github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 18:24:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): warn on wildcard control-ui origins and feishu owner grants

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 02:23:03 +00:00
parent cc0806dfab
commit 17bae93680
2 changed files with 127 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
src/security/audit.test.ts
View File

@@ -1223,6 +1223,29 @@ describe("security audit", () => {
expectFinding(res, "gateway.control_ui.allowed_origins_required", "critical");
});
it("flags wildcard Control UI origins by exposure level", async () => {
const loopbackCfg: OpenClawConfig = {
gateway: {
bind: "loopback",
controlUi: { allowedOrigins: ["*"] },
},
};
const exposedCfg: OpenClawConfig = {
gateway: {
bind: "lan",
auth: { mode: "token", token: "very-long-browser-token-0123456789" },
controlUi: { allowedOrigins: ["*"] },
},
};
const loopback = await audit(loopbackCfg);
const exposed = await audit(exposedCfg);
expectFinding(loopback, "gateway.control_ui.allowed_origins_wildcard", "warn");
expectFinding(exposed, "gateway.control_ui.allowed_origins_wildcard", "critical");
expectNoFinding(exposed, "gateway.control_ui.allowed_origins_required");
});
it("flags dangerous host-header origin fallback and suppresses missing allowed-origins finding", async () => {
const cfg: OpenClawConfig = {
gateway: {
@@ -1243,6 +1266,35 @@ describe("security audit", () => {
);
});
it("warns when Feishu doc tool is enabled because create supports owner_open_id", async () => {
const cfg: OpenClawConfig = {
channels: {
feishu: {
appId: "cli_test",
appSecret: "secret_test",
},
},
};
const res = await audit(cfg);
expectFinding(res, "channels.feishu.doc_owner_open_id", "warn");
});
it("does not warn for Feishu owner_open_id when doc tools are disabled", async () => {
const cfg: OpenClawConfig = {
channels: {
feishu: {
appId: "cli_test",
appSecret: "secret_test",
tools: { doc: false },
},
},
};
const res = await audit(cfg);
expectNoFinding(res, "channels.feishu.doc_owner_open_id");
});
it("scores X-Real-IP fallback risk by gateway exposure", async () => {
const trustedProxyCfg = (trustedProxies: string[]): OpenClawConfig => ({
gateway: {