nyk commited on
Commit
4840982
·
unverified ·
1 Parent(s): 778f981

fix: stop forcing dangerouslyDisableDeviceAuth + fix exec security value

Browse files

- Remove unconditional `dangerouslyDisableDeviceAuth = true` from MC
origin registration. MC should only add its origin to allowedOrigins,
not silently downgrade the gateway's device auth security posture.

- Replace invalid `sandbox` value with `allowlist` in security scan
and auto-fix for `tools.exec.security`. Current OpenClaw validates
only: deny, allowlist, full. The old `sandbox` value was rejected.

Closes #357, closes #356

src/app/api/security-scan/fix/route.ts CHANGED
@@ -272,10 +272,10 @@ export async function POST(request: NextRequest) {
272
  if (shouldFix('exec_restricted')) {
273
  if (!ocConfig.tools) ocConfig.tools = {}
274
  if (!ocConfig.tools.exec) ocConfig.tools.exec = {}
275
- if (ocConfig.tools.exec.security !== 'sandbox' && ocConfig.tools.exec.security !== 'deny') {
276
- ocConfig.tools.exec.security = 'sandbox'
277
  configChanged = true
278
- results.push({ id: 'exec_restricted', name: 'Exec tool restriction', fixed: true, detail: 'Set exec security to "sandbox"', fixSafety: FIX_SAFETY['exec_restricted'] })
279
  }
280
  }
281
 
 
272
  if (shouldFix('exec_restricted')) {
273
  if (!ocConfig.tools) ocConfig.tools = {}
274
  if (!ocConfig.tools.exec) ocConfig.tools.exec = {}
275
+ if (ocConfig.tools.exec.security !== 'allowlist' && ocConfig.tools.exec.security !== 'deny') {
276
+ ocConfig.tools.exec.security = 'allowlist'
277
  configChanged = true
278
+ results.push({ id: 'exec_restricted', name: 'Exec tool restriction', fixed: true, detail: 'Set exec security to "allowlist"', fixSafety: FIX_SAFETY['exec_restricted'] })
279
  }
280
  }
281
 
src/lib/gateway-runtime.ts CHANGED
@@ -44,19 +44,16 @@ export function registerMcAsDashboard(mcUrl: string): { registered: boolean; alr
44
  const origin = new URL(mcUrl).origin
45
  const origins: string[] = parsed.gateway.controlUi.allowedOrigins || []
46
  const alreadyInOrigins = origins.includes(origin)
47
- const deviceAuthAlreadyDisabled = parsed.gateway.controlUi.dangerouslyDisableDeviceAuth === true
48
 
49
- if (alreadyInOrigins && deviceAuthAlreadyDisabled) {
50
  return { registered: false, alreadySet: true }
51
  }
52
 
53
- // Add MC origin to allowedOrigins and disable device auth
54
- // (MC authenticates via gateway token device pairing is unnecessary)
55
- if (!alreadyInOrigins) {
56
- origins.push(origin)
57
- parsed.gateway.controlUi.allowedOrigins = origins
58
- }
59
- parsed.gateway.controlUi.dangerouslyDisableDeviceAuth = true
60
 
61
  fs.writeFileSync(configPath, JSON.stringify(parsed, null, 2) + '\n')
62
  logger.info({ origin }, 'Registered MC origin in gateway config')
 
44
  const origin = new URL(mcUrl).origin
45
  const origins: string[] = parsed.gateway.controlUi.allowedOrigins || []
46
  const alreadyInOrigins = origins.includes(origin)
 
47
 
48
+ if (alreadyInOrigins) {
49
  return { registered: false, alreadySet: true }
50
  }
51
 
52
+ // Add MC origin to allowedOrigins only do NOT touch dangerouslyDisableDeviceAuth.
53
+ // MC authenticates via gateway token, but forcing device auth off is a security
54
+ // downgrade that the operator should control, not Mission Control.
55
+ origins.push(origin)
56
+ parsed.gateway.controlUi.allowedOrigins = origins
 
 
57
 
58
  fs.writeFileSync(configPath, JSON.stringify(parsed, null, 2) + '\n')
59
  logger.info({ origin }, 'Registered MC origin in gateway config')
src/lib/security-scan.ts CHANGED
@@ -362,9 +362,9 @@ function scanOpenClaw(): Category {
362
  checks.push({
363
  id: 'exec_restricted',
364
  name: 'Exec tool restricted',
365
- status: execSecurity === 'deny' ? 'pass' : execSecurity === 'sandbox' ? 'pass' : 'warn',
366
  detail: `Exec security: ${execSecurity || 'default'}`,
367
- fix: execSecurity !== 'deny' && execSecurity !== 'sandbox' ? 'Set tools.exec.security to "deny" or "sandbox"' : '',
368
  severity: 'high',
369
  })
370
 
 
362
  checks.push({
363
  id: 'exec_restricted',
364
  name: 'Exec tool restricted',
365
+ status: execSecurity === 'deny' ? 'pass' : execSecurity === 'allowlist' ? 'pass' : 'warn',
366
  detail: `Exec security: ${execSecurity || 'default'}`,
367
+ fix: execSecurity !== 'deny' && execSecurity !== 'allowlist' ? 'Set tools.exec.security to "deny" or "allowlist"' : '',
368
  severity: 'high',
369
  })
370