github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-07 23:31:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(security): centralize dangerous tool lists

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-14 13:25:28 +01:00
parent 0cfea46293
commit 233483d2b9
4 changed files with 43 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/security/audit.ts
View File

@@ -33,6 +33,7 @@ import {
formatPermissionRemediation,
inspectPathPermissions,
} from "./audit-fs.js";
import { DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "./dangerous-tools.js";
export type SecurityAuditSeverity = "info" | "warn" | "critical";
@@ -269,8 +270,9 @@ function collectGatewayConfigFindings(
.map((v) => (typeof v === "string" ? v.trim().toLowerCase() : ""))
.filter(Boolean),
);
const defaultHttpDeniedTools = ["sessions_spawn", "sessions_send", "gateway", "whatsapp_login"];
const reenabledOverHttp = defaultHttpDeniedTools.filter((name) => gatewayToolsAllow.has(name));
const reenabledOverHttp = DEFAULT_GATEWAY_HTTP_TOOL_DENY.filter((name) =>
gatewayToolsAllow.has(name),
);
if (reenabledOverHttp.length > 0) {
const extraRisk = bind !== "loopback" || tailscaleMode === "funnel";
findings.push({

37
src/security/dangerous-tools.ts Normal file
View File

@@ -0,0 +1,37 @@
// Shared tool-risk constants.
// Keep these centralized so gateway HTTP restrictions, security audits, and ACP prompts don't drift.
/**
* Tools denied via Gateway HTTP `POST /tools/invoke` by default.
* These are high-risk because they enable session orchestration, control-plane actions,
* or interactive flows that don't make sense over a non-interactive HTTP surface.
*/
export const DEFAULT_GATEWAY_HTTP_TOOL_DENY = [
// Session orchestration — spawning agents remotely is RCE
"sessions_spawn",
// Cross-session injection — message injection across sessions
"sessions_send",
// Gateway control plane — prevents gateway reconfiguration via HTTP
"gateway",
// Interactive setup — requires terminal QR scan, hangs on HTTP
"whatsapp_login",
] as const;
/**
* ACP tools that should always require explicit user approval.
* ACP is an automation surface; we never want "silent yes" for mutating/execution tools.
*/
export const DANGEROUS_ACP_TOOL_NAMES = [
"exec",
"spawn",
"shell",
"sessions_spawn",
"sessions_send",
"gateway",
"fs_write",
"fs_delete",
"fs_move",
"apply_patch",
] as const;
export const DANGEROUS_ACP_TOOLS = new Set<string>(DANGEROUS_ACP_TOOL_NAMES);