github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 14:18:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden regex compilation for filters and redaction

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-23 23:54:46 +00:00
parent e6484cb65f
commit a2dfe9879f
8 changed files with 238 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/infra/exec-approval-forwarder.ts
View File

@@ -7,6 +7,7 @@ import type {
} from "../config/types.approvals.js";
import { createSubsystemLogger } from "../logging/subsystem.js";
import { normalizeAccountId, parseAgentSessionKey } from "../routing/session-key.js";
import { compileSafeRegex } from "../security/safe-regex.js";
import { isDeliverableMessageChannel, normalizeMessageChannel } from "../utils/message-channel.js";
import type {
ExecApprovalDecision,
@@ -52,11 +53,11 @@ function normalizeMode(mode?: ExecApprovalForwardingConfig["mode"]) {
function matchSessionFilter(sessionKey: string, patterns: string[]): boolean {
return patterns.some((pattern) => {
try {
return sessionKey.includes(pattern) || new RegExp(pattern).test(sessionKey);
} catch {
return sessionKey.includes(pattern);
if (sessionKey.includes(pattern)) {
return true;
}
const regex = compileSafeRegex(pattern);
return regex ? regex.test(sessionKey) : false;
});
}