fix(security): block dangerous tools from HTTP gateway and fix ACP auto-approval (OC-02)

Two critical RCE vectors patched: Vector 1 - Gateway HTTP /tools/invoke: - Add DEFAULT_GATEWAY_HTTP_TOOL_DENY blocking sessions_spawn, sessions_send, gateway, whatsapp_login from HTTP invocation - Apply deny filter after existing policy cascade, before tool lookup - Add gateway.tools.{allow,deny} config override in GatewayConfig Vector 2 - ACP client auto-approval: - Replace blind allow_once selection with danger-aware permission handler - Dangerous tools (exec, sessions_spawn, etc.) require interactive confirmation - Safe tools retain auto-approve behavior (backward compatible) - Empty options array now denied (was hardcoded "allow") - 30s timeout auto-denies to prevent hung sessions CWE-78 | CVSS:3.1 9.8 Critical
2026-05-08 07:31:24 +00:00 · 2026-02-13 22:28:43 +11:00
parent 8899f9e94a
commit 749e28dec7
5 changed files with 237 additions and 10 deletions
--- a/src/gateway/tools-invoke-http.test.ts
+++ b/src/gateway/tools-invoke-http.test.ts
@@ -225,6 +225,72 @@ describe("POST /tools/invoke", () => {
    expect(profileRes.status).toBe(404);
  });

+  it("denies sessions_spawn via HTTP even when agent policy allows", async () => {
+    testState.agentsConfig = {
+      list: [
+        {
+          id: "main",
+          tools: { allow: ["sessions_spawn"] },
+        },
+      ],
+    } as any;
+
+    const port = await getFreePort();
+    const server = await startGatewayServer(port, { bind: "loopback" });
+    const token = resolveGatewayToken();
+
+    const res = await fetch(`http://127.0.0.1:${port}/tools/invoke`, {
+      method: "POST",
+      headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
+      body: JSON.stringify({ tool: "sessions_spawn", args: { task: "test" }, sessionKey: "main" }),
+    });
+
+    expect(res.status).toBe(404);
+    const body = await res.json();
+    expect(body.ok).toBe(false);
+    expect(body.error.type).toBe("not_found");
+
+    await server.close();
+  });
+
+  it("denies sessions_send via HTTP gateway", async () => {
+    testState.agentsConfig = {
+      list: [{ id: "main", tools: { allow: ["sessions_send"] } }],
+    } as any;
+
+    const port = await getFreePort();
+    const server = await startGatewayServer(port, { bind: "loopback" });
+    const token = resolveGatewayToken();
+
+    const res = await fetch(`http://127.0.0.1:${port}/tools/invoke`, {
+      method: "POST",
+      headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
+      body: JSON.stringify({ tool: "sessions_send", args: {}, sessionKey: "main" }),
+    });
+
+    expect(res.status).toBe(404);
+    await server.close();
+  });
+
+  it("denies gateway tool via HTTP", async () => {
+    testState.agentsConfig = {
+      list: [{ id: "main", tools: { allow: ["gateway"] } }],
+    } as any;
+
+    const port = await getFreePort();
+    const server = await startGatewayServer(port, { bind: "loopback" });
+    const token = resolveGatewayToken();
+
+    const res = await fetch(`http://127.0.0.1:${port}/tools/invoke`, {
+      method: "POST",
+      headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
+      body: JSON.stringify({ tool: "gateway", args: {}, sessionKey: "main" }),
+    });
+
+    expect(res.status).toBe(404);
+    await server.close();
+  });
+
  it("uses the configured main session key when sessionKey is missing or main", async () => {
    testState.agentsConfig = {
      list: [
--- a/src/gateway/tools-invoke-http.ts
+++ b/src/gateway/tools-invoke-http.ts
@@ -34,6 +34,22 @@ import { getBearerToken, getHeader } from "./http-utils.js";
 const DEFAULT_BODY_BYTES = 2 * 1024 * 1024;
 const MEMORY_TOOL_NAMES = new Set(["memory_search", "memory_get"]);

+/**
+ * Tools denied via HTTP /tools/invoke regardless of session policy.
+ * Prevents RCE and privilege escalation from HTTP API surface.
+ * Configurable via gateway.tools.{deny,allow} in openclaw.json.
+ */
+const DEFAULT_GATEWAY_HTTP_TOOL_DENY = [
+  // Session orchestration — spawning agents remotely is RCE
+  "sessions_spawn",
+  // Cross-session injection — message injection across sessions
+  "sessions_send",
+  // Gateway control plane — prevents gateway reconfiguration via HTTP
+  "gateway",
+  // Interactive setup — requires terminal QR scan, hangs on HTTP
+  "whatsapp_login",
+];
+
 type ToolsInvokeBody = {
  tool?: unknown;
  action?: unknown;
@@ -297,7 +313,15 @@ export async function handleToolsInvokeHttpRequest(
    ? filterToolsByPolicy(groupFiltered, subagentPolicyExpanded)
    : groupFiltered;

-  const tool = subagentFiltered.find((t) => t.name === toolName);
+  // Gateway HTTP-specific deny list — applies to ALL sessions via HTTP.
+  const gatewayToolsCfg = cfg.gateway?.tools;
+  const gatewayDenyNames = DEFAULT_GATEWAY_HTTP_TOOL_DENY
+    .filter((name) => !gatewayToolsCfg?.allow?.includes(name))
+    .concat(Array.isArray(gatewayToolsCfg?.deny) ? gatewayToolsCfg.deny : []);
+  const gatewayDenySet = new Set(gatewayDenyNames);
+  const gatewayFiltered = subagentFiltered.filter((t) => !gatewayDenySet.has(t.name));
+
+  const tool = gatewayFiltered.find((t) => t.name === toolName);
  if (!tool) {
    sendJson(res, 404, {
      ok: false,