github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 15:08:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden archive extraction (#16203)

Browse Source 
* fix(browser): confine upload paths for file chooser

* fix(browser): sanitize suggested download filenames

* chore(lint): avoid control regex in download sanitizer

* test(browser): cover absolute escape paths

* docs(browser): update upload example path

* refactor(browser): centralize upload path confinement

* fix(infra): harden tmp dir selection

* fix(security): harden archive extraction

* fix(infra): harden tar extraction filter
This commit is contained in:
Peter Steinberger
2026-02-14 14:42:08 +01:00
committed by GitHub
parent 9a134c8a10
commit 3aa94afcfd
19 changed files with 1179 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

402
src/agents/skills-install.e2e.test.ts
View File

@@ -1,16 +1,23 @@
import JSZip from "jszip";
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import * as tar from "tar";
import { beforeEach, describe, expect, it, vi } from "vitest";
import { installSkill } from "./skills-install.js";
const runCommandWithTimeoutMock = vi.fn();
const scanDirectoryWithSummaryMock = vi.fn();
const fetchWithSsrFGuardMock = vi.fn();
vi.mock("../process/exec.js", () => ({
runCommandWithTimeout: (...args: unknown[]) => runCommandWithTimeoutMock(...args),
}));
vi.mock("../infra/net/fetch-guard.js", () => ({
fetchWithSsrFGuard: (...args: unknown[]) => fetchWithSsrFGuardMock(...args),
}));
vi.mock("../security/skill-scanner.js", async (importOriginal) => {
const actual = await importOriginal<typeof import("../security/skill-scanner.js")>();
return {
@@ -38,10 +45,62 @@ metadata: {"openclaw":{"install":[{"id":"deps","kind":"node","package":"example-
return skillDir;
}
async function writeDownloadSkill(params: {
workspaceDir: string;
name: string;
installId: string;
url: string;
archive: "tar.gz" | "tar.bz2" | "zip";
stripComponents?: number;
targetDir: string;
}): Promise<string> {
const skillDir = path.join(params.workspaceDir, "skills", params.name);
await fs.mkdir(skillDir, { recursive: true });
const meta = {
openclaw: {
install: [
{
id: params.installId,
kind: "download",
url: params.url,
archive: params.archive,
extract: true,
stripComponents: params.stripComponents,
targetDir: params.targetDir,
},
],
},
};
await fs.writeFile(
path.join(skillDir, "SKILL.md"),
`---
name: ${params.name}
description: test skill
metadata: ${JSON.stringify(meta)}
---
# ${params.name}
`,
"utf-8",
);
await fs.writeFile(path.join(skillDir, "runner.js"), "export {};\n", "utf-8");
return skillDir;
}
async function fileExists(filePath: string): Promise<boolean> {
try {
await fs.stat(filePath);
return true;
} catch {
return false;
}
}
describe("installSkill code safety scanning", () => {
beforeEach(() => {
runCommandWithTimeoutMock.mockReset();
scanDirectoryWithSummaryMock.mockReset();
fetchWithSsrFGuardMock.mockReset();
runCommandWithTimeoutMock.mockResolvedValue({
code: 0,
stdout: "ok",
@@ -112,3 +171,346 @@ describe("installSkill code safety scanning", () => {
}
});
});
describe("installSkill download extraction safety", () => {
beforeEach(() => {
runCommandWithTimeoutMock.mockReset();
scanDirectoryWithSummaryMock.mockReset();
fetchWithSsrFGuardMock.mockReset();
scanDirectoryWithSummaryMock.mockResolvedValue({
scannedFiles: 0,
critical: 0,
warn: 0,
info: 0,
findings: [],
});
});
it("rejects zip slip traversal", async () => {
const workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-skills-install-"));
try {
const targetDir = path.join(workspaceDir, "target");
const outsideWriteDir = path.join(workspaceDir, "outside-write");
const outsideWritePath = path.join(outsideWriteDir, "pwned.txt");
const url = "https://example.invalid/evil.zip";
const zip = new JSZip();
zip.file("../outside-write/pwned.txt", "pwnd");
const buffer = await zip.generateAsync({ type: "nodebuffer" });
fetchWithSsrFGuardMock.mockResolvedValue({
response: new Response(buffer, { status: 200 }),
release: async () => undefined,
});
await writeDownloadSkill({
workspaceDir,
name: "zip-slip",
installId: "dl",
url,
archive: "zip",
targetDir,
});
const result = await installSkill({ workspaceDir, skillName: "zip-slip", installId: "dl" });
expect(result.ok).toBe(false);
expect(await fileExists(outsideWritePath)).toBe(false);
} finally {
await fs.rm(workspaceDir, { recursive: true, force: true }).catch(() => undefined);
}
});
it("rejects tar.gz traversal", async () => {
const workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-skills-install-"));
try {
const targetDir = path.join(workspaceDir, "target");
const insideDir = path.join(workspaceDir, "inside");
const outsideWriteDir = path.join(workspaceDir, "outside-write");
const outsideWritePath = path.join(outsideWriteDir, "pwned.txt");
const archivePath = path.join(workspaceDir, "evil.tgz");
const url = "https://example.invalid/evil";
await fs.mkdir(insideDir, { recursive: true });
await fs.mkdir(outsideWriteDir, { recursive: true });
await fs.writeFile(outsideWritePath, "pwnd", "utf-8");
await tar.c({ cwd: insideDir, file: archivePath, gzip: true }, [
"../outside-write/pwned.txt",
]);
await fs.rm(outsideWriteDir, { recursive: true, force: true });
const buffer = await fs.readFile(archivePath);
fetchWithSsrFGuardMock.mockResolvedValue({
response: new Response(buffer, { status: 200 }),
release: async () => undefined,
});
await writeDownloadSkill({
workspaceDir,
name: "tar-slip",
installId: "dl",
url,
archive: "tar.gz",
targetDir,
});
const result = await installSkill({ workspaceDir, skillName: "tar-slip", installId: "dl" });
expect(result.ok).toBe(false);
expect(await fileExists(outsideWritePath)).toBe(false);
} finally {
await fs.rm(workspaceDir, { recursive: true, force: true }).catch(() => undefined);
}
});
it("extracts zip with stripComponents safely", async () => {
const workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-skills-install-"));
try {
const targetDir = path.join(workspaceDir, "target");
const url = "https://example.invalid/good.zip";
const zip = new JSZip();
zip.file("package/hello.txt", "hi");
const buffer = await zip.generateAsync({ type: "nodebuffer" });
fetchWithSsrFGuardMock.mockResolvedValue({
response: new Response(buffer, { status: 200 }),
release: async () => undefined,
});
await writeDownloadSkill({
workspaceDir,
name: "zip-good",
installId: "dl",
url,
archive: "zip",
stripComponents: 1,
targetDir,
});
const result = await installSkill({ workspaceDir, skillName: "zip-good", installId: "dl" });
expect(result.ok).toBe(true);
expect(await fs.readFile(path.join(targetDir, "hello.txt"), "utf-8")).toBe("hi");
} finally {
await fs.rm(workspaceDir, { recursive: true, force: true }).catch(() => undefined);
}
});
it("rejects tar.bz2 traversal before extraction", async () => {
const workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-skills-install-"));
try {
const targetDir = path.join(workspaceDir, "target");
const url = "https://example.invalid/evil.tbz2";
fetchWithSsrFGuardMock.mockResolvedValue({
response: new Response(new Uint8Array([1, 2, 3]), { status: 200 }),
release: async () => undefined,
});
runCommandWithTimeoutMock.mockImplementation(async (argv: unknown[]) => {
const cmd = argv as string[];
if (cmd[0] === "tar" && cmd[1] === "tf") {
return { code: 0, stdout: "../outside.txt\n", stderr: "", signal: null, killed: false };
}
if (cmd[0] === "tar" && cmd[1] === "tvf") {
return {
code: 0,
stdout: "-rw-r--r-- 0 0 0 0 Jan 1 00:00 ../outside.txt\n",
stderr: "",
signal: null,
killed: false,
};
}
if (cmd[0] === "tar" && cmd[1] === "xf") {
throw new Error("should not extract");
}
return { code: 0, stdout: "", stderr: "", signal: null, killed: false };
});
await writeDownloadSkill({
workspaceDir,
name: "tbz2-slip",
installId: "dl",
url,
archive: "tar.bz2",
targetDir,
});
const result = await installSkill({ workspaceDir, skillName: "tbz2-slip", installId: "dl" });
expect(result.ok).toBe(false);
expect(
runCommandWithTimeoutMock.mock.calls.some((call) => (call[0] as string[])[1] === "xf"),
).toBe(false);
} finally {
await fs.rm(workspaceDir, { recursive: true, force: true }).catch(() => undefined);
}
});
it("rejects tar.bz2 archives containing symlinks", async () => {
const workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-skills-install-"));
try {
const targetDir = path.join(workspaceDir, "target");
const url = "https://example.invalid/evil.tbz2";
fetchWithSsrFGuardMock.mockResolvedValue({
response: new Response(new Uint8Array([1, 2, 3]), { status: 200 }),
release: async () => undefined,
});
runCommandWithTimeoutMock.mockImplementation(async (argv: unknown[]) => {
const cmd = argv as string[];
if (cmd[0] === "tar" && cmd[1] === "tf") {
return {
code: 0,
stdout: "link\nlink/pwned.txt\n",
stderr: "",
signal: null,
killed: false,
};
}
if (cmd[0] === "tar" && cmd[1] === "tvf") {
return {
code: 0,
stdout: "lrwxr-xr-x 0 0 0 0 Jan 1 00:00 link -> ../outside\n",
stderr: "",
signal: null,
killed: false,
};
}
if (cmd[0] === "tar" && cmd[1] === "xf") {
throw new Error("should not extract");
}
return { code: 0, stdout: "", stderr: "", signal: null, killed: false };
});
await writeDownloadSkill({
workspaceDir,
name: "tbz2-symlink",
installId: "dl",
url,
archive: "tar.bz2",
targetDir,
});
const result = await installSkill({
workspaceDir,
skillName: "tbz2-symlink",
installId: "dl",
});
expect(result.ok).toBe(false);
expect(result.stderr.toLowerCase()).toContain("link");
} finally {
await fs.rm(workspaceDir, { recursive: true, force: true }).catch(() => undefined);
}
});
it("extracts tar.bz2 with stripComponents safely (preflight only)", async () => {
const workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-skills-install-"));
try {
const targetDir = path.join(workspaceDir, "target");
const url = "https://example.invalid/good.tbz2";
fetchWithSsrFGuardMock.mockResolvedValue({
response: new Response(new Uint8Array([1, 2, 3]), { status: 200 }),
release: async () => undefined,
});
runCommandWithTimeoutMock.mockImplementation(async (argv: unknown[]) => {
const cmd = argv as string[];
if (cmd[0] === "tar" && cmd[1] === "tf") {
return {
code: 0,
stdout: "package/hello.txt\n",
stderr: "",
signal: null,
killed: false,
};
}
if (cmd[0] === "tar" && cmd[1] === "tvf") {
return {
code: 0,
stdout: "-rw-r--r-- 0 0 0 0 Jan 1 00:00 package/hello.txt\n",
stderr: "",
signal: null,
killed: false,
};
}
if (cmd[0] === "tar" && cmd[1] === "xf") {
return { code: 0, stdout: "ok", stderr: "", signal: null, killed: false };
}
return { code: 0, stdout: "", stderr: "", signal: null, killed: false };
});
await writeDownloadSkill({
workspaceDir,
name: "tbz2-ok",
installId: "dl",
url,
archive: "tar.bz2",
stripComponents: 1,
targetDir,
});
const result = await installSkill({ workspaceDir, skillName: "tbz2-ok", installId: "dl" });
expect(result.ok).toBe(true);
expect(
runCommandWithTimeoutMock.mock.calls.some((call) => (call[0] as string[])[1] === "xf"),
).toBe(true);
} finally {
await fs.rm(workspaceDir, { recursive: true, force: true }).catch(() => undefined);
}
});
it("rejects tar.bz2 stripComponents escape", async () => {
const workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-skills-install-"));
try {
const targetDir = path.join(workspaceDir, "target");
const url = "https://example.invalid/evil.tbz2";
fetchWithSsrFGuardMock.mockResolvedValue({
response: new Response(new Uint8Array([1, 2, 3]), { status: 200 }),
release: async () => undefined,
});
runCommandWithTimeoutMock.mockImplementation(async (argv: unknown[]) => {
const cmd = argv as string[];
if (cmd[0] === "tar" && cmd[1] === "tf") {
return { code: 0, stdout: "a/../b.txt\n", stderr: "", signal: null, killed: false };
}
if (cmd[0] === "tar" && cmd[1] === "tvf") {
return {
code: 0,
stdout: "-rw-r--r-- 0 0 0 0 Jan 1 00:00 a/../b.txt\n",
stderr: "",
signal: null,
killed: false,
};
}
if (cmd[0] === "tar" && cmd[1] === "xf") {
throw new Error("should not extract");
}
return { code: 0, stdout: "", stderr: "", signal: null, killed: false };
});
await writeDownloadSkill({
workspaceDir,
name: "tbz2-strip-escape",
installId: "dl",
url,
archive: "tar.bz2",
stripComponents: 1,
targetDir,
});
const result = await installSkill({
workspaceDir,
skillName: "tbz2-strip-escape",
installId: "dl",
});
expect(result.ok).toBe(false);
expect(
runCommandWithTimeoutMock.mock.calls.some((call) => (call[0] as string[])[1] === "xf"),
).toBe(false);
} finally {
await fs.rm(workspaceDir, { recursive: true, force: true }).catch(() => undefined);
}
});
});

166
src/agents/skills-install.ts
View File

@@ -4,6 +4,7 @@ import path from "node:path";
import { Readable } from "node:stream";
import { pipeline } from "node:stream/promises";
import type { OpenClawConfig } from "../config/config.js";
import { extractArchive as extractArchiveSafe } from "../infra/archive.js";
import { resolveBrewExecutable } from "../infra/brew.js";
import { fetchWithSsrFGuard } from "../infra/net/fetch-guard.js";
import { runCommandWithTimeout } from "../process/exec.js";
@@ -225,6 +226,66 @@ function resolveArchiveType(spec: SkillInstallSpec, filename: string): string |
return undefined;
}
function normalizeArchiveEntryPath(raw: string): string {
return raw.replaceAll("\\", "/");
}
function isWindowsDrivePath(p: string): boolean {
return /^[a-zA-Z]:[\\/]/.test(p);
}
function validateArchiveEntryPath(entryPath: string): void {
if (!entryPath || entryPath === "." || entryPath === "./") {
return;
}
if (isWindowsDrivePath(entryPath)) {
throw new Error(`archive entry uses a drive path: ${entryPath}`);
}
const normalized = path.posix.normalize(normalizeArchiveEntryPath(entryPath));
if (normalized === ".." || normalized.startsWith("../")) {
throw new Error(`archive entry escapes targetDir: ${entryPath}`);
}
if (path.posix.isAbsolute(normalized) || normalized.startsWith("//")) {
throw new Error(`archive entry is absolute: ${entryPath}`);
}
}
function resolveSafeBaseDir(rootDir: string): string {
const resolved = path.resolve(rootDir);
return resolved.endsWith(path.sep) ? resolved : `${resolved}${path.sep}`;
}
function stripArchivePath(entryPath: string, stripComponents: number): string | null {
const raw = normalizeArchiveEntryPath(entryPath);
if (!raw || raw === "." || raw === "./") {
return null;
}
// Important: tar's --strip-components semantics operate on raw path segments,
// before any normalization that would collapse "..". We mimic that so we
// can detect strip-induced escapes like "a/../b" with stripComponents=1.
const parts = raw.split("/").filter((part) => part.length > 0 && part !== ".");
const strip = Math.max(0, Math.floor(stripComponents));
const stripped = strip === 0 ? parts.join("/") : parts.slice(strip).join("/");
const result = path.posix.normalize(stripped);
if (!result || result === "." || result === "./") {
return null;
}
return result;
}
function validateExtractedPathWithinRoot(params: {
rootDir: string;
relPath: string;
originalPath: string;
}): void {
const safeBase = resolveSafeBaseDir(params.rootDir);
const outPath = path.resolve(params.rootDir, params.relPath);
if (!outPath.startsWith(safeBase)) {
throw new Error(`archive entry escapes targetDir: ${params.originalPath}`);
}
}
async function downloadFile(
url: string,
destPath: string,
@@ -260,22 +321,99 @@ async function extractArchive(params: {
timeoutMs: number;
}): Promise<{ stdout: string; stderr: string; code: number | null }> {
const { archivePath, archiveType, targetDir, stripComponents, timeoutMs } = params;
if (archiveType === "zip") {
if (!hasBinary("unzip")) {
return { stdout: "", stderr: "unzip not found on PATH", code: null };
}
const argv = ["unzip", "-q", archivePath, "-d", targetDir];
return await runCommandWithTimeout(argv, { timeoutMs });
}
const strip =
typeof stripComponents === "number" && Number.isFinite(stripComponents)
? Math.max(0, Math.floor(stripComponents))
: 0;
if (!hasBinary("tar")) {
return { stdout: "", stderr: "tar not found on PATH", code: null };
try {
if (archiveType === "zip") {
await extractArchiveSafe({
archivePath,
destDir: targetDir,
timeoutMs,
kind: "zip",
stripComponents: strip,
});
return { stdout: "", stderr: "", code: 0 };
}
if (archiveType === "tar.gz") {
await extractArchiveSafe({
archivePath,
destDir: targetDir,
timeoutMs,
kind: "tar",
stripComponents: strip,
tarGzip: true,
});
return { stdout: "", stderr: "", code: 0 };
}
if (archiveType === "tar.bz2") {
if (!hasBinary("tar")) {
return { stdout: "", stderr: "tar not found on PATH", code: null };
}
// Preflight list to prevent zip-slip style traversal before extraction.
const listResult = await runCommandWithTimeout(["tar", "tf", archivePath], { timeoutMs });
if (listResult.code !== 0) {
return {
stdout: listResult.stdout,
stderr: listResult.stderr || "tar list failed",
code: listResult.code,
};
}
const entries = listResult.stdout
.split("\n")
.map((line) => line.trim())
.filter(Boolean);
const verboseResult = await runCommandWithTimeout(["tar", "tvf", archivePath], { timeoutMs });
if (verboseResult.code !== 0) {
return {
stdout: verboseResult.stdout,
stderr: verboseResult.stderr || "tar verbose list failed",
code: verboseResult.code,
};
}
for (const line of verboseResult.stdout.split("\n")) {
const trimmed = line.trim();
if (!trimmed) {
continue;
}
const typeChar = trimmed[0];
if (typeChar === "l" || typeChar === "h" || trimmed.includes(" -> ")) {
return {
stdout: verboseResult.stdout,
stderr: "tar archive contains link entries; refusing to extract for safety",
code: 1,
};
}
}
for (const entry of entries) {
validateArchiveEntryPath(entry);
const relPath = stripArchivePath(entry, strip);
if (!relPath) {
continue;
}
validateArchiveEntryPath(relPath);
validateExtractedPathWithinRoot({ rootDir: targetDir, relPath, originalPath: entry });
}
const argv = ["tar", "xf", archivePath, "-C", targetDir];
if (strip > 0) {
argv.push("--strip-components", String(strip));
}
return await runCommandWithTimeout(argv, { timeoutMs });
}
return { stdout: "", stderr: `unsupported archive type: ${archiveType}`, code: null };
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
return { stdout: "", stderr: message, code: 1 };
}
const argv = ["tar", "xf", archivePath, "-C", targetDir];
if (typeof stripComponents === "number" && Number.isFinite(stripComponents)) {
argv.push("--strip-components", String(Math.max(0, Math.floor(stripComponents))));
}
return await runCommandWithTimeout(argv, { timeoutMs });
}
async function installDownloadSpec(params: {

14
src/agents/tools/browser-tool.ts
View File

@@ -21,6 +21,7 @@ import {
} from "../../browser/client.js";
import { resolveBrowserConfig } from "../../browser/config.js";
import { DEFAULT_AI_SNAPSHOT_MAX_CHARS } from "../../browser/constants.js";
import { DEFAULT_UPLOAD_DIR, resolvePathsWithinRoot } from "../../browser/paths.js";
import { loadConfig } from "../../config/config.js";
import { saveMediaBuffer } from "../../media/store.js";
import { wrapExternalContent } from "../../security/external-content.js";
@@ -724,6 +725,15 @@ export function createBrowserTool(opts?: {
if (paths.length === 0) {
throw new Error("paths required");
}
const uploadPathsResult = resolvePathsWithinRoot({
rootDir: DEFAULT_UPLOAD_DIR,
requestedPaths: paths,
scopeLabel: `uploads directory (${DEFAULT_UPLOAD_DIR})`,
});
if (!uploadPathsResult.ok) {
throw new Error(uploadPathsResult.error);
}
const normalizedPaths = uploadPathsResult.paths;
const ref = readStringParam(params, "ref");
const inputRef = readStringParam(params, "inputRef");
const element = readStringParam(params, "element");
@@ -738,7 +748,7 @@ export function createBrowserTool(opts?: {
path: "/hooks/file-chooser",
profile,
body: {
paths,
paths: normalizedPaths,
ref,
inputRef,
element,
@@ -750,7 +760,7 @@ export function createBrowserTool(opts?: {
}
return jsonResult(
await browserArmFileChooser(baseUrl, {
paths,
paths: normalizedPaths,
ref,
inputRef,
element,