github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-07 23:41:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): restrict default safe-bin trusted dirs

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-24 23:12:52 +00:00
parent 2d159e5e87
commit b67e600bff
6 changed files with 32 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/infra/exec-safe-bin-runtime-policy.test.ts
View File

@@ -89,4 +89,18 @@ describe("exec safe-bin runtime policy", () => {
expect(policy.trustedSafeBinDirs.has(path.resolve(customDir))).toBe(true);
expect(policy.trustedSafeBinDirs.has(path.resolve(agentDir))).toBe(true);
});
it("does not trust package-manager bin dirs unless explicitly configured", () => {
const defaultPolicy = resolveExecSafeBinRuntimePolicy({});
expect(defaultPolicy.trustedSafeBinDirs.has(path.resolve("/opt/homebrew/bin"))).toBe(false);
expect(defaultPolicy.trustedSafeBinDirs.has(path.resolve("/usr/local/bin"))).toBe(false);
const optedIn = resolveExecSafeBinRuntimePolicy({
global: {
safeBinTrustedDirs: ["/opt/homebrew/bin", "/usr/local/bin"],
},
});
expect(optedIn.trustedSafeBinDirs.has(path.resolve("/opt/homebrew/bin"))).toBe(true);
expect(optedIn.trustedSafeBinDirs.has(path.resolve("/usr/local/bin"))).toBe(true);
});
});

9
src/infra/exec-safe-bin-trust.test.ts
View File

@@ -8,6 +8,15 @@ import {
} from "./exec-safe-bin-trust.js";
describe("exec safe bin trust", () => {
it("keeps default trusted dirs limited to immutable system paths", () => {
const dirs = getTrustedSafeBinDirs({ refresh: true });
expect(dirs.has(path.resolve("/bin"))).toBe(true);
expect(dirs.has(path.resolve("/usr/bin"))).toBe(true);
expect(dirs.has(path.resolve("/usr/local/bin"))).toBe(false);
expect(dirs.has(path.resolve("/opt/homebrew/bin"))).toBe(false);
});
it("builds trusted dirs from defaults and explicit extra dirs", () => {
const dirs = buildTrustedSafeBinDirs({
baseDirs: ["/usr/bin"],

12
src/infra/exec-safe-bin-trust.ts
View File

@@ -1,14 +1,8 @@
import path from "node:path";
const DEFAULT_SAFE_BIN_TRUSTED_DIRS = [
"/bin",
"/usr/bin",
"/usr/local/bin",
"/opt/homebrew/bin",
"/opt/local/bin",
"/snap/bin",
"/run/current-system/sw/bin",
];
// Keep defaults to OS-managed immutable bins only.
// User/package-manager bins must be opted in via tools.exec.safeBinTrustedDirs.
const DEFAULT_SAFE_BIN_TRUSTED_DIRS = ["/bin", "/usr/bin"];
type TrustedSafeBinDirsParams = {
baseDirs?: readonly string[];