github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-07 20:11:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden hooks module loading

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-14 14:04:29 +01:00
parent 3d0a41b584
commit 35c0e66ed0
11 changed files with 145 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/hooks/loader.ts
View File

@@ -116,10 +116,25 @@ export async function loadInternalHooks(
const handlers = cfg.hooks.internal.handlers ?? [];
for (const handlerConfig of handlers) {
try {
// Resolve module path (absolute or relative to cwd)
const modulePath = path.isAbsolute(handlerConfig.module)
? handlerConfig.module
: path.join(process.cwd(), handlerConfig.module);
// Legacy handler paths: keep them workspace-relative.
const rawModule = handlerConfig.module.trim();
if (!rawModule) {
log.error("Handler module path is empty");
continue;
}
if (path.isAbsolute(rawModule)) {
log.error(
`Handler module path must be workspace-relative (got absolute path): ${rawModule}`,
);
continue;
}
const baseDir = path.resolve(workspaceDir);
const modulePath = path.resolve(baseDir, rawModule);
const rel = path.relative(baseDir, modulePath);
if (!rel || rel.startsWith("..") || path.isAbsolute(rel)) {
log.error(`Handler module path must stay within workspaceDir: ${rawModule}`);
continue;
}
// Import the module with cache-busting to ensure fresh reload
const url = pathToFileURL(modulePath).href;