negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
2a18cbb1101f77d64be3a57e520e9bdea33e48f0
openclaw/src/gateway/server-methods
History
Robin Waslander dafd61b5c1 fix(gateway): enforce caller-scope subsetting in device.token.rotate 
device.token.rotate accepted attacker-controlled scopes and forwarded
them to rotateDeviceToken without verifying the caller held those
scopes. A pairing-scoped token could rotate up to operator.admin on
any already-paired device whose approvedScopes included admin.

Add a caller-scope subsetting check before rotateDeviceToken: the
requested scopes must be a subset of client.connect.scopes via the
existing roleScopesAllow helper. Reject with missing scope: <scope>
if not.

Also add server.device-token-rotate-authz.test.ts covering both the
priv-esc path and the admin-to-node-invoke chain.

Fixes GHSA-4jpw-hj22-2xmc
2026-03-11 14:16:59 +01:00
..
agent-job.ts
fix: kill stuck ACP child processes on startup and harden sessions in discord threads (#33699)
2026-03-04 10:52:28 +01:00
agent-timestamp.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
agent-wait-dedupe.test.ts
fix: kill stuck ACP child processes on startup and harden sessions in discord threads (#33699)
2026-03-04 10:52:28 +01:00
agent-wait-dedupe.ts
fix: kill stuck ACP child processes on startup and harden sessions in discord threads (#33699)
2026-03-04 10:52:28 +01:00
agent.test.ts
fix(gateway): split conversation reset from admin reset
2026-03-11 02:50:44 +00:00
agent.ts
fix(gateway): split conversation reset from admin reset
2026-03-11 02:50:44 +00:00
agents-mutate.test.ts
refactor(core): extract shared dedup helpers
2026-03-07 10:41:05 +00:00
AGENTS.md
Gateway: fix post-compaction amnesia for injected messages (#12283)
2026-02-08 23:07:31 -06:00
agents.ts
refactor(core): extract shared dedup helpers
2026-03-07 10:41:05 +00:00
attachment-normalize.ts
refactor(gateway): share rpc attachment normalization
2026-02-15 13:30:42 +00:00
base-hash.ts
refactor(gateway): reuse shared validators + baseHash
2026-02-16 01:19:01 +00:00
browser.profile-from-body.test.ts
fix: test browser.request profile body fallback (#28852) (thanks @Sid-Qin)
2026-03-02 06:26:35 +00:00
browser.ts
fix(gateway): honor browser profile from request body for node proxy calls
2026-03-02 06:26:35 +00:00
channels.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
chat-transcript-inject.ts
refactor: extract gateway transcript append helper
2026-02-22 14:44:19 +00:00
chat.abort-persistence.test.ts
test(gateway): dedupe update and chat abort persistence fixtures
2026-02-18 12:43:54 +00:00
chat.directive-tags.test.ts
ACP: add optional ingress provenance receipts (#40473)
2026-03-09 04:19:03 +01:00
chat.inject.parentid.test.ts
refactor: extract gateway transcript append helper
2026-02-22 14:44:19 +00:00
chat.test-helpers.ts
fix: stabilize flaky tests and sanitize directive-only chat tags
2026-02-22 12:19:33 +01:00
chat.ts
Revert "feat(ui): add chat infrastructure modules (slice 1 of dashboard-v2)"
2026-03-09 18:47:44 -05:00
CLAUDE.md
fix: remove trailing newline from CLAUDE.md symlink target (#21160)
2026-02-22 12:40:06 -05:00
config.ts
fix: resolve live config paths in status and gateway metadata (#39952)
2026-03-08 09:59:32 -05:00
connect.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
cron.ts
fix(cron): consolidate announce delivery, fire-and-forget trigger, and minimal prompt mode (#40204)
2026-03-08 14:46:33 -07:00
devices.ts
fix(gateway): enforce caller-scope subsetting in device.token.rotate
2026-03-11 14:16:59 +01:00
doctor.test.ts
refactor: deduplicate shared helpers and test setup
2026-02-23 20:40:44 +00:00
doctor.ts
fix(doctor): use gateway health status for memory search key check (#22327)
2026-02-23 14:07:16 -05:00
exec-approval.ts
refactor(security): simplify system.run approval model
2026-03-11 01:43:06 +00:00
exec-approvals.ts
refactor(gateway): dedupe exec approvals node validation
2026-02-18 23:09:09 +00:00
health.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
logs.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
models.ts
TUI: filter model picker to allowlisted models
2026-02-21 19:03:15 -08:00
nodes-pending.test.ts
Gateway: add pending node work primitives (#41409)
2026-03-09 21:42:57 +01:00
nodes-pending.ts
Gateway: add pending node work primitives (#41409)
2026-03-09 21:42:57 +01:00
nodes.canvas-capability-refresh.test.ts
feat(gateway): add node canvas capability refresh flow
2026-02-27 12:16:36 +05:30
nodes.handlers.invoke-result.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
nodes.helpers.ts
feat(gateway): add node canvas capability refresh flow
2026-02-27 12:16:36 +05:30
nodes.invoke-wake.test.ts
Gateway/iOS: replay queued foreground actions safely after resume (#40281)
2026-03-08 22:46:54 +01:00
nodes.ts
Gateway: add pending node work primitives (#41409)
2026-03-09 21:42:57 +01:00
push.test.ts
CI: restore main detect-secrets scan (#38438)
2026-03-07 10:06:35 -08:00
push.ts
Gateway: add APNs push test pipeline (#20307)
2026-02-18 19:32:42 +00:00
restart-request.ts
refactor(gateway): share restart request parsing
2026-02-16 01:21:54 +00:00
secrets.test.ts
refactor(core): extract shared dedup helpers
2026-03-07 10:41:05 +00:00
secrets.ts
feat(secrets): expand SecretRef coverage across user-supplied credentials (#29580)
2026-03-03 02:58:20 +00:00
send.test.ts
refactor: dedupe channel and gateway surfaces
2026-03-02 19:57:33 +00:00
send.ts
mattermost: fix DM media upload for unprefixed user IDs (#29925)
2026-03-10 14:22:24 +05:30
server-methods.test.ts
refactor(security): simplify system.run approval model
2026-03-11 01:43:06 +00:00
sessions.ts
fix(gateway): split conversation reset from admin reset
2026-03-11 02:50:44 +00:00
skills.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
skills.update.normalizes-api-key.test.ts
chore: Fix types in tests 38/N.
2026-02-17 15:50:07 +09:00
system.ts
refactor: centralize presence routing and version precedence coverage (#19609)
2026-02-18 00:02:51 -05:00
talk.ts
feat(talk): add provider-agnostic config with legacy compatibility
2026-02-24 15:02:52 +00:00
tools-catalog.test.ts
Gateway/UI: data-driven agents tools catalog with provenance (openclaw#24199) thanks @Takhoffman
2026-02-22 23:55:59 -06:00
tools-catalog.ts
Gateway: suppress tools.catalog plugin conflict diagnostics
2026-02-23 00:05:57 -06:00
tts.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
types.ts
feat(gateway): add node canvas capability refresh flow
2026-02-27 12:16:36 +05:30
update.test.ts
test(core): use lightweight clears in update, child adapter, and copilot token setup
2026-02-22 08:01:16 +00:00
update.ts
style: format gateway server methods
2026-02-19 13:32:58 +00:00
usage.sessions-usage.test.ts
test: dedupe gateway browser discord and channel coverage
2026-02-22 17:11:54 +00:00
usage.test.ts
Issue 17774 - Usage - Local - Show data from midnight to midnight of selected dates for browser time zone (AI assisted) (openclaw#19357) thanks @huntharo
2026-02-20 20:09:03 -06:00
usage.ts
refactor(core): extract shared usage, auth, and display helpers
2026-03-02 08:54:20 +00:00
validation.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
voicewake.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
web.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
wizard.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00