fix(sandbox): use one-time noVNC observer tokens

2026-05-08 03:11:25 +00:00 · 2026-02-21 13:56:49 +01:00
parent b43aadc34c
commit 8c1518f0f3
11 changed files with 463 additions and 27 deletions
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -498,6 +498,57 @@ describe("security audit", () => {
    expect(hasFinding(res, "sandbox.browser_container.hash_epoch_stale")).toBe(false);
  });

+  it("flags sandbox browser containers with non-loopback published ports", async () => {
+    const tmp = await makeTmpDir("browser-non-loopback-publish");
+    const stateDir = path.join(tmp, "state");
+    await fs.mkdir(stateDir, { recursive: true, mode: 0o700 });
+    const configPath = path.join(stateDir, "openclaw.json");
+    await fs.writeFile(configPath, "{}\n", "utf-8");
+    await fs.chmod(configPath, 0o600);
+
+    const execDockerRawFn = (async (args: string[]) => {
+      if (args[0] === "ps") {
+        return {
+          stdout: Buffer.from("openclaw-sbx-browser-exposed\n"),
+          stderr: Buffer.alloc(0),
+          code: 0,
+        };
+      }
+      if (args[0] === "inspect" && args.at(-1) === "openclaw-sbx-browser-exposed") {
+        return {
+          stdout: Buffer.from("hash123\t2026-02-21-novnc-auth-default\n"),
+          stderr: Buffer.alloc(0),
+          code: 0,
+        };
+      }
+      if (args[0] === "port" && args.at(-1) === "openclaw-sbx-browser-exposed") {
+        return {
+          stdout: Buffer.from("6080/tcp -> 0.0.0.0:49101\n9222/tcp -> 127.0.0.1:49100\n"),
+          stderr: Buffer.alloc(0),
+          code: 0,
+        };
+      }
+      return {
+        stdout: Buffer.alloc(0),
+        stderr: Buffer.from("not found"),
+        code: 1,
+      };
+    }) as NonNullable<SecurityAuditOptions["execDockerRawFn"]>;
+
+    const res = await runSecurityAudit({
+      config: {},
+      includeFilesystem: true,
+      includeChannelSecurity: false,
+      stateDir,
+      configPath,
+      execDockerRawFn,
+    });
+
+    expect(hasFinding(res, "sandbox.browser_container.non_loopback_publish", "critical")).toBe(
+      true,
+    );
+  });
+
  it("uses symlink target permissions for config checks", async () => {
    if (isWindows) {
      return;