github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-13 02:12:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden sandbox novnc observer flow

Browse Source
This commit is contained in:
Agent
2026-03-01 22:44:15 +00:00
parent 4ab13eca4d
commit 002539c01e
10 changed files with 128 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/agents/sandbox/browser.novnc-url.test.ts
View File

@@ -2,45 +2,55 @@ import { describe, expect, it } from "vitest";
import {
buildNoVncDirectUrl,
buildNoVncObserverTokenUrl,
buildNoVncObserverTargetUrl,
consumeNoVncObserverToken,
generateNoVncPassword,
issueNoVncObserverToken,
resetNoVncObserverTokensForTests,
} from "./novnc-auth.js";
describe("noVNC auth helpers", () => {
it("builds the default observer URL without password", () => {
expect(buildNoVncDirectUrl(45678)).toBe(
"http://127.0.0.1:45678/vnc.html?autoconnect=1&resize=remote",
);
expect(buildNoVncDirectUrl(45678)).toBe("http://127.0.0.1:45678/vnc.html");
});
it("adds an encoded password query parameter when provided", () => {
expect(buildNoVncDirectUrl(45678, "a+b c&d")).toBe(
"http://127.0.0.1:45678/vnc.html?autoconnect=1&resize=remote&password=a%2Bb+c%26d",
it("builds a fragment-based observer target URL with password", () => {
expect(buildNoVncObserverTargetUrl({ port: 45678, password: "a+b c&d" })).toBe(
"http://127.0.0.1:45678/vnc.html#autoconnect=1&resize=remote&password=a%2Bb+c%26d",
);
});
it("issues one-time short-lived observer tokens", () => {
resetNoVncObserverTokensForTests();
const token = issueNoVncObserverToken({
url: "http://127.0.0.1:50123/vnc.html?autoconnect=1&resize=remote&password=abcd1234",
noVncPort: 50123,
password: "abcd1234",
nowMs: 1000,
ttlMs: 100,
});
expect(buildNoVncObserverTokenUrl("http://127.0.0.1:19999", token)).toBe(
`http://127.0.0.1:19999/sandbox/novnc?token=${token}`,
);
expect(consumeNoVncObserverToken(token, 1050)).toContain("/vnc.html?");
expect(consumeNoVncObserverToken(token, 1050)).toEqual({
noVncPort: 50123,
password: "abcd1234",
});
expect(consumeNoVncObserverToken(token, 1050)).toBeNull();
});
it("expires observer tokens", () => {
resetNoVncObserverTokensForTests();
const token = issueNoVncObserverToken({
url: "http://127.0.0.1:50123/vnc.html?autoconnect=1&resize=remote&password=abcd1234",
noVncPort: 50123,
password: "abcd1234",
nowMs: 1000,
ttlMs: 100,
});
expect(consumeNoVncObserverToken(token, 1200)).toBeNull();
});
it("generates 8-char alphanumeric passwords", () => {
const password = generateNoVncPassword();
expect(password).toMatch(/^[a-zA-Z0-9]{8}$/);
});
});