Peter Steinberger
296b19e413
test: dedupe gateway browser discord and channel coverage
2026-02-22 17:11:54 +00:00
Peter Steinberger
f4dd0577b0
fix(security): block hook transform symlink escapes
2026-02-22 10:18:05 +01:00
SleuthCo.AI
fe609c0c77
security(hooks): block prototype-chain traversal in webhook template getByPath (#22213)
* security(hooks): block prototype-chain traversal in webhook template getByPath
The getByPath() function in hooks-mapping.ts traverses attacker-controlled
webhook payload data using arbitrary property path expressions, but does not
filter dangerous property names (__proto__, constructor, prototype).
The config-paths module (config-paths.ts) already blocks these exact keys
for config path traversal via a BLOCKED_KEYS set, but the hooks template
system was not protected with the same guard.
Add a BLOCKED_PATH_KEYS set mirroring config-paths.ts and reject traversal
into __proto__, prototype, or constructor in getByPath(). Add three test
cases covering all three blocked keys.
Signed-off-by: Alan Ross <alan@sleuthco.ai>
* test(gateway): narrow hook action type in prototype-pollution tests
* changelog: credit hooks prototype-path guard in PR 22213
* changelog: move hooks prototype-path fix into security section
---------
Signed-off-by: Alan Ross <alan@sleuthco.ai>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-21 03:01:03 -05:00
Marcus Castro
c8ee33c162
fix(gateway): include export name in hook transform cache key (#13855)
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: a9eea919b88b33c3297620d62b38bac9cfa412bf
Co-authored-by: mcaxtr <7562095+mcaxtr@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
2026-02-20 17:44:51 +00:00
cpojer
084e39b519
chore: Fix types in tests 38/N.
2026-02-17 15:50:07 +09:00
cpojer
e02feaff83
chore: Fix types in tests 11/N.
2026-02-17 11:22:49 +09:00
Peter Steinberger
93ca0ed54f
refactor(channels): dedupe transport and gateway test scaffolds
2026-02-16 14:59:31 +00:00
Peter Steinberger
3d38e56401
refactor(test): dedupe hook transform skip assertions
2026-02-15 15:30:37 +00:00
Peter Steinberger
35c0e66ed0
fix(security): harden hooks module loading
2026-02-14 15:03:27 +01:00
Peter Steinberger
a0361b8ba9
fix(security): restrict hook transform module loading
2026-02-14 13:46:09 +01:00
Bill Chirico
ca629296c6
feat(hooks): add agentId support to webhook mappings (#13672)
* feat(hooks): add agentId support to webhook mappings
Allow webhook mappings to route hook runs to a specific agent via
the new `agentId` field. This enables lightweight agents with minimal
bootstrap files to handle webhooks, reducing token cost per hook run.
The agentId is threaded through:
- HookMappingConfig (config type + zod schema)
- HookMappingResolved + HookAction (mapping types)
- normalizeHookMapping + buildActionFromMapping (mapping logic)
- mergeAction (transform override support)
- HookAgentPayload + normalizeAgentPayload (direct /hooks/agent endpoint)
- dispatchAgentHook → CronJob.agentId (server dispatch)
The existing runCronIsolatedAgentTurn already supports agentId on
CronJob — this change simply wires it through from webhook mappings.
Usage in config:
hooks.mappings[].agentId = "my-agent"
Usage via POST /hooks/agent:
{ "message": "...", "agentId": "my-agent" }
Includes tests for mapping passthrough and payload normalization.
Includes doc updates for webhook.md.
* fix(hooks): enforce webhook agent routing policy + docs/changelog updates (#13672) (thanks @BillChirico)
* fix(hooks): harden explicit agent allowlist semantics (#13672) (thanks @BillChirico)
---------
Co-authored-by: Pip <pip@openclaw.ai>
Co-authored-by: Gustavo Madeira Santana <gumadeiras@gmail.com>
2026-02-10 19:23:58 -05:00
cpojer
f06dd8df06
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports.
2026-02-01 10:03:47 +09:00
cpojer
b7e401b6b6
chore: Enable no-useless-concat (removing the lint rule from the disabled list automatically enables it because it is in the "suspicious" group).
2026-01-31 16:08:56 +09:00
Peter Steinberger
9a7160786a
refactor: rename to openclaw
2026-01-30 03:16:21 +01:00
Peter Steinberger
6d16a658e5
refactor: rename clawdbot to moltbot with legacy compat
2026-01-27 12:21:02 +00:00
Peter Steinberger
73988506fe
feat: allow hook model overrides
2026-01-08 09:33:42 +00:00
Peter Steinberger
246adaa119
chore: rename project to clawdbot
2026-01-04 14:38:51 +00:00
Jared Verdi
12e27f9e5e
Gateway: ack skipped hook transforms with 204
2026-01-03 02:32:50 +01:00
Peter Steinberger
aeb5455555
feat: add webhook hook mappings
# Conflicts:
# src/gateway/server.ts
2025-12-24 19:48:05 +00:00