negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
b5f551d71698b96a6849f26cf280ab88bc24188c
openclaw/src
History
aether-ai-agent b5f551d716 fix(security): OC-06 prevent path traversal in config includes 
Fixed CWE-22 path traversal vulnerability allowing arbitrary file reads
through the $include directive in OpenClaw configuration files.

Security Impact:
- CVSS 8.6 (High) - Arbitrary file read vulnerability
- Attack vector: Malicious config files with path traversal sequences
- Impact: Exposure of /etc/passwd, SSH keys, cloud credentials, secrets

Implementation:
- Added path boundary validation in resolvePath() (lines 169-198)
- Implemented symlink resolution to prevent bypass attacks
- Restrict includes to config directory only
- Throw ConfigIncludeError for escaping paths

Testing:
- Added 23 comprehensive security tests
- 48/48 includes.test.ts tests passing
- 5,063/5,063 full suite tests passing
- 95.55% coverage on includes.ts
- Zero regressions, zero breaking changes

Attack Vectors Blocked:
✓ Absolute paths (/etc/passwd, /etc/shadow)
✓ Relative traversal (../../etc/passwd)
✓ Symlink bypass attempts
✓ Home directory access (~/.ssh/id_rsa)

Legitimate Use Cases Preserved:
✓ Same directory includes (./config.json)
✓ Subdirectory includes (./clients/config.json)
✓ Deep nesting (./a/b/c/config.json)

Aether AI Agent Security Research
2026-02-18 03:27:16 +01:00
..
acp
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
agents
test: expand subagent announce completion coverage
2026-02-18 03:21:52 +01:00
auto-reply
style: format subagent command files
2026-02-18 01:50:11 +00:00
browser
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
canvas-host
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
channels
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
cli
chore: format imports in gateway and session tools
2026-02-17 21:10:38 -05:00
commands
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
compat
config
fix(security): OC-06 prevent path traversal in config includes
2026-02-18 03:27:16 +01:00
cron
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
daemon
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
discord
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
docs
gateway
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
hooks
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
imessage
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
infra
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
line
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
link-understanding
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
logging
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
macos
test: tighten relay smoke + slack token validation
2026-02-16 02:45:00 +00:00
markdown
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
media
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
media-understanding
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
memory
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
node-host
perf(test): fold node-host runner tests into sanitize env suite
2026-02-16 02:45:00 +00:00
pairing
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
plugin-sdk
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
plugins
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
process
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
providers
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
routing
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
scripts
security
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
sessions
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
shared
refactor(shared): reuse chat content extractor for assistant text
2026-02-17 00:53:44 +00:00
signal
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
slack
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
telegram
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
terminal
test: strengthen ports, tool policy, and note wrapping
2026-02-16 02:45:00 +00:00
test-helpers
refactor(test): simplify state dir env helpers
2026-02-16 00:08:00 +00:00
test-utils
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
tts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
tui
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
types
utils
chore: Fix types in tests 34/N.
2026-02-17 15:50:07 +09:00
web
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
whatsapp
Whatsapp/add resolve outbound target tests (#19345)
2026-02-18 01:05:36 +01:00
wizard
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
channel-web.ts
docker-setup.test.ts
perf(test): avoid env cloning in docker-setup suite
2026-02-15 00:56:20 +00:00
dockerfile.test.ts
test(docker): cover browser install build arg
2026-02-16 22:35:27 -05:00
entry.ts
extensionAPI.ts
globals.ts
index.ts
logger.test.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
logger.ts
logging.ts
style: align formatting with oxfmt 0.33
2026-02-18 01:34:35 +00:00
polls.test.ts
polls.ts
runtime.ts
chore: chore: Fix types in tests 12/N.
2026-02-17 11:22:49 +09:00
utils.test.ts
perf(test): drop redundant index entrypoint tests
2026-02-16 02:45:00 +00:00
utils.ts
version.test.ts
version.ts