github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 18:44:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): unify root-bound write hardening

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 17:11:04 +00:00
parent be3a62c5e0
commit 104d32bb64
13 changed files with 427 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/agents/sandbox/fs-bridge.ts
View File

@@ -170,6 +170,11 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
Boolean,
);
const rmCommand = flags.length > 0 ? `rm ${flags.join(" ")}` : "rm";
await this.assertPathSafety(target, {
action: "remove files",
requireWritable: true,
aliasPolicy: PATH_ALIAS_POLICIES.unlinkTarget,
});
await this.runCommand(`set -eu; ${rmCommand} -- "$1"`, {
args: [target.containerPath],
signal: params.signal,
@@ -195,6 +200,15 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
action: "rename files",
requireWritable: true,
});
await this.assertPathSafety(from, {
action: "rename files",
requireWritable: true,
aliasPolicy: PATH_ALIAS_POLICIES.unlinkTarget,
});
await this.assertPathSafety(to, {
action: "rename files",
requireWritable: true,
});
await this.runCommand(
'set -eu; dir=$(dirname -- "$2"); if [ "$dir" != "." ]; then mkdir -p -- "$dir"; fi; mv -- "$1" "$2"',
{

83
src/agents/skills-install-download.ts
View File

@@ -1,4 +1,4 @@
import { createHash } from "node:crypto";
import { createHash, randomUUID } from "node:crypto";
import fs from "node:fs";
import path from "node:path";
import { Readable } from "node:stream";
@@ -9,6 +9,8 @@ import {
createTarEntrySafetyChecker,
extractArchive as extractArchiveSafe,
} from "../infra/archive.js";
import { writeFileFromPathWithinRoot } from "../infra/fs-safe.js";
import { assertCanonicalPathWithinBase } from "../infra/install-safe-path.js";
import { fetchWithSsrFGuard } from "../infra/net/fetch-guard.js";
import { isWithinDir } from "../infra/path-safety.js";
import { runCommandWithTimeout } from "../process/exec.js";
@@ -157,29 +159,44 @@ async function hashFileSha256(filePath: string): Promise<string> {
});
}
async function downloadFile(
url: string,
destPath: string,
timeoutMs: number,
): Promise<{ bytes: number }> {
async function downloadFile(params: {
url: string;
rootDir: string;
relativePath: string;
timeoutMs: number;
}): Promise<{ bytes: number }> {
const destPath = path.resolve(params.rootDir, params.relativePath);
const stagingDir = path.join(params.rootDir, ".openclaw-download-staging");
await ensureDir(stagingDir);
await assertCanonicalPathWithinBase({
baseDir: params.rootDir,
candidatePath: stagingDir,
boundaryLabel: "skill tools directory",
});
const tempPath = path.join(stagingDir, `${randomUUID()}.tmp`);
const { response, release } = await fetchWithSsrFGuard({
url,
timeoutMs: Math.max(1_000, timeoutMs),
url: params.url,
timeoutMs: Math.max(1_000, params.timeoutMs),
});
try {
if (!response.ok || !response.body) {
throw new Error(`Download failed (${response.status} ${response.statusText})`);
}
await ensureDir(path.dirname(destPath));
const file = fs.createWriteStream(destPath);
const file = fs.createWriteStream(tempPath);
const body = response.body as unknown;
const readable = isNodeReadableStream(body)
? body
: Readable.fromWeb(body as NodeReadableStream);
await pipeline(readable, file);
await writeFileFromPathWithinRoot({
rootDir: params.rootDir,
relativePath: params.relativePath,
sourcePath: tempPath,
});
const stat = await fs.promises.stat(destPath);
return { bytes: stat.size };
} finally {
await fs.promises.rm(tempPath, { force: true }).catch(() => undefined);
await release();
}
}
@@ -309,6 +326,7 @@ export async function installDownloadSpec(params: {
timeoutMs: number;
}): Promise<SkillInstallResult> {
const { entry, spec, timeoutMs } = params;
const safeRoot = resolveSkillToolsRootDir(entry);
const url = spec.url?.trim();
if (!url) {
return {
@@ -335,22 +353,40 @@ export async function installDownloadSpec(params: {
try {
targetDir = resolveDownloadTargetDir(entry, spec);
await ensureDir(targetDir);
const stat = await fs.promises.lstat(targetDir);
if (stat.isSymbolicLink()) {
throw new Error(`targetDir is a symlink: ${targetDir}`);
}
if (!stat.isDirectory()) {
throw new Error(`targetDir is not a directory: ${targetDir}`);
}
await assertCanonicalPathWithinBase({
baseDir: safeRoot,
candidatePath: targetDir,
boundaryLabel: "skill tools directory",
});
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
return { ok: false, message, stdout: "", stderr: message, code: null };
}
const archivePath = path.join(targetDir, filename);
const archiveRelativePath = path.relative(safeRoot, archivePath);
if (
!archiveRelativePath ||
archiveRelativePath === ".." ||
archiveRelativePath.startsWith(`..${path.sep}`) ||
path.isAbsolute(archiveRelativePath)
) {
return {
ok: false,
message: "invalid download archive path",
stdout: "",
stderr: "invalid download archive path",
code: null,
};
}
let downloaded = 0;
try {
const result = await downloadFile(url, archivePath, timeoutMs);
const result = await downloadFile({
url,
rootDir: safeRoot,
relativePath: archiveRelativePath,
timeoutMs,
});
downloaded = result.bytes;
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
@@ -379,6 +415,17 @@ export async function installDownloadSpec(params: {
};
}
try {
await assertCanonicalPathWithinBase({
baseDir: safeRoot,
candidatePath: targetDir,
boundaryLabel: "skill tools directory",
});
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
return { ok: false, message, stdout: "", stderr: message, code: null };
}
const extractResult = await extractArchive({
archivePath,
archiveType,