github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-19 02:07:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(macos): block quoted shell substitution in allowlist checks

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 22:51:38 +01:00
parent 861718e4dc
commit 90a378ca3a
9 changed files with 53 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
apps/macos/Sources/OpenClaw/ExecCommandResolution.swift
View File

@@ -194,11 +194,13 @@ struct ExecCommandResolution: Sendable {
continue
}
if !inSingle, self.shouldFailClosedForShell(ch: ch, next: next) {
// Fail closed on command/process substitution in allowlist mode,
// including inside double-quoted shell strings.
return nil
}
if !inSingle, !inDouble {
if self.shouldFailClosedForUnquotedShell(ch: ch, next: next) {
// Fail closed on command/process substitution in allowlist mode.
return nil
}
let prev: Character? = idx > 0 ? chars[idx - 1] : nil
if let delimiterStep = self.chainDelimiterStep(ch: ch, prev: prev, next: next) {
guard appendCurrent() else { return nil }
@@ -216,7 +218,7 @@ struct ExecCommandResolution: Sendable {
return segments
}
private static func shouldFailClosedForUnquotedShell(ch: Character, next: Character?) -> Bool {
private static func shouldFailClosedForShell(ch: Character, next: Character?) -> Bool {
if ch == "`" {
return true
}