github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-07 23:51:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(security): centralize dangerous tool lists

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-14 13:25:28 +01:00
parent 0cfea46293
commit 233483d2b9
4 changed files with 43 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/security/audit.ts
View File

@@ -33,6 +33,7 @@ import {
formatPermissionRemediation,
inspectPathPermissions,
} from "./audit-fs.js";
import { DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "./dangerous-tools.js";
export type SecurityAuditSeverity = "info" | "warn" | "critical";
@@ -269,8 +270,9 @@ function collectGatewayConfigFindings(
.map((v) => (typeof v === "string" ? v.trim().toLowerCase() : ""))
.filter(Boolean),
);
const defaultHttpDeniedTools = ["sessions_spawn", "sessions_send", "gateway", "whatsapp_login"];
const reenabledOverHttp = defaultHttpDeniedTools.filter((name) => gatewayToolsAllow.has(name));
const reenabledOverHttp = DEFAULT_GATEWAY_HTTP_TOOL_DENY.filter((name) =>
gatewayToolsAllow.has(name),
);
if (reenabledOverHttp.length > 0) {
const extraRisk = bind !== "loopback" || tailscaleMode === "funnel";
findings.push({