github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 02:31:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): restrict skill download target paths

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-16 03:46:32 +01:00
parent c6c53437f7
commit 2363e1b085
9 changed files with 442 additions and 324 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/infra/install-safe-path.ts
View File

@@ -1,3 +1,4 @@
import { createHash } from "node:crypto";
import path from "node:path";
export function unscopedPackageName(name: string): string {
@@ -16,6 +17,30 @@ export function safeDirName(input: string): string {
return trimmed.replaceAll("/", "__").replaceAll("\\", "__");
}
export function safePathSegmentHashed(input: string): string {
const trimmed = input.trim();
const base = trimmed
.replaceAll(/[\\/]/g, "-")
.replaceAll(/[^a-zA-Z0-9._-]/g, "-")
.replaceAll(/-+/g, "-")
.replaceAll(/^-+/g, "")
.replaceAll(/-+$/g, "");
const normalized = base.length > 0 ? base : "skill";
const safe = normalized === "." || normalized === ".." ? "skill" : normalized;
const hash = createHash("sha256").update(trimmed).digest("hex").slice(0, 10);
if (safe !== trimmed) {
const prefix = safe.length > 50 ? safe.slice(0, 50) : safe;
return `${prefix}-${hash}`;
}
if (safe.length > 60) {
return `${safe.slice(0, 50)}-${hash}`;
}
return safe;
}
export function resolveSafeInstallDir(params: {
baseDir: string;
id: string;