negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Security: add per-wrapper IDs to untrusted-content markers (#19009)

Browse Source 
Fixes #10927

Adds unique per-wrapper IDs to external-content boundary markers to
prevent spoofing attacks where malicious content could inject fake
marker boundaries.

- Generate random 16-char hex ID per wrap operation
- Start/end markers share the same ID for pairing
- Sanitizer strips markers with or without IDs (handles legacy + spoofed)
- Added test for attacker-injected markers with fake IDs

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
This commit is contained in:
C.J. Winslow
2026-02-20 22:16:02 -08:00
committed by GitHub
parent 45fff13b1d
commit 58f7b7638a
4 changed files with 82 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/agents/tools/web-tools.enabled-defaults.e2e.test.ts
View File

@@ -269,7 +269,7 @@ describe("web_search external content wrapping", () => {
results?: Array<{ description?: string }>;
};
expect(details.results?.[0]?.description).toContain("<<<EXTERNAL_UNTRUSTED_CONTENT>>>");
expect(details.results?.[0]?.description).toMatch(/<<<EXTERNAL_UNTRUSTED_CONTENT id="[a-f0-9]{16}">>>/);
expect(details.results?.[0]?.description).toContain("Ignore previous instructions");
expect(details.externalContent).toMatchObject({
untrusted: true,
@@ -332,7 +332,7 @@ describe("web_search external content wrapping", () => {
const result = await executePerplexitySearchForWrapping("test");
const details = result?.details as { content?: string };
expect(details.content).toContain("<<<EXTERNAL_UNTRUSTED_CONTENT>>>");
expect(details.content).toMatch(/<<<EXTERNAL_UNTRUSTED_CONTENT id="[a-f0-9]{16}">>>/);
expect(details.content).toContain("Ignore previous instructions");
});