github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-11 08:01:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
18,950 Commits 702 Branches 79 Tags
42d6e35cb45f753fc2f4f3b4050cb42e2f3eb7a7
Commit Graph

4865 Commits

Author SHA1 Message Date
Tak Hoffman
9bc265f379 Cron: clean run-log write queue entries (#23968) 
* Cron: clean run-log write queue entries

* Changelog: add cron run-log write-queue cleanup note
 2026-02-22 17:16:42 -06:00
Johann Zahlmann
22c9018303 WhatsApp: enforce allowFrom for explicit outbound sends (#20921) 
* whatsapp: enforce allowFrom in explicit outbound mode

* Update CHANGELOG.md

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-02-22 18:13:23 -05:00
Vignesh Natarajan
d7747148d0 fix(memory): reindex when sources change 2026-02-22 15:12:07 -08:00
Robin Waslander
44727dc3a1 security(web_fetch): strip hidden content to prevent indirect prompt injection (#21074) 
* security(web_fetch): strip hidden content to prevent indirect prompt injection

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* security(web_fetch): address review feedback and credit author

* chore(changelog): credit reporter for web_fetch security fix

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-02-22 18:10:26 -05:00
Tak Hoffman
73e5bb7635 Cron: apply timeout to startup catch-up runs (#23966) 
* Cron: apply timeout to startup catch-up runs

* Changelog: add cron startup timeout catch-up note
 2026-02-22 17:04:30 -06:00
Lewis
26644c4b89 fix(msteams): add SSRF protection to attachment downloads via redirect and DNS validation (#23598) 
* fix(msteams): add SSRF protection to attachment downloads via redirect and DNS validation

The attachment download flow in fetchWithAuthFallback() followed
redirects automatically on the initial fetch without any allowlist
or IP validation. This allowed DNS rebinding attacks where an
allowlisted domain (e.g. evil.trafficmanager.net) could redirect
or resolve to a private IP like 169.254.169.254, bypassing the
hostname allowlist entirely (issue #11811).

This commit adds three layers of SSRF protection:

1. safeFetch() in shared.ts: a redirect-safe fetch wrapper that uses
   redirect: "manual" and validates every redirect hop against the
   hostname allowlist AND DNS-resolved IP before following it.

2. isPrivateOrReservedIP() + resolveAndValidateIP() in shared.ts:
   rejects RFC 1918, loopback, link-local, and IPv6 private ranges
   for both initial URLs and redirect targets.

3. graph.ts SharePoint redirect handling now also uses redirect:
   "manual" and validates resolved IPs, not just hostnames.

The initial fetch in fetchWithAuthFallback now goes through safeFetch
instead of a bare fetch(), ensuring redirects are never followed
without validation.

Includes 38 new tests covering IP validation, DNS resolution checks,
redirect following, DNS rebinding attacks, redirect loops, and
protocol downgrade blocking.

* fix: address review feedback on SSRF protection

- Replace hand-rolled isPrivateOrReservedIP with SDK's isPrivateIpAddress
  which handles IPv4-mapped IPv6, expanded notation, NAT64, 6to4, Teredo,
  octal IPv4, and fails closed on parse errors
- Add redirect: "manual" to auth retry redirect fetch in download.ts to
  prevent chained redirect attacks bypassing SSRF checks
- Add redirect: "manual" to SharePoint redirect fetch in graph.ts to
  prevent the same chained redirect bypass
- Update test expectations for SDK's fail-closed behavior on malformed IPs
- Add expanded IPv6 loopback (0:0:0:0:0:0:0:1) test case

* fix: type fetchMock as typeof fetch to fix TS tuple index error

* msteams: harden attachment auth and graph redirect fetch flow

* changelog(msteams): credit redirect-safeFetch hardening contributors

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-02-22 18:00:54 -05:00
Vignesh Natarajan
82d34b4b06 fix(memory): harden qmd collection recovery 2026-02-22 14:40:04 -08:00
Peter Steinberger
5858de6078 docs: reorder 2026.2.22 changelog by user impact 2026-02-22 23:37:44 +01:00
Peter Steinberger
3b0e62d5bf fix(doctor): warn that approvals.exec.enabled only disables forwarding 
Co-authored-by: nomadonwheels196 <nomadonwheels196@users.noreply.github.com>
 2026-02-22 23:33:15 +01:00
Peter Steinberger
a30f9c8673 fix(sandbox): fallback docker user to workspace owner uid/gid 
Co-authored-by: LucasAIBuilder <LucasAIBuilder@users.noreply.github.com>
 2026-02-22 23:33:15 +01:00
Peter Steinberger
394a1af70f fix(exec): apply per-agent exec defaults for opaque session keys 
Co-authored-by: brin-tapcart <brin-tapcart@users.noreply.github.com>
 2026-02-22 23:33:14 +01:00
Peter Steinberger
1d8968c8a8 fix(voice-call): harden media stream pre-start websocket handling 2026-02-22 23:25:32 +01:00
Vignesh Natarajan
1ad9f9af5a fix(memory): resolve qmd Windows shim commands 2026-02-22 14:24:49 -08:00
mudrii
3645420a33 perf: skip cache-busting for bundled hooks, use mtime for workspace hooks (openclaw#16960) thanks @mudrii 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: mudrii <220262+mudrii@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-22 16:14:51 -06:00
Peter Steinberger
fe58839ed1 docs(changelog): thank ghsa reporter for exec fix 2026-02-22 23:04:29 +01:00
Peter Steinberger
498138e77e docs(changelog): record avatar security hardening 2026-02-22 23:04:23 +01:00
Peter Steinberger
9a6a4131ba docs(changelog): note shell-wrapper line-continuation exec hardening 2026-02-22 23:03:53 +01:00
Peter Steinberger
c677be9d5f fix(exec): skip default timeout for background sessions 2026-02-22 23:03:44 +01:00
Peter Steinberger
24c954d972 fix(security): harden allow-always wrapper persistence 2026-02-22 22:55:33 +01:00
Peter Steinberger
4adfe80027 fix(extensions): preserve mediaLocalRoots in telegram/discord sendMedia 2026-02-22 22:53:57 +01:00
Peter Steinberger
64b273a71c fix(exec): harden safe-bin trust and add explicit trusted dirs 2026-02-22 22:43:18 +01:00
Vignesh Natarajan
d75b594e07 Agents/Replies: scope done fallback to direct sessions 2026-02-22 13:30:30 -08:00
Peter Steinberger
e4d67137db fix(node): default mac headless system.run to local host 
Co-authored-by: aethnova <262512133+aethnova@users.noreply.github.com>
 2026-02-22 22:24:28 +01:00
Peter Steinberger
d24f5c1e3a fix(gateway): fail fast exec approvals when no approvers are reachable 
Co-authored-by: fanxian831-netizen <262880470+fanxian831-netizen@users.noreply.github.com>
 2026-02-22 22:24:27 +01:00
Peter Steinberger
73fab7e445 fix(agents): map container workdir paths in workspace guard 
Co-authored-by: Explorer1092 <32663226+Explorer1092@users.noreply.github.com>
 2026-02-22 22:24:27 +01:00
Peter Steinberger
7bbd597383 fix(media): enforce agent media roots in plugin send actions 
Co-authored-by: Oliver Drobnik <333270+odrobnik@users.noreply.github.com>
Co-authored-by: thisischappy <257418353+thisischappy@users.noreply.github.com>
 2026-02-22 22:24:27 +01:00
Tak Hoffman
f8171ffcdc Config UI: tag filters and complete schema help/labels coverage (#23796) 
* Config UI: add tag filters and complete schema help/labels

* Config UI: finalize tags/help polish and unblock test suite

* Protocol: regenerate Swift gateway models
 2026-02-22 15:17:07 -06:00
Peter Steinberger
ffb12397a8 fix(cron): direct-deliver thread and topic announce targets 
Co-authored-by: Andrei Aratmonov <247877121+AndrewArto@users.noreply.github.com>
 2026-02-22 22:11:52 +01:00
Peter Steinberger
320cf8eb3e fix(subagents): restore configurable announce timeout 
Co-authored-by: Valadon <20071960+Valadon@users.noreply.github.com>
 2026-02-22 22:11:52 +01:00
Peter Steinberger
3820ad77ba fix(cron): pass agentDir into embedded follow-up runs 
Co-authored-by: seilk <88271769+seilk@users.noreply.github.com>
 2026-02-22 22:11:52 +01:00
Peter Steinberger
34fef3ae60 fix(delivery): quarantine permanent recovery failures 
Co-authored-by: Aldo <17973757+aldoeliacim@users.noreply.github.com>
 2026-02-22 22:11:51 +01:00
Peter Steinberger
e6383a2c13 fix(gateway): probe port liveness for stale lock recovery 
Co-authored-by: Operative-001 <261882263+Operative-001@users.noreply.github.com>
 2026-02-22 22:11:51 +01:00
Peter Steinberger
9165bd7f37 fix(gateway): auto-approve loopback scope upgrades 
Co-authored-by: Marcus Widing <245375637+widingmarcus-cyber@users.noreply.github.com>
 2026-02-22 22:11:50 +01:00
Peter Steinberger
6817c0ec7b fix(security): tighten elevated allowFrom sender matching 2026-02-22 22:00:08 +01:00
Peter Steinberger
d574056761 fix(control-ui): send stable websocket instance IDs (#23616) 
Co-authored-by: zq58855371-ui <248869919+zq58855371-ui@users.noreply.github.com>
 2026-02-22 21:37:19 +01:00
Peter Steinberger
dc6afeb4f8 perf(webchat): skip unnecessary full history reloads on final events (#20588) 
Co-authored-by: amzzzzzzz <154392693+amzzzzzzz@users.noreply.github.com>
 2026-02-22 21:37:19 +01:00
Peter Steinberger
f2e9986813 fix(webchat): append out-of-band final payloads in active chat (#11139) 
Co-authored-by: AkshayNavle <110360+AkshayNavle@users.noreply.github.com>
 2026-02-22 21:37:19 +01:00
Peter Steinberger
8264d4521b fix(webchat): render final assistant payloads without history wait (#14928) 
Co-authored-by: BradGroux <3053586+BradGroux@users.noreply.github.com>
 2026-02-22 21:37:19 +01:00
Peter Steinberger
02dc0c8752 fix(control-ui): stop websocket client on lifecycle teardown (#23422) 
Co-authored-by: floatinggball-design <262259579+floatinggball-design@users.noreply.github.com>
 2026-02-22 21:37:19 +01:00
Peter Steinberger
19046e0cfc fix(webchat): preserve session labels across /new resets (#23755) 
Co-authored-by: ThunderStormer <16649514+ThunderStormer@users.noreply.github.com>
 2026-02-22 21:37:19 +01:00
Peter Steinberger
8a83ca54a1 fix(webchat): preserve session channel routing on internal turns (#23258) 
Co-authored-by: binary64 <1680627+binary64@users.noreply.github.com>
 2026-02-22 21:37:18 +01:00
Peter Steinberger
5547a2275c fix(security): harden toolsBySender sender-key matching 2026-02-22 21:04:37 +01:00
Vincent Koc
5e73f33448 fix(slack): keep thread session fork/history context after first turn (#23843) 
* Slack thread sessions: keep forking and history context after first turn

* Update CHANGELOG.md
 2026-02-22 14:39:00 -05:00
Peter Steinberger
02772b029d fix(security): require sender-only matching for elevated allowFrom 
Co-authored-by: coygeek <coygeek@users.noreply.github.com>
 2026-02-22 20:37:22 +01:00
Peter Steinberger
51b0772e14 fix(exec-approvals): harden forwarding target and resolve delivery paths 
Co-authored-by: bubmiller <bubmiller@users.noreply.github.com>
 2026-02-22 20:37:22 +01:00
Peter Steinberger
6f895eb831 fix(sandbox): honor explicit bind mounts over workspace defaults 
Co-authored-by: tasaankaeris <tasaankaeris@users.noreply.github.com>
 2026-02-22 20:37:22 +01:00
Peter Steinberger
eefbf3dc5a fix(sandbox): normalize /workspace media paths to host sandbox root 
Co-authored-by: echo931 <echo931@users.noreply.github.com>
 2026-02-22 20:37:21 +01:00
Peter Steinberger
0932adf361 fix(config): fail closed allowlist-only group policy 
Co-authored-by: etereo <etereo@users.noreply.github.com>
 2026-02-22 20:37:21 +01:00
Vincent Koc
71c2c59c6c fix(slack): enforce replyToMode for auto-thread_ts and inline reply tags (#23839) 
* Slack: respect replyToMode for auto-thread_ts and inline reply tags

* Update CHANGELOG.md
 2026-02-22 14:36:46 -05:00
Vincent Koc
9f7c1686b4 fix(slack extension): preserve thread IDs for read + outbound delivery (#23836) 
* Slack Extension: preserve thread IDs in reads and outbound sends

* Slack extension: fix threadTs typing and action test context

* Update CHANGELOG.md
 2026-02-22 14:34:32 -05:00