fix: harden exec PATH handling

2026-05-07 18:31:26 +00:00 · 2026-02-14 19:50:33 +01:00
parent 53af46ffb8
commit 013e8f6b3b
6 changed files with 169 additions and 51 deletions
--- a/src/infra/path-env.test.ts
+++ b/src/infra/path-env.test.ts
@@ -75,12 +75,6 @@ describe("ensureOpenClawCliOnPath", () => {
      await fs.writeFile(appCli, "#!/bin/sh\necho ok\n", "utf-8");
      await fs.chmod(appCli, 0o755);

-      const localBinDir = path.join(tmp, "node_modules", ".bin");
-      await fs.mkdir(localBinDir, { recursive: true });
-      const localCli = path.join(localBinDir, "openclaw");
-      await fs.writeFile(localCli, "#!/bin/sh\necho ok\n", "utf-8");
-      await fs.chmod(localCli, 0o755);
-
      const miseDataDir = path.join(tmp, "mise");
      const shimsDir = path.join(miseDataDir, "shims");
      await fs.mkdir(shimsDir, { recursive: true });
@@ -98,11 +92,9 @@ describe("ensureOpenClawCliOnPath", () => {
      const updated = process.env.PATH ?? "";
      const parts = updated.split(path.delimiter);
      const appBinIndex = parts.indexOf(appBinDir);
-      const localIndex = parts.indexOf(localBinDir);
      const shimsIndex = parts.indexOf(shimsDir);
      expect(appBinIndex).toBeGreaterThanOrEqual(0);
-      expect(localIndex).toBeGreaterThan(appBinIndex);
-      expect(shimsIndex).toBeGreaterThan(localIndex);
+      expect(shimsIndex).toBeGreaterThan(appBinIndex);
    } finally {
      process.env.PATH = originalPath;
      if (originalFlag === undefined) {
@@ -119,6 +111,61 @@ describe("ensureOpenClawCliOnPath", () => {
    }
  });

+  it("only appends project-local node_modules/.bin when explicitly enabled", async () => {
+    const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-path-"));
+    const originalPath = process.env.PATH;
+    const originalFlag = process.env.OPENCLAW_PATH_BOOTSTRAPPED;
+    try {
+      const appBinDir = path.join(tmp, "AppBin");
+      await fs.mkdir(appBinDir, { recursive: true });
+      const appCli = path.join(appBinDir, "openclaw");
+      await fs.writeFile(appCli, "#!/bin/sh\necho ok\n", "utf-8");
+      await fs.chmod(appCli, 0o755);
+
+      const localBinDir = path.join(tmp, "node_modules", ".bin");
+      await fs.mkdir(localBinDir, { recursive: true });
+      const localCli = path.join(localBinDir, "openclaw");
+      await fs.writeFile(localCli, "#!/bin/sh\necho ok\n", "utf-8");
+      await fs.chmod(localCli, 0o755);
+
+      process.env.PATH = "/usr/bin";
+      delete process.env.OPENCLAW_PATH_BOOTSTRAPPED;
+
+      ensureOpenClawCliOnPath({
+        execPath: appCli,
+        cwd: tmp,
+        homeDir: tmp,
+        platform: "darwin",
+      });
+      const withoutOptIn = (process.env.PATH ?? "").split(path.delimiter);
+      expect(withoutOptIn.includes(localBinDir)).toBe(false);
+
+      process.env.PATH = "/usr/bin";
+      delete process.env.OPENCLAW_PATH_BOOTSTRAPPED;
+
+      ensureOpenClawCliOnPath({
+        execPath: appCli,
+        cwd: tmp,
+        homeDir: tmp,
+        platform: "darwin",
+        allowProjectLocalBin: true,
+      });
+      const withOptIn = (process.env.PATH ?? "").split(path.delimiter);
+      const usrBinIndex = withOptIn.indexOf("/usr/bin");
+      const localIndex = withOptIn.indexOf(localBinDir);
+      expect(usrBinIndex).toBeGreaterThanOrEqual(0);
+      expect(localIndex).toBeGreaterThan(usrBinIndex);
+    } finally {
+      process.env.PATH = originalPath;
+      if (originalFlag === undefined) {
+        delete process.env.OPENCLAW_PATH_BOOTSTRAPPED;
+      } else {
+        process.env.OPENCLAW_PATH_BOOTSTRAPPED = originalFlag;
+      }
+      await fs.rm(tmp, { recursive: true, force: true });
+    }
+  });
+
  it("prepends Linuxbrew dirs when present", async () => {
    const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-path-"));
    const originalPath = process.env.PATH;
--- a/src/infra/path-env.ts
+++ b/src/infra/path-env.ts
@@ -10,6 +10,7 @@ type EnsureOpenClawPathOpts = {
  homeDir?: string;
  platform?: NodeJS.Platform;
  pathEnv?: string;
+  allowProjectLocalBin?: boolean;
 };

 function isExecutable(filePath: string): boolean {
@@ -29,16 +30,17 @@ function isDirectory(dirPath: string): boolean {
  }
 }

-function mergePath(params: { existing: string; prepend: string[] }): string {
+function mergePath(params: { existing: string; prepend?: string[]; append?: string[] }): string {
  const partsExisting = params.existing
    .split(path.delimiter)
    .map((part) => part.trim())
    .filter(Boolean);
-  const partsPrepend = params.prepend.map((part) => part.trim()).filter(Boolean);
+  const partsPrepend = (params.prepend ?? []).map((part) => part.trim()).filter(Boolean);
+  const partsAppend = (params.append ?? []).map((part) => part.trim()).filter(Boolean);

  const seen = new Set<string>();
  const merged: string[] = [];
-  for (const part of [...partsPrepend, ...partsExisting]) {
+  for (const part of [...partsPrepend, ...partsExisting, ...partsAppend]) {
    if (!seen.has(part)) {
      seen.add(part);
      merged.push(part);
@@ -47,54 +49,60 @@ function mergePath(params: { existing: string; prepend: string[] }): string {
  return merged.join(path.delimiter);
 }

-function candidateBinDirs(opts: EnsureOpenClawPathOpts): string[] {
+function candidateBinDirs(opts: EnsureOpenClawPathOpts): { prepend: string[]; append: string[] } {
  const execPath = opts.execPath ?? process.execPath;
  const cwd = opts.cwd ?? process.cwd();
  const homeDir = opts.homeDir ?? os.homedir();
  const platform = opts.platform ?? process.platform;

-  const candidates: string[] = [];
+  const prepend: string[] = [];
+  const append: string[] = [];

  // Bundled macOS app: `openclaw` lives next to the executable (process.execPath).
  try {
    const execDir = path.dirname(execPath);
    const siblingCli = path.join(execDir, "openclaw");
    if (isExecutable(siblingCli)) {
-      candidates.push(execDir);
+      prepend.push(execDir);
    }
  } catch {
    // ignore
  }

-  // Project-local installs (best effort): if a `node_modules/.bin/openclaw` exists near cwd,
-  // include it. This helps when running under launchd or other minimal PATH environments.
-  const localBinDir = path.join(cwd, "node_modules", ".bin");
-  if (isExecutable(path.join(localBinDir, "openclaw"))) {
-    candidates.push(localBinDir);
+  // Project-local installs are a common repo-based attack vector (bin hijacking). Keep this
+  // disabled by default; if an operator explicitly enables it, only append (never prepend).
+  const allowProjectLocalBin =
+    opts.allowProjectLocalBin === true ||
+    isTruthyEnvValue(process.env.OPENCLAW_ALLOW_PROJECT_LOCAL_BIN);
+  if (allowProjectLocalBin) {
+    const localBinDir = path.join(cwd, "node_modules", ".bin");
+    if (isExecutable(path.join(localBinDir, "openclaw"))) {
+      append.push(localBinDir);
+    }
  }

  const miseDataDir = process.env.MISE_DATA_DIR ?? path.join(homeDir, ".local", "share", "mise");
  const miseShims = path.join(miseDataDir, "shims");
  if (isDirectory(miseShims)) {
-    candidates.push(miseShims);
+    prepend.push(miseShims);
  }

-  candidates.push(...resolveBrewPathDirs({ homeDir }));
+  prepend.push(...resolveBrewPathDirs({ homeDir }));

  // Common global install locations (macOS first).
  if (platform === "darwin") {
-    candidates.push(path.join(homeDir, "Library", "pnpm"));
+    prepend.push(path.join(homeDir, "Library", "pnpm"));
  }
  if (process.env.XDG_BIN_HOME) {
-    candidates.push(process.env.XDG_BIN_HOME);
+    prepend.push(process.env.XDG_BIN_HOME);
  }
-  candidates.push(path.join(homeDir, ".local", "bin"));
-  candidates.push(path.join(homeDir, ".local", "share", "pnpm"));
-  candidates.push(path.join(homeDir, ".bun", "bin"));
-  candidates.push(path.join(homeDir, ".yarn", "bin"));
-  candidates.push("/opt/homebrew/bin", "/usr/local/bin", "/usr/bin", "/bin");
+  prepend.push(path.join(homeDir, ".local", "bin"));
+  prepend.push(path.join(homeDir, ".local", "share", "pnpm"));
+  prepend.push(path.join(homeDir, ".bun", "bin"));
+  prepend.push(path.join(homeDir, ".yarn", "bin"));
+  prepend.push("/opt/homebrew/bin", "/usr/local/bin", "/usr/bin", "/bin");

-  return candidates.filter(isDirectory);
+  return { prepend: prepend.filter(isDirectory), append: append.filter(isDirectory) };
 }

 /**
@@ -108,12 +116,12 @@ export function ensureOpenClawCliOnPath(opts: EnsureOpenClawPathOpts = {}) {
  process.env.OPENCLAW_PATH_BOOTSTRAPPED = "1";

  const existing = opts.pathEnv ?? process.env.PATH ?? "";
-  const prepend = candidateBinDirs(opts);
-  if (prepend.length === 0) {
+  const { prepend, append } = candidateBinDirs(opts);
+  if (prepend.length === 0 && append.length === 0) {
    return;
  }

-  const merged = mergePath({ existing, prepend });
+  const merged = mergePath({ existing, prepend, append });
  if (merged) {
    process.env.PATH = merged;
  }