github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 11:07:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Security/Gateway: harden Control UI static path containment (#21203)

Browse Source 
* Security/Gateway: harden Control UI static path containment

* gateway: block control-ui symlink escapes

* CI: retrigger flaky node test lane

---------

Co-authored-by: Brian Mendonca <brianmendonca@Brians-MacBook-Air.local>
This commit is contained in:
bmendonca3
2026-02-21 15:47:51 -07:00
committed by GitHub
parent 71bd15bb42
commit 6ac89757ba
2 changed files with 77 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/gateway/control-ui.ts
View File

@@ -3,6 +3,7 @@ import type { IncomingMessage, ServerResponse } from "node:http";
import path from "node:path";
import type { OpenClawConfig } from "../config/config.js";
import { resolveControlUiRootSync } from "../infra/control-ui-assets.js";
import { isWithinDir } from "../infra/path-safety.js";
import { DEFAULT_ASSISTANT_IDENTITY, resolveAssistantIdentity } from "./assistant-identity.js";
import {
CONTROL_UI_BOOTSTRAP_CONFIG_PATH,
@@ -264,6 +265,9 @@ function isSafeRelativePath(relPath: string) {
return false;
}
const normalized = path.posix.normalize(relPath);
if (path.posix.isAbsolute(normalized) || path.win32.isAbsolute(normalized)) {
return false;
}
if (normalized.startsWith("../") || normalized === "..") {
return false;
}
@@ -418,8 +422,8 @@ export function handleControlUiHttpRequest(
return true;
}
const filePath = path.join(root, fileRel);
if (!filePath.startsWith(root)) {
const filePath = path.resolve(root, fileRel);
if (!isWithinDir(root, filePath)) {
respondNotFound(res);
return true;
}