github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 17:04:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden sandbox browser network defaults

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 14:01:40 +01:00
parent cf82614259
commit f48698a50b
19 changed files with 224 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/agents/sandbox/config.ts
View File

@@ -4,6 +4,7 @@ import {
DEFAULT_SANDBOX_BROWSER_AUTOSTART_TIMEOUT_MS,
DEFAULT_SANDBOX_BROWSER_CDP_PORT,
DEFAULT_SANDBOX_BROWSER_IMAGE,
DEFAULT_SANDBOX_BROWSER_NETWORK,
DEFAULT_SANDBOX_BROWSER_NOVNC_PORT,
DEFAULT_SANDBOX_BROWSER_PREFIX,
DEFAULT_SANDBOX_BROWSER_VNC_PORT,
@@ -27,10 +28,11 @@ export function resolveSandboxBrowserDockerCreateConfig(params: {
docker: SandboxDockerConfig;
browser: SandboxBrowserConfig;
}): SandboxDockerConfig {
const browserNetwork = params.browser.network.trim();
const base: SandboxDockerConfig = {
...params.docker,
// Browser container needs network access for Chrome, downloads, etc.
network: "bridge",
network: browserNetwork || DEFAULT_SANDBOX_BROWSER_NETWORK,
// For hashing and consistency, treat browser image as the docker image even though we
// pass it separately as the final `docker create` argument.
image: params.browser.image,
@@ -113,7 +115,9 @@ export function resolveSandboxBrowserConfig(params: {
agentBrowser?.containerPrefix ??
globalBrowser?.containerPrefix ??
DEFAULT_SANDBOX_BROWSER_PREFIX,
network: agentBrowser?.network ?? globalBrowser?.network ?? DEFAULT_SANDBOX_BROWSER_NETWORK,
cdpPort: agentBrowser?.cdpPort ?? globalBrowser?.cdpPort ?? DEFAULT_SANDBOX_BROWSER_CDP_PORT,
cdpSourceRange: agentBrowser?.cdpSourceRange ?? globalBrowser?.cdpSourceRange,
vncPort: agentBrowser?.vncPort ?? globalBrowser?.vncPort ?? DEFAULT_SANDBOX_BROWSER_VNC_PORT,
noVncPort:
agentBrowser?.noVncPort ?? globalBrowser?.noVncPort ?? DEFAULT_SANDBOX_BROWSER_NOVNC_PORT,