nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
openclaw/src/node-host
History
Robin Waslander b7a37c2023
fix(node-host): extend script-runner set and add fail-closed guard for mutable-file approval 
tsx, jiti, ts-node, ts-node-esm, vite-node, and esno were not recognized
as interpreter-style script runners in invoke-system-run-plan.ts. These
runners produced mutableFileOperand: null, causing invoke-system-run.ts
to skip revalidation entirely. A mutated script payload would execute
without the approval binding check that node ./run.js already enforced.

Two-part fix:
- Add tsx, jiti, and related TypeScript/ESM loaders to the known script
  runner set so they produce a valid mutableFileOperand from the planner
- Add a fail-closed runtime guard in invoke-system-run.ts that denies
  execution when a script run should have a mutable-file binding but the
  approval plan is missing it, preventing unknown future runners from
  silently bypassing revalidation

Fixes GHSA-qc36-x95h-7j53
 		2026-03-12 01:34:35 +01:00
..
config.ts fix: harden sandbox writes and centralize atomic file writes 2026-03-02 16:45:12 +00:00
exec-policy.test.ts test: dedupe fixtures and test harness setup 2026-02-23 05:45:54 +00:00
exec-policy.ts fix(security): block shell-wrapper line-continuation allowlist bypass 2026-02-22 22:36:29 +01:00
invoke-browser.test.ts refactor: harden browser relay CDP flows 2026-03-08 23:46:10 +00:00
invoke-browser.ts refactor: harden browser relay CDP flows 2026-03-08 23:46:10 +00:00
invoke-system-run-allowlist.ts refactor!: remove versioned system-run approval contract 2026-03-02 01:12:53 +00:00
invoke-system-run-plan.test.ts fix(node-host): extend script-runner set and add fail-closed guard for mutable-file approval 2026-03-12 01:34:35 +01:00
invoke-system-run-plan.ts fix(node-host): extend script-runner set and add fail-closed guard for mutable-file approval 2026-03-12 01:34:35 +01:00
invoke-system-run.test.ts fix(node-host): extend script-runner set and add fail-closed guard for mutable-file approval 2026-03-12 01:34:35 +01:00
invoke-system-run.ts fix(node-host): extend script-runner set and add fail-closed guard for mutable-file approval 2026-03-12 01:34:35 +01:00
invoke-types.ts refactor(security): simplify system.run approval model 2026-03-11 01:43:06 +00:00
invoke.sanitize-env.test.ts fix(node-host): decode Windows exec output with active code page (openclaw#30652) thanks @Sid-Qin 2026-03-02 07:50:17 -06:00
invoke.ts refactor(security): simplify system.run approval model 2026-03-11 01:43:06 +00:00
runner.credentials.test.ts ui: fix sessions table collapse on narrow widths (#12175) 2026-03-09 23:14:07 -05:00
runner.ts Node Host: allowlist password precedence labels 2026-03-07 16:43:22 -08:00
with-timeout.ts fix: add safety timeout to session.compact() to prevent lane deadlock (#16533) 2026-02-14 17:54:12 -05:00