github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 18:18:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block dangerous tools from HTTP gateway and fix ACP auto-approval (OC-02)

Browse Source 
Two critical RCE vectors patched:

Vector 1 - Gateway HTTP /tools/invoke:
- Add DEFAULT_GATEWAY_HTTP_TOOL_DENY blocking sessions_spawn,
  sessions_send, gateway, whatsapp_login from HTTP invocation
- Apply deny filter after existing policy cascade, before tool lookup
- Add gateway.tools.{allow,deny} config override in GatewayConfig

Vector 2 - ACP client auto-approval:
- Replace blind allow_once selection with danger-aware permission handler
- Dangerous tools (exec, sessions_spawn, etc.) require interactive confirmation
- Safe tools retain auto-approve behavior (backward compatible)
- Empty options array now denied (was hardcoded "allow")
- 30s timeout auto-denies to prevent hung sessions

CWE-78 | CVSS:3.1 9.8 Critical
This commit is contained in:
aether-ai-agent
2026-02-13 22:28:43 +11:00
committed by Peter Steinberger
parent 8899f9e94a
commit 749e28dec7
5 changed files with 237 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/gateway/tools-invoke-http.ts
View File

@@ -34,6 +34,22 @@ import { getBearerToken, getHeader } from "./http-utils.js";
const DEFAULT_BODY_BYTES = 2 * 1024 * 1024;
const MEMORY_TOOL_NAMES = new Set(["memory_search", "memory_get"]);
/**
* Tools denied via HTTP /tools/invoke regardless of session policy.
* Prevents RCE and privilege escalation from HTTP API surface.
* Configurable via gateway.tools.{deny,allow} in openclaw.json.
*/
const DEFAULT_GATEWAY_HTTP_TOOL_DENY = [
// Session orchestration — spawning agents remotely is RCE
"sessions_spawn",
// Cross-session injection — message injection across sessions
"sessions_send",
// Gateway control plane — prevents gateway reconfiguration via HTTP
"gateway",
// Interactive setup — requires terminal QR scan, hangs on HTTP
"whatsapp_login",
];
type ToolsInvokeBody = {
tool?: unknown;
action?: unknown;
@@ -297,7 +313,15 @@ export async function handleToolsInvokeHttpRequest(
? filterToolsByPolicy(groupFiltered, subagentPolicyExpanded)
: groupFiltered;
const tool = subagentFiltered.find((t) => t.name === toolName);
// Gateway HTTP-specific deny list — applies to ALL sessions via HTTP.
const gatewayToolsCfg = cfg.gateway?.tools;
const gatewayDenyNames = DEFAULT_GATEWAY_HTTP_TOOL_DENY
.filter((name) => !gatewayToolsCfg?.allow?.includes(name))
.concat(Array.isArray(gatewayToolsCfg?.deny) ? gatewayToolsCfg.deny : []);
const gatewayDenySet = new Set(gatewayDenyNames);
const gatewayFiltered = subagentFiltered.filter((t) => !gatewayDenySet.has(t.name));
const tool = gatewayFiltered.find((t) => t.name === toolName);
if (!tool) {
sendJson(res, 404, {
ok: false,