github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-12 09:11:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden sms.send dangerous-node defaults

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 16:06:36 +00:00
parent c4711a9b69
commit 3e5762c288
5 changed files with 116 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/wizard/onboarding.gateway-config.test.ts
View File

@@ -1,5 +1,6 @@
import { describe, expect, it, vi } from "vitest";
import { createWizardPrompter as buildWizardPrompter } from "../../test/helpers/wizard-prompter.js";
import { DEFAULT_DANGEROUS_NODE_COMMANDS } from "../gateway/node-command-policy.js";
import type { RuntimeEnv } from "../runtime.js";
import type { WizardPrompter, WizardSelectParams } from "./prompts.js";
@@ -89,14 +90,7 @@ describe("configureGatewayForOnboarding", () => {
const result = await runGatewayConfig();
expect(result.settings.gatewayToken).toBe("generated-token");
expect(result.nextConfig.gateway?.nodes?.denyCommands).toEqual([
"camera.snap",
"camera.clip",
"screen.record",
"calendar.add",
"contacts.add",
"reminders.add",
]);
expect(result.nextConfig.gateway?.nodes?.denyCommands).toEqual(DEFAULT_DANGEROUS_NODE_COMMANDS);
});
it("prefers OPENCLAW_GATEWAY_TOKEN during quickstart token setup", async () => {

17
src/wizard/onboarding.gateway-config.ts
View File

@@ -12,6 +12,7 @@ import {
TAILSCALE_EXPOSURE_OPTIONS,
TAILSCALE_MISSING_BIN_NOTE_LINES,
} from "../gateway/gateway-config-prompts.shared.js";
import { DEFAULT_DANGEROUS_NODE_COMMANDS } from "../gateway/node-command-policy.js";
import { findTailscaleBinary } from "../infra/tailscale.js";
import type { RuntimeEnv } from "../runtime.js";
import { validateIPv4AddressInput } from "../shared/net/ipv4.js";
@@ -22,20 +23,6 @@ import type {
} from "./onboarding.types.js";
import type { WizardPrompter } from "./prompts.js";
// These commands are "high risk" (privacy writes/recording) and should be
// explicitly armed by the user when they want to use them.
//
// This only affects what the gateway will accept via node.invoke; the iOS app
// still prompts for OS permissions (camera/photos/contacts/etc) on first use.
const DEFAULT_DANGEROUS_NODE_DENY_COMMANDS = [
"camera.snap",
"camera.clip",
"screen.record",
"calendar.add",
"contacts.add",
"reminders.add",
];
type ConfigureGatewayOptions = {
flow: WizardFlow;
baseConfig: OpenClawConfig;
@@ -250,7 +237,7 @@ export async function configureGatewayForOnboarding(
...nextConfig.gateway,
nodes: {
...nextConfig.gateway?.nodes,
denyCommands: [...DEFAULT_DANGEROUS_NODE_DENY_COMMANDS],
denyCommands: [...DEFAULT_DANGEROUS_NODE_COMMANDS],
},
},
};