github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-13 02:42:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
16,447 Commits 702 Branches 79 Tags
6a42d09129839de6548124a7ae72739777659f02
Commit Graph

17 Commits

Author SHA1 Message Date
Peter Steinberger
c20ee11348 fix: harden fs-safe write boundary checks 2026-03-02 23:36:23 +00:00
Peter Steinberger
34daed1d1e refactor(core): dedupe infra, media, pairing, and plugin helpers 2026-03-02 21:32:11 +00:00
Peter Steinberger
dbbd41a2ed fix(security): harden file installs and race-path tests 2026-03-02 19:30:02 +00:00
Peter Steinberger
7dac9b05dd fix(security): harden zip write race handling 2026-03-02 17:38:11 +00:00
Peter Steinberger
104d32bb64 fix(security): unify root-bound write hardening 2026-03-02 17:12:33 +00:00
Peter Steinberger
4a80311628 refactor(security): split sandbox media staging and stream safe copies 2026-03-02 16:53:14 +00:00
cygaar
127217612c fix(CI/CD): use path.resolve in expandHomePrefix test for Windows compat (#30961) 
Merged via squash.

Prepared head SHA: 26bc118517
Co-authored-by: cygaar <97691933+cygaar@users.noreply.github.com>
Co-authored-by: velvet-shark <126378+velvet-shark@users.noreply.github.com>
Reviewed-by: @velvet-shark
 2026-03-02 14:18:11 +01:00
Peter Steinberger
00dcd931cb test(fs-safe): assert directory-read errors never leak EISDIR text 2026-03-02 03:35:20 +00:00
倪汉杰0668001185
6398a0ba8f fix(infra): avoid EISDIR leak to messaging when Read targets directory (Closes #31186) 2026-03-02 03:35:20 +00:00
Peter Steinberger
710004e011 fix(security): harden root-scoped writes against symlink races 2026-03-02 01:27:46 +00:00
Peter Steinberger
c823a85302 fix: harden sandbox media reads against TOCTOU escapes 2026-03-02 01:04:01 +00:00
Onur
ac5d7ee4cd Tests: normalize HOME expansion assertion on Windows 2026-03-01 20:39:24 +01:00
Glucksberg
645d963954 feat: expand ~ (tilde) to home directory in file tools (read/write/edit) (openclaw#29779) thanks @Glucksberg 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Glucksberg <80581902+Glucksberg@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-03-01 07:00:52 -06:00
YuzuruS
f5c2be1910 fix: distinguish outside-workspace errors from not-found in fs-safe 
When editing a file outside the workspace root, SafeOpenError previously
used the "invalid-path" code with the message "path escapes root". This
was indistinguishable from other invalid-path errors (hardlinks, symlinks,
non-files) and consumers often fell back to a generic "not found" message,
which was misleading.

Add a new "outside-workspace" error code with the message "file is outside
workspace root" so consumers can surface a clear, accurate error message.

- fs-safe.ts: add "outside-workspace" to SafeOpenErrorCode, use it for
  all path-escapes-root checks in openFileWithinRoot/writeFileWithinRoot
- pi-tools.read.ts: map "outside-workspace" to EACCES instead of rethrowing
- browser/paths.ts: return specific "File is outside {scopeLabel}" message
- media/server.ts: return 400 with descriptive message for outside-workspace
- fs-safe.test.ts: update traversal test expectations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 18:08:10 +05:30
Peter Steinberger
e3385a6578 fix(security): harden root file guards and host writes 2026-02-26 13:32:58 +01:00
Peter Steinberger
ad1c07e7c0 refactor: eliminate remaining duplicate blocks across draft streams and tests 2026-02-22 07:44:57 +00:00
Peter Steinberger
bf3f8ec428 refactor(media): unify safe local file reads 2026-02-19 10:21:20 +01:00