fix(security): harden hooks module loading

This commit is contained in:
Peter Steinberger
2026-02-14 14:04:29 +01:00
parent 3d0a41b584
commit 35c0e66ed0
11 changed files with 145 additions and 20 deletions


@@ -298,7 +298,9 @@ export function attachGatewayWsMessageHandler(params: {
return;
}
// Default-deny: scopes must be explicit. Empty/missing scopes means no permissions.
const scopes = Array.isArray(connectParams.scopes) ? connectParams.scopes : [];
// Note: If the client does not present a device identity, we can't bind scopes to a paired
// device/token, so we will clear scopes after auth to avoid self-declared permissions.
let scopes = Array.isArray(connectParams.scopes) ? connectParams.scopes : [];
connectParams.role = role;
connectParams.scopes = scopes;
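Review bot: The new `let scopes = Array.isArray(connectParams.scopes) ? connectParams.scopes : [];` still accepts whatever elements the client sent, so a non-string entry (number, object, nested array) would be stored back on `connectParams.scopes` and carried into the later scope checks unchanged; `Array.isArray` only guards the container, not its contents. If `connectParams.scopes` is loosely typed at this point (its declaration is outside the hunk), normalizing here would close that gap, e.g. `let scopes = Array.isArray(connectParams.scopes) ? connectParams.scopes.filter((s): s is string => typeof s === "string") : [];`. The clearing added in the second hunk (`if (!device) { if (scopes.length > 0) { scopes = []; connectParams.scopes = scopes; } }`) depends on this same `scopes` binding and on re-assigning `connectParams.scopes`, so any reference to the original array captured between these two points would keep the self-declared values; a short comment such as `// scopes aliases connectParams.scopes until device auth resolves; do not capture it before then` would make that invariant explicit. attachGatewayWsMessageHandler begins before this hunk.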
@@ -428,6 +430,10 @@ export function attachGatewayWsMessageHandler(params: {
close(1008, truncateCloseReason(authMessage));
};
if (!device) {
if (scopes.length > 0) {
scopes = [];
connectParams.scopes = scopes;
}
const canSkipDevice = sharedAuthOk;
if (isControlUi && !allowControlUiBypass) {