fix: harden plugin and hook install paths

2026-05-08 03:11:25 +00:00 · 2026-02-02 02:04:50 -08:00
parent be9a2fb134
commit d03eca8450
9 changed files with 307 additions and 14 deletions
--- a/src/hooks/install.test.ts
+++ b/src/hooks/install.test.ts
@@ -118,6 +118,100 @@ describe("installHooksFromArchive", () => {
    expect(result.hooks).toContain("tar-hook");
    expect(result.targetDir).toBe(path.join(stateDir, "hooks", "tar-hooks"));
  });
+
+  it("rejects hook packs with traversal-like ids", async () => {
+    const stateDir = makeTempDir();
+    const workDir = makeTempDir();
+    const archivePath = path.join(workDir, "hooks.tar");
+    const pkgDir = path.join(workDir, "package");
+
+    fs.mkdirSync(path.join(pkgDir, "hooks", "evil-hook"), { recursive: true });
+    fs.writeFileSync(
+      path.join(pkgDir, "package.json"),
+      JSON.stringify({
+        name: "@evil/..",
+        version: "0.0.1",
+        openclaw: { hooks: ["./hooks/evil-hook"] },
+      }),
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pkgDir, "hooks", "evil-hook", "HOOK.md"),
+      [
+        "---",
+        "name: evil-hook",
+        "description: Evil hook",
+        'metadata: {"openclaw":{"events":["command:new"]}}',
+        "---",
+        "",
+        "# Evil Hook",
+      ].join("\n"),
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pkgDir, "hooks", "evil-hook", "handler.ts"),
+      "export default async () => {};\n",
+      "utf-8",
+    );
+    await tar.c({ cwd: workDir, file: archivePath }, ["package"]);
+
+    const hooksDir = path.join(stateDir, "hooks");
+    const { installHooksFromArchive } = await import("./install.js");
+    const result = await installHooksFromArchive({ archivePath, hooksDir });
+
+    expect(result.ok).toBe(false);
+    if (result.ok) {
+      return;
+    }
+    expect(result.error).toContain("reserved path segment");
+  });
+
+  it("rejects hook packs with reserved ids", async () => {
+    const stateDir = makeTempDir();
+    const workDir = makeTempDir();
+    const archivePath = path.join(workDir, "hooks.tar");
+    const pkgDir = path.join(workDir, "package");
+
+    fs.mkdirSync(path.join(pkgDir, "hooks", "reserved-hook"), { recursive: true });
+    fs.writeFileSync(
+      path.join(pkgDir, "package.json"),
+      JSON.stringify({
+        name: "@evil/.",
+        version: "0.0.1",
+        openclaw: { hooks: ["./hooks/reserved-hook"] },
+      }),
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pkgDir, "hooks", "reserved-hook", "HOOK.md"),
+      [
+        "---",
+        "name: reserved-hook",
+        "description: Reserved hook",
+        'metadata: {"openclaw":{"events":["command:new"]}}',
+        "---",
+        "",
+        "# Reserved Hook",
+      ].join("\n"),
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pkgDir, "hooks", "reserved-hook", "handler.ts"),
+      "export default async () => {};\n",
+      "utf-8",
+    );
+    await tar.c({ cwd: workDir, file: archivePath }, ["package"]);
+
+    const hooksDir = path.join(stateDir, "hooks");
+    const { installHooksFromArchive } = await import("./install.js");
+    const result = await installHooksFromArchive({ archivePath, hooksDir });
+
+    expect(result.ok).toBe(false);
+    if (result.ok) {
+      return;
+    }
+    expect(result.error).toContain("reserved path segment");
+  });
 });

 describe("installHooksFromPath", () => {
--- a/src/hooks/install.ts
+++ b/src/hooks/install.ts
@@ -49,12 +49,52 @@ function safeDirName(input: string): string {
  if (!trimmed) {
    return trimmed;
  }
-  return trimmed.replaceAll("/", "__");
+  return trimmed.replaceAll("/", "__").replaceAll("\\", "__");
+}
+
+function validateHookId(hookId: string): string | null {
+  if (!hookId) {
+    return "invalid hook name: missing";
+  }
+  if (hookId === "." || hookId === "..") {
+    return "invalid hook name: reserved path segment";
+  }
+  if (hookId.includes("/") || hookId.includes("\\")) {
+    return "invalid hook name: path separators not allowed";
+  }
+  return null;
 }

 export function resolveHookInstallDir(hookId: string, hooksDir?: string): string {
  const hooksBase = hooksDir ? resolveUserPath(hooksDir) : path.join(CONFIG_DIR, "hooks");
-  return path.join(hooksBase, safeDirName(hookId));
+  const hookIdError = validateHookId(hookId);
+  if (hookIdError) {
+    throw new Error(hookIdError);
+  }
+  const targetDirResult = resolveSafeInstallDir(hooksBase, hookId);
+  if (!targetDirResult.ok) {
+    throw new Error(targetDirResult.error);
+  }
+  return targetDirResult.path;
+}
+
+function resolveSafeInstallDir(
+  hooksDir: string,
+  hookId: string,
+): { ok: true; path: string } | { ok: false; error: string } {
+  const targetDir = path.join(hooksDir, safeDirName(hookId));
+  const resolvedBase = path.resolve(hooksDir);
+  const resolvedTarget = path.resolve(targetDir);
+  const relative = path.relative(resolvedBase, resolvedTarget);
+  if (
+    !relative ||
+    relative === ".." ||
+    relative.startsWith(`..${path.sep}`) ||
+    path.isAbsolute(relative)
+  ) {
+    return { ok: false, error: "invalid hook name: path traversal detected" };
+  }
+  return { ok: true, path: targetDir };
 }

 async function ensureOpenClawHooks(manifest: HookPackageManifest) {
@@ -130,6 +170,10 @@ async function installHookPackageFromDir(params: {

  const pkgName = typeof manifest.name === "string" ? manifest.name : "";
  const hookPackId = pkgName ? unscopedPackageName(pkgName) : path.basename(params.packageDir);
+  const hookIdError = validateHookId(hookPackId);
+  if (hookIdError) {
+    return { ok: false, error: hookIdError };
+  }
  if (params.expectedHookPackId && params.expectedHookPackId !== hookPackId) {
    return {
      ok: false,
@@ -142,7 +186,11 @@ async function installHookPackageFromDir(params: {
    : path.join(CONFIG_DIR, "hooks");
  await fs.mkdir(hooksDir, { recursive: true });

-  const targetDir = resolveHookInstallDir(hookPackId, hooksDir);
+  const targetDirResult = resolveSafeInstallDir(hooksDir, hookPackId);
+  if (!targetDirResult.ok) {
+    return { ok: false, error: targetDirResult.error };
+  }
+  const targetDir = targetDirResult.path;
  if (mode === "install" && (await fileExists(targetDir))) {
    return { ok: false, error: `hook pack already exists: ${targetDir} (delete it first)` };
  }
@@ -229,6 +277,10 @@ async function installHookFromDir(params: {

  await validateHookDir(params.hookDir);
  const hookName = await resolveHookNameFromDir(params.hookDir);
+  const hookIdError = validateHookId(hookName);
+  if (hookIdError) {
+    return { ok: false, error: hookIdError };
+  }

  if (params.expectedHookPackId && params.expectedHookPackId !== hookName) {
    return {
@@ -242,7 +294,11 @@ async function installHookFromDir(params: {
    : path.join(CONFIG_DIR, "hooks");
  await fs.mkdir(hooksDir, { recursive: true });

-  const targetDir = resolveHookInstallDir(hookName, hooksDir);
+  const targetDirResult = resolveSafeInstallDir(hooksDir, hookName);
+  if (!targetDirResult.ok) {
+    return { ok: false, error: targetDirResult.error };
+  }
+  const targetDir = targetDirResult.path;
  if (mode === "install" && (await fileExists(targetDir))) {
    return { ok: false, error: `hook already exists: ${targetDir} (delete it first)` };
  }