fix(security): harden browser SSRF defaults and migrate legacy key

Peter Steinberger
2026-02-24 01:51:44 +00:00
parent 8779b523dc
commit 5eb72ab769
24 changed files with 334 additions and 20 deletions


@@ -12,7 +12,11 @@ import type { SsrFPolicy } from "../infra/net/ssrf.js";
import { appendCdpPath, fetchJson, getHeadersWithAuth, withCdpSocket } from "./cdp.helpers.js";
import { normalizeCdpWsUrl } from "./cdp.js";
import { getChromeWebSocketUrl } from "./chrome.js";
import { assertBrowserNavigationAllowed, withBrowserNavigationPolicy } from "./navigation-guard.js";
import {
assertBrowserNavigationAllowed,
assertBrowserNavigationResultAllowed,
withBrowserNavigationPolicy,
} from "./navigation-guard.js";
export type BrowserConsoleMessage = {
type: string;
@@ -738,13 +742,18 @@ export async function createPageViaPlaywright(opts: {
// Navigate to the URL
const targetUrl = opts.url.trim() || "about:blank";
if (targetUrl !== "about:blank") {
const navigationPolicy = withBrowserNavigationPolicy(opts.ssrfPolicy);
await assertBrowserNavigationAllowed({
url: targetUrl,
...withBrowserNavigationPolicy(opts.ssrfPolicy),
...navigationPolicy,
});
await page.goto(targetUrl, { timeout: 30_000 }).catch(() => {
// Navigation might fail for some URLs, but page is still created
});
await assertBrowserNavigationResultAllowed({
url: page.url(),
...navigationPolicy,
});
}
// Get the targetId for this page
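Review bot: When the new `assertBrowserNavigationResultAllowed` call after `page.goto` rejects, the page created earlier in `createPageViaPlaywright` appears to stay open on the disallowed URL, because nothing in the hunk closes it before the error propagates. Closing the page in a catch and rethrowing would keep the blocked content out of later tab operations. The check also reads `page.url()` only after navigation has finished, so the browser has already requested any redirect hop by then; a comment should say this is a result check rather than a per-request block, unless navigation-guard enforces that elsewhere. The function body starts and ends outside the hunk, so an outer handler may already cover the cleanup.

```typescript
// … unchanged: pre-navigation assertBrowserNavigationAllowed and page.goto(...) …
try {
  await assertBrowserNavigationResultAllowed({
    url: page.url(),
    ...navigationPolicy,
  });
} catch (err) {
  // Do not leave a tab parked on a URL the policy rejected.
  await page.close().catch(() => {});
  throw err;
}
```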