github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 03:51:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
12,715 Commits 702 Branches 79 Tags
baa335f2581b74561134169ac7f2b1faae791d68
Commit Graph

22 Commits

Author SHA1 Message Date
Peter Steinberger
baa335f258 fix(security): harden SSRF IPv4 literal parsing 2026-02-19 15:14:46 +01:00
Peter Steinberger
d05c8eb912 refactor: unify SSRF hostname/ip precheck and add policy regression 2026-02-19 10:25:31 +01:00
Peter Steinberger
d51929ecb5 fix: block ISATAP SSRF bypass via shared host/ip guard 2026-02-19 09:59:47 +01:00
Peter Steinberger
e8154c12e6 refactor(net): table-drive embedded IPv6 decoding and SSRF tests 2026-02-18 04:57:08 +01:00
Peter Steinberger
442fdbf3d8 fix(security): block SSRF IPv6 transition bypasses 2026-02-18 04:53:09 +01:00
cpojer
49bd9f75f4 chore: Fix types in tests 33/N. 2026-02-17 15:50:07 +09:00
cpojer
6e5df1dc0f chore: Fix types in tests 25/N. 2026-02-17 14:31:02 +09:00
Sebastian
f924ab40d8 revert(tools): undo accidental merge of PR #18584 2026-02-16 21:13:48 -05:00
smartprogrammer93
6d2e3685d6 feat(tools): add URL allowlist for web_search and web_fetch 
Add optional urlAllowlist config at tools.web level that restricts which
URLs can be accessed by web tools:

- Config types (types.tools.ts): Add urlAllowlist?: string[] to tools.web
- Zod schema: Add urlAllowlist field to ToolsWebSchema
- Schema help: Add help text for the new config fields
- web_search: Filter Brave search results by allowlist (provider=brave)
- web_fetch: Block URLs not matching allowlist before fetching
- ssrf.ts: Export normalizeHostnameAllowlist and matchesHostnameAllowlist

URL matching supports:
- Exact domain match (example.com)
- Wildcard patterns (*.github.com)

When urlAllowlist is not configured, all URLs are allowed (backwards compatible).

Tests: Add web-tools.url-allowlist.test.ts with 23 tests covering:
- URL allowlist resolution from config
- Wildcard pattern matching
- web_fetch error response format
- Brave search result filtering
 2026-02-16 23:50:18 +01:00
Peter Steinberger
58ab60c0fc perf(test): fold tls fingerprint normalization into ssrf suite 2026-02-16 02:44:59 +00:00
Peter Steinberger
4aaafe5322 refactor(net): share hostname normalization 2026-02-16 01:01:22 +00:00
Peter Steinberger
c0c0e0f9ae fix(security): block full-form IPv4-mapped IPv6 in SSRF guard 2026-02-14 22:58:38 +01:00
Marcus Castro
7ec60d6449 fix: use relayAbort helper for addEventListener to preserve AbortError reason 2026-02-13 18:13:18 +01:00
Marcus Castro
d9c582627c perf: use .abort.bind() instead of arrow closures to prevent memory leaks (#7174) 2026-02-13 18:13:18 +01:00
Peter Steinberger
99f28031e5 fix: harden OpenResponses URL input fetching 2026-02-13 01:38:49 +01:00
Peter Steinberger
9bd64c8a1f fix: expand SSRF guard coverage 2026-02-02 04:58:32 -08:00
Peter Steinberger
81c68f582d fix: guard remote media fetches with SSRF checks 2026-02-02 04:07:29 -08:00
cpojer
f06dd8df06 chore: Enable "experimentalSortImports" in Oxfmt and reformat all imorts. 2026-02-01 10:03:47 +09:00
cpojer
5ceff756e1 chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
cpojer
15792b153f chore: Enable more lint rules, disable some that trigger a lot. Will clean up later. 2026-01-31 16:04:04 +09:00
Peter Steinberger
b623557a2e fix: harden url fetch dns pinning 2026-01-26 16:05:29 +00:00
Peter Steinberger
5bd55037e4 fix: harden web fetch SSRF and redirects 
Co-authored-by: Eli <fogboots@users.noreply.github.com>
 2026-01-21 02:54:14 +00:00