Peter Steinberger
9d30159fcd
refactor: dedupe channel and gateway surfaces
2026-03-02 19:57:33 +00:00
Peter Steinberger
39afcee864
test(perf): trim cron and audit fixture overhead
2026-03-02 19:48:02 +00:00
Peter Steinberger
031bf0c6c0
refactor(security): split safe-regex parse and bounded matching
2026-03-02 16:47:00 +00:00
Peter Steinberger
31c7637e0f
fix(security): block quantified ambiguous alternation regex
2026-03-02 16:37:45 +00:00
StingNing
944abe0a6c
fix(security): recognize localized Windows SYSTEM account in ACL audit (#29698)
* fix(security): recognize localized Windows SYSTEM account in ACL audit
On non-English Windows (e.g. French "AUTORITE NT\Système"), the security
audit falsely reports fs.config.perms_writable because the localized
SYSTEM account name is not recognized as trusted.
Changes:
- Add common localized SYSTEM principal names (French, German, Spanish,
Portuguese) to TRUSTED_BASE
- Add diacritics-stripping fallback in classifyPrincipal for unhandled
locales
- Use well-known SID *S-1-5-18 in icacls reset commands instead of
hardcoded "SYSTEM" string for locale independence
Fixes #29681
* style: format windows acl files
---------
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-03-02 08:38:56 -06:00
Peter Steinberger
b02b94673f
refactor: dedupe runtime and helper flows
2026-03-02 12:55:47 +00:00
Peter Steinberger
2cda78a0b0
test(perf): stub docker probes in filesystem audit cases
2026-03-02 12:18:27 +00:00
Peter Steinberger
adf2ef88c6
test(perf): simplify temp-path guard scan loop
2026-03-02 11:59:24 +00:00
Peter Steinberger
d95bc10425
test(perf): streamline deep code-safety audit assertions
2026-03-02 11:58:49 +00:00
Peter Steinberger
c80a332def
test(perf): cut cron retry waits and tighten tmp guard prefilter
2026-03-02 11:54:26 +00:00
Peter Steinberger
735216f7e4
test(perf): reduce security audit and guardrail overhead
2026-03-02 11:41:33 +00:00
Peter Steinberger
1b98879295
test(perf): reduce guardrail and media test overhead
2026-03-02 11:16:29 +00:00
Peter Steinberger
96ef6ea3cf
test(perf): dedupe setup in cli/security script suites
2026-03-02 10:53:21 +00:00
Peter Steinberger
8a1465c314
test(perf): trim timer-heavy suites and guardrail scanning
2026-03-02 10:28:39 +00:00
Peter Steinberger
5b8f492a48
fix(security): harden spoofed system marker handling
2026-03-02 06:19:16 +00:00
Tak Hoffman
bbab94c1fe
security(feishu): bind doc create grants to trusted requester context (#31184)
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-03-01 20:51:45 -06:00
Peter Steinberger
17bae93680
fix(security): warn on wildcard control-ui origins and feishu owner grants
2026-03-02 02:23:22 +00:00
Benedikt Johannes
b81e1b902d
Fixes minor security vulnerability (#30948) (#30951)
Merged via squash.
Prepared head SHA: cfbe5fe8301370d751b3c62d908533f00d583933
Co-authored-by: benediktjohannes <253604130+benediktjohannes@users.noreply.github.com>
Co-authored-by: shakkernerd <165377636+shakkernerd@users.noreply.github.com>
Reviewed-by: @shakkernerd
2026-03-02 00:38:01 +00:00
Peter Steinberger
bce643a0bd
refactor(security): enforce account-scoped pairing APIs
2026-02-26 21:57:52 +01:00
Peter Steinberger
262bca9bdd
fix: restore dm command and self-chat auth behavior
2026-02-26 18:49:16 +01:00
Peter Steinberger
64de4b6d6a
fix: enforce explicit group auth boundaries across channels
2026-02-26 18:49:16 +01:00
Peter Steinberger
cd80c7e7ff
refactor: unify dm policy store reads and reason codes
2026-02-26 17:47:57 +01:00
Peter Steinberger
051fdcc428
fix(security): centralize dm/group allowlist auth composition
2026-02-26 16:35:33 +01:00
Peter Steinberger
892a9c24b0
refactor(security): centralize channel allowlist auth policy
2026-02-26 13:06:33 +01:00
Peter Steinberger
8bdda7a651
fix(security): keep DM pairing allowlists out of group auth
2026-02-26 12:58:18 +01:00
Peter Steinberger
8f8e46d898
refactor: unify reaction ingress policy guards across channels
2026-02-26 01:34:47 +01:00
Peter Steinberger
aedf62ac7e
fix: harden discord and slack reaction ingress authorization
2026-02-26 01:26:47 +01:00
Peter Steinberger
42f455739f
fix(security): clarify denyCommands exact-match guidance
2026-02-26 00:55:35 +01:00
Peter Steinberger
a177b10b79
test(windows): normalize risky-path assertions
2026-02-25 01:28:47 +00:00
Brian Mendonca
9924f7c84e
fix(security): classify hook sessions case-insensitively
2026-02-24 23:48:09 +00:00
Peter Steinberger
4355e08262
refactor: harden safe-bin trusted dir diagnostics
2026-02-24 23:29:44 +00:00
Peter Steinberger
5552f9073f
refactor(sandbox): centralize network mode policy helpers
2026-02-24 23:26:46 +00:00
Peter Steinberger
14b6eea6e3
feat(sandbox): block container namespace joins by default
2026-02-24 23:20:34 +00:00
Peter Steinberger
4d124e4a9b
feat(security): warn on likely multi-user trust-model mismatch
2026-02-24 14:03:19 +00:00
Brian Mendonca
d51a4695f0
Deny cron tool on /tools/invoke by default
(cherry picked from commit 816a6b3a4df5bf8436f08e3fc8fa82411e3543ac)
2026-02-24 04:33:50 +00:00
Peter Steinberger
c070be1bc4
fix(sandbox): harden fs bridge path checks and bind mount policy
2026-02-24 02:21:43 +00:00
Peter Steinberger
223d7dc23d
feat(gateway)!: require explicit non-loopback control-ui origins
2026-02-24 01:57:11 +00:00
Peter Steinberger
161d9841dc
refactor(security): unify dangerous name matching handling
2026-02-24 01:33:08 +00:00
Peter Steinberger
cfa44ea6b4
fix(security): make allowFrom id-only by default with dangerous name opt-in (#24907)
* fix(channels): default allowFrom to id-only; add dangerous name opt-in
* docs(security): align channel allowFrom docs with id-only default
2026-02-24 01:01:51 +00:00
Peter Steinberger
663f784e4e
test(core): trim redundant setup and tighten waits
2026-02-24 00:31:58 +00:00
Peter Steinberger
a2dfe9879f
fix(security): harden regex compilation for filters and redaction
2026-02-23 23:54:50 +00:00
Peter Steinberger
f52a0228ca
test: optimize auth and audit test runtime
2026-02-23 23:31:52 +00:00
Peter Steinberger
b922ecb8c1
test(security): reduce duplicate audit assertions
2026-02-23 22:16:39 +00:00
边黎安
a4c373935f
fix(agents): fall back to agents.defaults.model when agent has no model config (#24210)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 0f272b102763736001a82cfda23f35ff2ee9cac8
Co-authored-by: bianbiandashen <16240681+bianbiandashen@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-23 03:18:55 -05:00
Peter Steinberger
57b75678d4
test(security): consolidate runtime guardrail scans
2026-02-22 22:06:01 +00:00
Peter Steinberger
8af6d1a186
refactor(test): dedupe repeated fixture setup helpers
2026-02-22 20:04:51 +00:00
Peter Steinberger
b79c89fc90
fix: stabilize CI type and test harness coverage
2026-02-22 18:06:34 +00:00
Peter Steinberger
03285465ff
perf(test): lazy-load weak-random fallback scanner
2026-02-22 17:52:12 +00:00
Peter Steinberger
90a8ddc3c6
perf(test): replace temp-path guard AST parse with fast scanner
2026-02-22 17:52:12 +00:00
Peter Steinberger
2962e5a383
perf(test): tighten temp-path dynamic prefilter
2026-02-22 17:51:38 +00:00