github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-18 19:57:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden macos rawCommand allowlist resolution

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 19:16:15 +01:00
parent 5e423b596c
commit 4c1dd9d068
3 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/tools/exec-approvals.md
View File

@@ -142,6 +142,9 @@ Shell chaining (`&&`, `||`, `;`) is allowed when every top-level segment satisfi
(including safe bins or skill auto-allow). Redirections remain unsupported in allowlist mode.
Command substitution (`$()` / backticks) is rejected during allowlist parsing, including inside
double quotes; use single quotes if you need literal `$()` text.
On macOS companion-app approvals, raw shell text containing shell control or expansion syntax
(`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`, `)`) is treated as an allowlist miss unless
the shell binary itself is allowlisted.
Default safe bins: `jq`, `cut`, `uniq`, `head`, `tail`, `tr`, `wc`.