b
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
2026-02-18 13:37:41 +00:00
Peter Steinberger
e71e9a55ab
fix(cli): align runtime capture helper with RuntimeEnv signature
2026-02-18 13:34:03 +00:00
Peter Steinberger
277d524fa3
test(agents): restore stable cron tool gateway mocks
2026-02-18 13:34:03 +00:00
Peter Steinberger
a18f411fb6
test(agents): dedupe cron tool mock wiring
2026-02-18 13:34:03 +00:00
Peter Steinberger
8f866d51c4
test(cli): dedupe runtime capture fixtures across command specs
2026-02-18 13:34:03 +00:00
Peter Steinberger
3af9f704c8
test(cli): dedupe repeated gateway node and slack pairing setup
2026-02-18 13:34:03 +00:00
Peter Steinberger
2d0ce40ed6
test(agents): dedupe tool-result overflow and telegram account helpers
2026-02-18 13:34:03 +00:00
Mariano
1437ed76a0
Gateway/CLI: add paired-device remove and clear flows (#20057)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 26523f8a38
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
2026-02-18 13:27:31 +00:00
Mariano
fc65f70a9b
iOS: stabilize pairing/reconnect loops (#20056)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: b01a482a17
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
2026-02-18 13:23:06 +00:00
Peter Steinberger
ff50d3303d
test(memory): dedupe model-auth mock setup
2026-02-18 13:17:44 +00:00
Peter Steinberger
28b8101eef
fix(browser): handle IPv6 loopback auth and dedupe fetch auth tests
2026-02-18 13:15:00 +00:00
Peter Steinberger
eb775ff24b
test(media): dedupe audio provider request assertions
2026-02-18 13:13:43 +00:00
Peter Steinberger
e1b491d961
test(channels): dedupe inbound contract dispatch capture setup
2026-02-18 13:13:43 +00:00
Mariano
39881a318a
Browser: reuse extension relay when relay port is already occupied (#20035)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: b310666d39
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
2026-02-18 13:13:04 +00:00
Peter Steinberger
f4db58a5fd
test(media): dedupe auto-audio fixture wiring
2026-02-18 13:06:21 +00:00
Peter Steinberger
d067618600
test(line): dedupe reply chunk fixture setup
2026-02-18 13:06:08 +00:00
Peter Steinberger
53ad08f319
test(slack): type draft stream harness callbacks
2026-02-18 13:02:59 +00:00
Peter Steinberger
7b46f2c17f
test(imessage): dedupe send test scaffolding
2026-02-18 13:01:37 +00:00
Peter Steinberger
7f7fc523cf
test(cli): dedupe runMessageAction helper specs
2026-02-18 12:59:36 +00:00
Peter Steinberger
c6d6411378
test(media): dedupe redirect request fixtures
2026-02-18 12:58:35 +00:00
Peter Steinberger
7bca5f5400
test(slack): dedupe block and draft stream test fixtures
2026-02-18 12:57:51 +00:00
Peter Steinberger
3daf730fcc
test(gateway): fix send target resolution error typing
2026-02-18 12:54:22 +00:00
Peter Steinberger
56ebbf0eed
test(gateway): dedupe sessions usage handler fixtures
2026-02-18 12:52:34 +00:00
Peter Steinberger
fc29588329
test(gateway): dedupe send delivery fixtures
2026-02-18 12:52:25 +00:00
Peter Steinberger
3a09d85cd3
test(gateway): fix typed respond helpers in agent tests
2026-02-18 12:49:15 +00:00
Peter Steinberger
00c2308085
test(gateway): dedupe health status scope test setup
2026-02-18 12:48:10 +00:00
Peter Steinberger
c6da37dfb5
test(gateway): dedupe agent handler request fixtures
2026-02-18 12:48:04 +00:00
Peter Steinberger
396ccf9fb1
test(gateway): dedupe agents.files.list assertions
2026-02-18 12:45:14 +00:00
Peter Steinberger
2aec380fb3
test(gateway): dedupe update and chat abort persistence fixtures
2026-02-18 12:43:54 +00:00
Peter Steinberger
bb84452c62
fix(signal): restore mention-gating helper map typing
2026-02-18 12:43:46 +00:00
Peter Steinberger
37b5c92928
test(signal): dedupe mention-gating handler setup
2026-02-18 12:38:44 +00:00
Peter Steinberger
9b68af5f4f
test(signal): dedupe receive event fixtures and add mention clamp case
2026-02-18 12:37:38 +00:00
Peter Steinberger
9c2b82362e
test(signal): dedupe monitor tool-result test payload fixtures
2026-02-18 12:28:35 +00:00
Peter Steinberger
1e2b367e1e
test(hooks): dedupe session-memory handler test setup
2026-02-18 12:28:30 +00:00
Peter Steinberger
c3472f6c54
test(memory): dedupe embeddings provider test fixtures
2026-02-18 12:28:25 +00:00
Peter Steinberger
87ca2a24bd
test(gateway): dedupe call gateway test setup
2026-02-18 12:27:21 +00:00