Peter Steinberger
cc2ff68947
test: optimize gateway infra memory and security coverage
2026-02-21 21:44:50 +00:00
George Pickett
802f043e53
Net: expand cross-origin sensitive header regression test
2026-02-19 11:42:25 -08:00
Andrii Furmanets
c0cd5a7265
Net: strip sensitive headers on cross-origin redirects
2026-02-19 11:42:25 -08:00
Peter Steinberger
26c9b37f5b
fix(security): enforce strict IPv4 SSRF literal handling
2026-02-19 15:24:47 +01:00
Peter Steinberger
baa335f258
fix(security): harden SSRF IPv4 literal parsing
2026-02-19 15:14:46 +01:00
Peter Steinberger
d05c8eb912
refactor: unify SSRF hostname/ip precheck and add policy regression
2026-02-19 10:25:31 +01:00
Peter Steinberger
d51929ecb5
fix: block ISATAP SSRF bypass via shared host/ip guard
2026-02-19 09:59:47 +01:00
Peter Steinberger
e8154c12e6
refactor(net): table-drive embedded IPv6 decoding and SSRF tests
2026-02-18 04:57:08 +01:00
Peter Steinberger
442fdbf3d8
fix(security): block SSRF IPv6 transition bypasses
2026-02-18 04:53:09 +01:00
cpojer
49bd9f75f4
chore: Fix types in tests 33/N.
2026-02-17 15:50:07 +09:00
cpojer
6e5df1dc0f
chore: Fix types in tests 25/N.
2026-02-17 14:31:02 +09:00
Sebastian
f924ab40d8
revert(tools): undo accidental merge of PR #18584
2026-02-16 21:13:48 -05:00
smartprogrammer93
6d2e3685d6
feat(tools): add URL allowlist for web_search and web_fetch
...
Add optional urlAllowlist config at tools.web level that restricts which
URLs can be accessed by web tools:
- Config types (types.tools.ts): Add urlAllowlist?: string[] to tools.web
- Zod schema: Add urlAllowlist field to ToolsWebSchema
- Schema help: Add help text for the new config fields
- web_search: Filter Brave search results by allowlist (provider=brave)
- web_fetch: Block URLs not matching allowlist before fetching
- ssrf.ts: Export normalizeHostnameAllowlist and matchesHostnameAllowlist
URL matching supports:
- Exact domain match (example.com)
- Wildcard patterns (*.github.com)
When urlAllowlist is not configured, all URLs are allowed (backwards compatible).
Tests: Add web-tools.url-allowlist.test.ts with 23 tests covering:
- URL allowlist resolution from config
- Wildcard pattern matching
- web_fetch error response format
- Brave search result filtering
2026-02-16 23:50:18 +01:00
Peter Steinberger
58ab60c0fc
perf(test): fold tls fingerprint normalization into ssrf suite
2026-02-16 02:44:59 +00:00
Peter Steinberger
4aaafe5322
refactor(net): share hostname normalization
2026-02-16 01:01:22 +00:00
Peter Steinberger
c0c0e0f9ae
fix(security): block full-form IPv4-mapped IPv6 in SSRF guard
2026-02-14 22:58:38 +01:00
Marcus Castro
7ec60d6449
fix: use relayAbort helper for addEventListener to preserve AbortError reason
2026-02-13 18:13:18 +01:00
Marcus Castro
d9c582627c
perf: use .abort.bind() instead of arrow closures to prevent memory leaks (#7174)
2026-02-13 18:13:18 +01:00
Peter Steinberger
99f28031e5
fix: harden OpenResponses URL input fetching
2026-02-13 01:38:49 +01:00
Peter Steinberger
9bd64c8a1f
fix: expand SSRF guard coverage
2026-02-02 04:58:32 -08:00
Peter Steinberger
81c68f582d
fix: guard remote media fetches with SSRF checks
2026-02-02 04:07:29 -08:00
cpojer
f06dd8df06
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports.
2026-02-01 10:03:47 +09:00
cpojer
5ceff756e1
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
cpojer
15792b153f
chore: Enable more lint rules, disable some that trigger a lot. Will clean up later.
2026-01-31 16:04:04 +09:00
Peter Steinberger
b623557a2e
fix: harden url fetch dns pinning
2026-01-26 16:05:29 +00:00
Peter Steinberger
5bd55037e4
fix: harden web fetch SSRF and redirects
...
Co-authored-by: Eli <fogboots@users.noreply.github.com>
2026-01-21 02:54:14 +00:00