refactor(security): unify dangerous name matching handling

2026-05-10 23:54:42 +00:00 · 2026-02-24 01:32:23 +00:00
parent 6a7c303dcc
commit 161d9841dc
17 changed files with 671 additions and 471 deletions
--- a/src/config/dangerous-name-matching.ts
+++ b/src/config/dangerous-name-matching.ts
@@ -0,0 +1,84 @@
+import type { OpenClawConfig } from "./config.js";
+
+export type DangerousNameMatchingConfig = {
+  dangerouslyAllowNameMatching?: boolean;
+};
+
+export type ProviderDangerousNameMatchingScope = {
+  prefix: string;
+  account: Record<string, unknown>;
+  dangerousNameMatchingEnabled: boolean;
+  dangerousFlagPath: string;
+};
+
+function asObjectRecord(value: unknown): Record<string, unknown> | null {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+  return value as Record<string, unknown>;
+}
+
+function asOptionalBoolean(value: unknown): boolean | undefined {
+  return typeof value === "boolean" ? value : undefined;
+}
+
+export function isDangerousNameMatchingEnabled(
+  config: DangerousNameMatchingConfig | null | undefined,
+): boolean {
+  return config?.dangerouslyAllowNameMatching === true;
+}
+
+export function collectProviderDangerousNameMatchingScopes(
+  cfg: OpenClawConfig,
+  provider: string,
+): ProviderDangerousNameMatchingScope[] {
+  const scopes: ProviderDangerousNameMatchingScope[] = [];
+  const channels = asObjectRecord(cfg.channels);
+  if (!channels) {
+    return scopes;
+  }
+
+  const providerCfg = asObjectRecord(channels[provider]);
+  if (!providerCfg) {
+    return scopes;
+  }
+
+  const providerPrefix = `channels.${provider}`;
+  const providerDangerousFlagPath = `${providerPrefix}.dangerouslyAllowNameMatching`;
+  const providerDangerousNameMatchingEnabled = isDangerousNameMatchingEnabled(providerCfg);
+
+  scopes.push({
+    prefix: providerPrefix,
+    account: providerCfg,
+    dangerousNameMatchingEnabled: providerDangerousNameMatchingEnabled,
+    dangerousFlagPath: providerDangerousFlagPath,
+  });
+
+  const accounts = asObjectRecord(providerCfg.accounts);
+  if (!accounts) {
+    return scopes;
+  }
+
+  for (const key of Object.keys(accounts)) {
+    const account = asObjectRecord(accounts[key]);
+    if (!account) {
+      continue;
+    }
+
+    const accountPrefix = `${providerPrefix}.accounts.${key}`;
+    const accountDangerousNameMatching = asOptionalBoolean(account.dangerouslyAllowNameMatching);
+
+    scopes.push({
+      prefix: accountPrefix,
+      account,
+      dangerousNameMatchingEnabled:
+        accountDangerousNameMatching ?? providerDangerousNameMatchingEnabled,
+      dangerousFlagPath:
+        accountDangerousNameMatching == null
+          ? providerDangerousFlagPath
+          : `${accountPrefix}.dangerouslyAllowNameMatching`,
+    });
+  }
+
+  return scopes;
+}