fix(security): enforce sandbox bridge auth

Peter Steinberger
2026-02-14 13:17:41 +01:00
parent 4711a943e3
commit 6dd6bce997
8 changed files with 108 additions and 5 deletions


@@ -1,3 +1,4 @@
import crypto from "node:crypto";
import type { SandboxBrowserContext, SandboxConfig } from "./types.js";
import { startBrowserBridgeServer, stopBrowserBridgeServer } from "../../browser/bridge-server.js";
import { type ResolvedBrowserConfig, resolveProfile } from "../../browser/config.js";
@@ -149,13 +150,24 @@ export async function ensureSandboxBrowser(params: {
? await readDockerPort(containerName, params.cfg.browser.noVncPort)
: null;
const desiredAuthToken = params.bridgeAuth?.token?.trim() || undefined;
const desiredAuthPassword = params.bridgeAuth?.password?.trim() || undefined;
const existing = BROWSER_BRIDGES.get(params.scopeKey);
const existingProfile = existing
? resolveProfile(existing.bridge.state.resolved, DEFAULT_OPENCLAW_BROWSER_PROFILE_NAME)
: null;
let desiredAuthToken = params.bridgeAuth?.token?.trim() || undefined;
let desiredAuthPassword = params.bridgeAuth?.password?.trim() || undefined;
if (!desiredAuthToken && !desiredAuthPassword) {
// Always require auth for the sandbox bridge server, even if gateway auth
// mode doesn't produce a shared secret (e.g. trusted-proxy).
// Keep it stable across calls by reusing the existing bridge auth.
desiredAuthToken = existing?.authToken;
desiredAuthPassword = existing?.authPassword;
if (!desiredAuthToken && !desiredAuthPassword) {
desiredAuthToken = crypto.randomBytes(24).toString("hex");
}
}
const shouldReuse =
existing && existing.containerName === containerName && existingProfile?.cdpPort === mappedCdp;
const authMatches =