github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 09:41:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): bind system.run approvals to argv identity

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 03:40:42 +01:00
parent baf656bc6f
commit 03e689fc89
12 changed files with 102 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/agents/tools/nodes-tool.ts
View File

@@ -18,6 +18,7 @@ import {
} from "../../cli/nodes-screen.js";
import { parseDurationMs } from "../../cli/parse-duration.js";
import type { OpenClawConfig } from "../../config/config.js";
import { formatExecCommand } from "../../infra/system-run-command.js";
import { imageMimeFromFormat } from "../../media/mime.js";
import { resolveSessionAgentId } from "../agent-scope.js";
import { resolveImageSanitizationLimits } from "../image-sanitization.js";
@@ -473,7 +474,7 @@ export function createNodesTool(options?: {
// Node requires approval create a pending approval request on
// the gateway and wait for the user to approve/deny via the UI.
const APPROVAL_TIMEOUT_MS = 120_000;
const cmdText = command.join(" ");
const cmdText = formatExecCommand(command);
const approvalId = crypto.randomUUID();
const approvalResult = await callGatewayTool(
"exec.approval.request",
@@ -481,6 +482,7 @@ export function createNodesTool(options?: {
{
id: approvalId,
command: cmdText,
commandArgv: command,
cwd,
nodeId,
host: "node",