fix(security): harden account-key handling against prototype pollution

Peter Steinberger
2026-02-24 01:09:23 +00:00
parent 12cc754332
commit f97c0922e1
24 changed files with 141 additions and 111 deletions


@@ -1,3 +1,5 @@
import { isBlockedObjectKey } from "../infra/prototype-keys.js";
export const DEFAULT_ACCOUNT_ID = "default";
const VALID_ID_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/i;
@@ -17,12 +19,20 @@ function canonicalizeAccountId(value: string): string {
.slice(0, 64);
}
function normalizeCanonicalAccountId(value: string): string | undefined {
const canonical = canonicalizeAccountId(value);
if (!canonical || isBlockedObjectKey(canonical)) {
return undefined;
}
return canonical;
}
export function normalizeAccountId(value: string | undefined | null): string {
const trimmed = (value ?? "").trim();
if (!trimmed) {
return DEFAULT_ACCOUNT_ID;
}
return canonicalizeAccountId(trimmed) || DEFAULT_ACCOUNT_ID;
return normalizeCanonicalAccountId(trimmed) || DEFAULT_ACCOUNT_ID;
}
export function normalizeOptionalAccountId(value: string | undefined | null): string | undefined {
@@ -30,5 +40,5 @@ export function normalizeOptionalAccountId(value: string | undefined | null): st
if (!trimmed) {
return undefined;
}
return canonicalizeAccountId(trimmed) || undefined;
return normalizeCanonicalAccountId(trimmed) || undefined;
}
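Review bot: In `normalizeAccountId`, an id that `isBlockedObjectKey` rejects (presumably `__proto__`, `constructor` and similar) now falls through `|| DEFAULT_ACCOUNT_ID`, so a refused id is silently treated as the default account instead of being reported as invalid. This matches the existing fallback for ids that canonicalize to an empty string, but callers cannot tell "no account supplied" from "account id refused", and a request naming a blocked key would operate on the default account's state. Call sites that select credentials or config by account would be safer using `normalizeOptionalAccountId` and rejecting `undefined`. The new helper should also say why it exists, e.g. `// Returns undefined when the id canonicalizes to empty or to a blocked object key, so it can never be used to index a plain object.` The key set behind `isBlockedObjectKey` and the body of `canonicalizeAccountId` are outside this section, so whether the guard is sufficient can't be confirmed here; a `Map` or null-prototype object at the lookup sites would make it defense in depth rather than the only barrier.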