fix(security): harden discovery routing and TLS pins

Peter Steinberger
2026-02-14 17:17:46 +01:00
parent 61d59a8028
commit d583782ee3
17 changed files with 503 additions and 110 deletions


@@ -8,12 +8,14 @@ import { detectBinary } from "./onboard-helpers.js";
const DEFAULT_GATEWAY_URL = "ws://127.0.0.1:18789";
function pickHost(beacon: GatewayBonjourBeacon): string | undefined {
return beacon.tailnetDns || beacon.lanHost || beacon.host;
// Security: TXT is unauthenticated. Prefer the resolved service endpoint host.
return beacon.host || beacon.tailnetDns || beacon.lanHost;
}
function buildLabel(beacon: GatewayBonjourBeacon): string {
const host = pickHost(beacon);
const port = beacon.gatewayPort ?? beacon.port ?? 18789;
// Security: Prefer the resolved service endpoint port.
const port = beacon.port ?? beacon.gatewayPort ?? 18789;
const title = beacon.displayName ?? beacon.instanceName;
const hint = host ? `${host}:${port}` : "host unknown";
return `${title} (${hint})`;
@@ -80,7 +82,7 @@ export async function promptRemoteGatewayConfig(
if (selectedBeacon) {
const host = pickHost(selectedBeacon);
const port = selectedBeacon.gatewayPort ?? 18789;
const port = selectedBeacon.port ?? selectedBeacon.gatewayPort ?? 18789;
if (host) {
const mode = await prompter.select({
message: "Connection method",
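Review bot: In `pickHost`, `beacon.host || beacon.tailnetDns || beacon.lanHost` still returns a TXT-supplied name whenever the resolved host is empty, so the unauthenticated record the new comment warns about can still select the connection target. The same applies to the port in `buildLabel` and to `selectedBeacon.port ?? selectedBeacon.gatewayPort ?? 18789` in `promptRemoteGatewayConfig`, whose body continues outside the hunk. If the fallback is intended, the comment should say so, for example `// Falls back to unauthenticated TXT hints only when the resolved endpoint has no host; callers must not treat the result as verified.` It would also help if `buildLabel` marked a TXT-derived host in the hint, so the user confirming the prompt can tell a resolved endpoint from an advertised one. Whether the TLS pinning named in the commit title covers this path cannot be seen from these hunks.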