github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 09:01:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(security): warn on dangerous config flags at startup

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 10:11:03 +01:00
parent de2e5c7b74
commit f101d59d57
4 changed files with 81 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
src/gateway/server-startup-log.test.ts Normal file
View File

@@ -0,0 +1,45 @@
import { describe, expect, it, vi } from "vitest";
import { logGatewayStartup } from "./server-startup-log.js";
describe("gateway startup log", () => {
it("warns when dangerous config flags are enabled", () => {
const info = vi.fn();
const warn = vi.fn();
logGatewayStartup({
cfg: {
gateway: {
controlUi: {
dangerouslyDisableDeviceAuth: true,
},
},
},
bindHost: "127.0.0.1",
port: 18789,
log: { info, warn },
isNixMode: false,
});
expect(warn).toHaveBeenCalledTimes(1);
expect(warn).toHaveBeenCalledWith(expect.stringContaining("dangerous config flags enabled"));
expect(warn).toHaveBeenCalledWith(
expect.stringContaining("gateway.controlUi.dangerouslyDisableDeviceAuth=true"),
);
expect(warn).toHaveBeenCalledWith(expect.stringContaining("openclaw security audit"));
});
it("does not warn when dangerous config flags are disabled", () => {
const info = vi.fn();
const warn = vi.fn();
logGatewayStartup({
cfg: {},
bindHost: "127.0.0.1",
port: 18789,
log: { info, warn },
isNixMode: false,
});
expect(warn).not.toHaveBeenCalled();
});
});

11
src/gateway/server-startup-log.ts
View File

@@ -3,6 +3,7 @@ import { DEFAULT_MODEL, DEFAULT_PROVIDER } from "../agents/defaults.js";
import { resolveConfiguredModelRef } from "../agents/model-selection.js";
import type { loadConfig } from "../config/config.js";
import { getResolvedLoggerSettings } from "../logging.js";
import { collectEnabledInsecureOrDangerousFlags } from "../security/dangerous-config-flags.js";
export function logGatewayStartup(params: {
cfg: ReturnType<typeof loadConfig>;
@@ -10,7 +11,7 @@ export function logGatewayStartup(params: {
bindHosts?: string[];
port: number;
tlsEnabled?: boolean;
log: { info: (msg: string, meta?: Record<string, unknown>) => void };
log: { info: (msg: string, meta?: Record<string, unknown>) => void; warn: (msg: string) => void };
isNixMode: boolean;
}) {
const { provider: agentProvider, model: agentModel } = resolveConfiguredModelRef({
@@ -37,4 +38,12 @@ export function logGatewayStartup(params: {
if (params.isNixMode) {
params.log.info("gateway: running in Nix mode (config managed externally)");
}
const enabledDangerousFlags = collectEnabledInsecureOrDangerousFlags(params.cfg);
if (enabledDangerousFlags.length > 0) {
const warning =
`security warning: dangerous config flags enabled: ${enabledDangerousFlags.join(", ")}. ` +
"Run `openclaw security audit`.";
params.log.warn(warning);
}
}