fix(security): harden sandbox browser network defaults

Peter Steinberger
2026-02-21 14:01:40 +01:00
parent cf82614259
commit f48698a50b
19 changed files with 224 additions and 5 deletions


@@ -177,4 +177,46 @@ describe("sandbox browser binds config", () => {
});
expect(resolved.binds).toBeUndefined();
});
it("defaults browser network to dedicated sandbox network", () => {
const resolved = resolveSandboxBrowserConfig({
scope: "agent",
globalBrowser: {},
agentBrowser: {},
});
expect(resolved.network).toBe("openclaw-sandbox-browser");
});
it("prefers agent browser network over global browser network", () => {
const resolved = resolveSandboxBrowserConfig({
scope: "agent",
globalBrowser: { network: "openclaw-sandbox-browser-global" },
agentBrowser: { network: "openclaw-sandbox-browser-agent" },
});
expect(resolved.network).toBe("openclaw-sandbox-browser-agent");
});
it("merges cdpSourceRange with agent override", () => {
const resolved = resolveSandboxBrowserConfig({
scope: "agent",
globalBrowser: { cdpSourceRange: "172.21.0.1/32" },
agentBrowser: { cdpSourceRange: "172.22.0.1/32" },
});
expect(resolved.cdpSourceRange).toBe("172.22.0.1/32");
});
it("rejects host network mode in sandbox.browser config", () => {
const res = validateConfigObject({
agents: {
defaults: {
sandbox: {
browser: {
network: "host",
},
},
},
},
});
expect(res.ok).toBe(false);
});
});
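Review bot: The `rejects host network mode in sandbox.browser config` test asserts only `expect(res.ok).toBe(false)`, so it would still pass if validation failed for an unrelated reason (for example, a required field missing from this minimal object) while `network: "host"` was in fact accepted. It should also assert that the reported problem refers to `agents.defaults.sandbox.browser.network`, using whatever error list `validateConfigObject` returns, and ideally add a control case where the same object with `network: "openclaw-sandbox-browser"` validates. The hunk also covers only the exact lowercase string under `agents.defaults`; whether a per-agent sandbox browser block or other namespace-sharing values such as `container:<name>` are rejected is not visible here and would be worth a case each. The enclosing `describe` starts outside the hunk.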