fix(security): restrict skill download target paths

Peter Steinberger
2026-02-16 03:46:32 +01:00
parent c6c53437f7
commit 2363e1b085
9 changed files with 442 additions and 324 deletions


@@ -20,6 +20,7 @@ import {
DEFAULT_MAIN_KEY,
normalizeAgentId,
} from "../routing/session-key.js";
import { isWithinDir } from "./path-safety.js";
import {
ensureDir,
existsDir,
@@ -360,11 +361,6 @@ function isDirPath(filePath: string): boolean {
}
}
function isWithinDir(targetPath: string, rootDir: string): boolean {
const relative = path.relative(path.resolve(rootDir), path.resolve(targetPath));
return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
}
function isLegacyTreeSymlinkMirror(currentDir: string, realTargetDir: string): boolean {
let entries: fs.Dirent[];
try {
@@ -395,7 +391,7 @@ function isLegacyTreeSymlinkMirror(currentDir: string, realTargetDir: string): b
} catch {
return false;
}
if (!isWithinDir(resolvedRealTarget, realTargetDir)) {
if (!isWithinDir(realTargetDir, resolvedRealTarget)) {
return false;
}
continue;
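Review bot: The call in the last hunk now reads `isWithinDir(realTargetDir, resolvedRealTarget)`, the reverse of the order the removed local helper took (`targetPath, rootDir`), and nothing at the call site records which argument is the root. Both parameters are plain strings, so the compiler cannot catch a mix-up, and a reversed call would ask whether the root lies inside the symlink target, so an entry resolving outside `realTargetDir` would no longer hit this `return false`. The signature in `./path-safety.js` is not visible in this section, so please confirm it is root-first and add a comment at the call such as `// isWithinDir(rootDir, targetPath): root first, unlike the removed local helper`. A regression test where a mirror entry resolves outside `realTargetDir` would pin the direction. The body of `isLegacyTreeSymlinkMirror` starts and ends outside the hunk, so other callers of the old helper in this file may need the same check.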