github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 21:14:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(exec): split host flows and harden safe-bin trust

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 14:21:07 +01:00
parent b45bb6801c
commit fec48a5006
10 changed files with 834 additions and 616 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/infra/exec-approvals-allowlist.ts
View File

@@ -357,6 +357,7 @@ function evaluateSegments(
allowlist: ExecAllowlistEntry[];
safeBins: Set<string>;
cwd?: string;
trustedSafeBinDirs?: ReadonlySet<string>;
skillBins?: Set<string>;
autoAllowSkills?: boolean;
},
@@ -384,6 +385,7 @@ function evaluateSegments(
resolution: segment.resolution,
safeBins: params.safeBins,
cwd: params.cwd,
trustedSafeBinDirs: params.trustedSafeBinDirs,
});
const skillAllow =
allowSkills && segment.resolution?.executableName
@@ -408,6 +410,7 @@ export function evaluateExecAllowlist(params: {
allowlist: ExecAllowlistEntry[];
safeBins: Set<string>;
cwd?: string;
trustedSafeBinDirs?: ReadonlySet<string>;
skillBins?: Set<string>;
autoAllowSkills?: boolean;
}): ExecAllowlistEvaluation {
@@ -424,6 +427,7 @@ export function evaluateExecAllowlist(params: {
allowlist: params.allowlist,
safeBins: params.safeBins,
cwd: params.cwd,
trustedSafeBinDirs: params.trustedSafeBinDirs,
skillBins: params.skillBins,
autoAllowSkills: params.autoAllowSkills,
});
@@ -441,6 +445,7 @@ export function evaluateExecAllowlist(params: {
allowlist: params.allowlist,
safeBins: params.safeBins,
cwd: params.cwd,
trustedSafeBinDirs: params.trustedSafeBinDirs,
skillBins: params.skillBins,
autoAllowSkills: params.autoAllowSkills,
});
@@ -468,6 +473,7 @@ export function evaluateShellAllowlist(params: {
safeBins: Set<string>;
cwd?: string;
env?: NodeJS.ProcessEnv;
trustedSafeBinDirs?: ReadonlySet<string>;
skillBins?: Set<string>;
autoAllowSkills?: boolean;
platform?: string | null;
@@ -496,6 +502,7 @@ export function evaluateShellAllowlist(params: {
allowlist: params.allowlist,
safeBins: params.safeBins,
cwd: params.cwd,
trustedSafeBinDirs: params.trustedSafeBinDirs,
skillBins: params.skillBins,
autoAllowSkills: params.autoAllowSkills,
});
@@ -529,6 +536,7 @@ export function evaluateShellAllowlist(params: {
allowlist: params.allowlist,
safeBins: params.safeBins,
cwd: params.cwd,
trustedSafeBinDirs: params.trustedSafeBinDirs,
skillBins: params.skillBins,
autoAllowSkills: params.autoAllowSkills,
});