github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 22:58:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(security): share sandbox tool policy picker

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-15 13:10:07 +00:00
parent 428b6e0dee
commit d7079b5578
3 changed files with 37 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
src/security/audit-extra.async.ts
View File

@@ -31,6 +31,7 @@ import {
inspectPathPermissions,
safeStat,
} from "./audit-fs.js";
import { pickSandboxToolPolicy } from "./audit-tool-policy.js";
import { extensionUsesSkippedScannerPath, isPathInside } from "./scan-paths.js";
import * as skillScanner from "./skill-scanner.js";
@@ -108,36 +109,6 @@ function formatCodeSafetyDetails(findings: SkillScanFinding[], rootDir: string):
.join("\n");
}
function unionAllow(base?: string[], extra?: string[]): string[] | undefined {
if (!Array.isArray(extra) || extra.length === 0) {
return base;
}
if (!Array.isArray(base) || base.length === 0) {
return Array.from(new Set(["*", ...extra]));
}
return Array.from(new Set([...base, ...extra]));
}
function pickToolPolicy(config?: {
allow?: string[];
alsoAllow?: string[];
deny?: string[];
}): SandboxToolPolicy | undefined {
if (!config) {
return undefined;
}
const allow = Array.isArray(config.allow)
? unionAllow(config.allow, config.alsoAllow)
: Array.isArray(config.alsoAllow) && config.alsoAllow.length > 0
? unionAllow(undefined, config.alsoAllow)
: undefined;
const deny = Array.isArray(config.deny) ? config.deny : undefined;
if (!allow && !deny) {
return undefined;
}
return { allow, deny };
}
function resolveToolPolicies(params: {
cfg: OpenClawConfig;
agentTools?: AgentToolsConfig;
@@ -148,8 +119,8 @@ function resolveToolPolicies(params: {
const profilePolicy = resolveToolProfilePolicy(profile);
const policies: Array<SandboxToolPolicy | undefined> = [
profilePolicy,
pickToolPolicy(params.cfg.tools ?? undefined),
pickToolPolicy(params.agentTools),
pickSandboxToolPolicy(params.cfg.tools ?? undefined),
pickSandboxToolPolicy(params.agentTools),
];
if (params.sandboxMode === "all") {
policies.push(resolveSandboxToolPolicyForAgent(params.cfg, params.agentId ?? undefined));