github/openclaw
1
1
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-02-19 18:39:20 -05:00
Code Issues Packages Projects Releases Wiki Activity
12,238 Commits 404 Branches 56 Tags
5c69e625f58dd012c0765430becdffc4dc175f03
Commit Graph

12238 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Robby
5c69e625f5 fix(cli): display correct model for sub-agents in sessions list (#18660) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: ba54c5a351
Co-authored-by: robbyczgw-cla <239660374+robbyczgw-cla@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-02-17 23:59:20 -05:00
Peter Steinberger
a69e7682c1 refactor(test): dedupe channel and monitor action suites 2026-02-18 04:49:22 +00:00
Peter Steinberger
31f83c86b2 refactor(test): dedupe agent harnesses and routing fixtures 2026-02-18 04:49:22 +00:00
Peter Steinberger
8a9fddedc9 refactor: extract shared install and embedding utilities 2026-02-18 04:49:22 +00:00
Gustavo Madeira Santana
4d3403b7ac chore: fix CI errors 2026-02-17 23:46:40 -05:00
Peter Steinberger
308e09c876 perf(test): shorten process timeout fixtures 2026-02-18 04:27:01 +00:00
Peter Steinberger
46278e22cf perf(test): trim telegram duplicates and queue wait delays 2026-02-18 04:22:59 +00:00
Peter Steinberger
fa4772b4ce perf(test): dedupe telegram allowlist and speed twitch probe 2026-02-18 04:16:36 +00:00
Peter Steinberger
fdc6768227 perf(test): stabilize and speed sandbox registry races 2026-02-18 04:10:27 +00:00
Peter Steinberger
5f12334761 refactor: dedupe image, web, and auth profile test fixtures 2026-02-18 04:04:14 +00:00
Peter Steinberger
05b7bd2c22 refactor: dedupe command dispatch and process poll tests 2026-02-18 04:04:14 +00:00
Peter Steinberger
adac9cb67f refactor: dedupe gateway and scheduler test scaffolding 2026-02-18 04:04:14 +00:00
Peter Steinberger
262472ba20 test: remove duplicated scenario scaffolding across runtime tests 2026-02-18 04:04:14 +00:00
Peter Steinberger
e57628165a test: dedupe shared setup in channel and doctor config tests 2026-02-18 04:04:14 +00:00
Peter Steinberger
d1ab852972 test: extract shared e2e helpers for trigger handling and skills 2026-02-18 04:04:14 +00:00
Peter Steinberger
b099171db5 perf(test): dedupe slow discord monitor cases 2026-02-18 04:04:04 +00:00
Peter Steinberger
ac0db68235 refactor(security): extract safeBins trust resolver 2026-02-18 05:01:31 +01:00
Peter Steinberger
e8154c12e6 refactor(net): table-drive embedded IPv6 decoding and SSRF tests 2026-02-18 04:57:08 +01:00
Peter Steinberger
35016a380c fix(sandbox): serialize registry mutations and lock usage 2026-02-18 04:55:40 +01:00
Peter Steinberger
28bac46c92 fix(security): harden safeBins path trust 2026-02-18 04:55:31 +01:00
Peter Steinberger
42d2a61888 chore(changelog): move SSRF transition fix to 2026.2.18 2026-02-18 04:53:50 +01:00
Peter Steinberger
442fdbf3d8 fix(security): block SSRF IPv6 transition bypasses 2026-02-18 04:53:09 +01:00
Peter Steinberger
50e5553533 fix: align retry backoff semantics and test mock signatures 2026-02-18 04:53:09 +01:00
Gustavo Madeira Santana
0bf1b38cc0 Agents: fix subagent completion thread routing 2026-02-17 22:52:58 -05:00
Peter Steinberger
35851cdaff chore(changelog): move cron SSRF fix into 2026.2.18 2026-02-18 04:52:13 +01:00
Peter Steinberger
516046dba8 fix: avoid doctor token regeneration on invalid repairs 2026-02-18 04:51:25 +01:00
Peter Steinberger
797ea7ed27 perf(test): cut slow monitor/subagent test overhead 2026-02-18 03:50:30 +00:00
Peter Steinberger
99db4d13e5 fix(gateway): guard cron webhook delivery against SSRF 2026-02-18 04:48:08 +01:00
Peter Steinberger
bc00c7d156 refactor: dedupe sandbox registry helpers 2026-02-18 04:46:38 +01:00
Ayaan Zaidi
6a5f887b3d test: harden Telegram command menu sanitization coverage (#19703) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 6a41b11590
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-18 09:16:31 +05:30
Peter Steinberger
cc29be8c9b fix: serialize sandbox registry writes 2026-02-18 04:44:56 +01:00
Peter Steinberger
8278903f0a fix: update deep links handling 2026-02-18 04:40:42 +01:00
Peter Steinberger
4bf3338834 chore: bump version to 2026.2.18 unreleased 2026-02-18 04:40:06 +01:00
Peter Steinberger
f25bbbc37e feat: switch anthropic onboarding defaults to sonnet 2026-02-18 04:37:58 +01:00
Gustavo Madeira Santana
e8816c554f Agents: fix subagent completion delivery to origin channel 2026-02-17 22:36:14 -05:00
Peter Steinberger
ca43efa965 fix(ci): force npm install path in smoke docker tests 2026-02-18 03:25:14 +00:00
Peter Steinberger
91e9684e8c test: add normalization coverage for shared and slack allow-list 2026-02-18 03:17:54 +00:00
Peter Steinberger
8407eeb33c refactor: extract shared string normalization helpers 2026-02-18 03:17:54 +00:00
Peter Steinberger
8984f31876 fix(agents): correct completion announce retry backoff schedule 2026-02-18 03:07:47 +00:00
Peter Steinberger
a420fa0417 fix(test): align subagent announce chat history mock typing 2026-02-18 03:02:20 +00:00
Peter Steinberger
289f215b31 fix(agents): make manual subagent completion announce deterministic 2026-02-18 03:00:27 +00:00
sebslight
d30492823c chore(auto-reply): format subagent command files 2026-02-17 21:55:47 -05:00
Peter Steinberger
34851a78b2 fix: route manual subagent spawn replies via OriginatingTo fallback 2026-02-18 03:48:18 +01:00
Peter Steinberger
4134875c31 fix: route discord native subagent announce to channel target v2026.2.17 2026-02-18 02:42:52 +00:00
Peter Steinberger
c1928845ac fix: route native subagent spawns to target session 2026-02-18 02:35:58 +00:00
Gustavo Madeira Santana
40a6661597 test(cli): fix option-collision mock typings 2026-02-17 21:32:04 -05:00
Peter Steinberger
c90b09cb02 feat(agents): support Anthropic 1M context beta header 2026-02-18 03:29:48 +01:00
Peter Steinberger
d1c00dbb7c fix: harden include confinement edge cases (#18652) (thanks @aether-ai-agent) 2026-02-18 03:27:16 +01:00
aether-ai-agent
b5f551d716 fix(security): OC-06 prevent path traversal in config includes 
Fixed CWE-22 path traversal vulnerability allowing arbitrary file reads
through the $include directive in OpenClaw configuration files.

Security Impact:
- CVSS 8.6 (High) - Arbitrary file read vulnerability
- Attack vector: Malicious config files with path traversal sequences
- Impact: Exposure of /etc/passwd, SSH keys, cloud credentials, secrets

Implementation:
- Added path boundary validation in resolvePath() (lines 169-198)
- Implemented symlink resolution to prevent bypass attacks
- Restrict includes to config directory only
- Throw ConfigIncludeError for escaping paths

Testing:
- Added 23 comprehensive security tests
- 48/48 includes.test.ts tests passing
- 5,063/5,063 full suite tests passing
- 95.55% coverage on includes.ts
- Zero regressions, zero breaking changes

Attack Vectors Blocked:
✓ Absolute paths (/etc/passwd, /etc/shadow)
✓ Relative traversal (../../etc/passwd)
✓ Symlink bypass attempts
✓ Home directory access (~/.ssh/id_rsa)

Legitimate Use Cases Preserved:
✓ Same directory includes (./config.json)
✓ Subdirectory includes (./clients/config.json)
✓ Deep nesting (./a/b/c/config.json)

Aether AI Agent Security Research
 2026-02-18 03:27:16 +01:00
Peter Steinberger
ae3637b23b test: expand subagent announce completion coverage 2026-02-18 03:21:52 +01:00