Spaces:
Runtime error
Runtime error
nyk commited on
fix: stop forcing dangerouslyDisableDeviceAuth + fix exec security value
Browse files- Remove unconditional `dangerouslyDisableDeviceAuth = true` from MC
origin registration. MC should only add its origin to allowedOrigins,
not silently downgrade the gateway's device auth security posture.
- Replace invalid `sandbox` value with `allowlist` in security scan
and auto-fix for `tools.exec.security`. Current OpenClaw validates
only: deny, allowlist, full. The old `sandbox` value was rejected.
Closes #357, closes #356
src/app/api/security-scan/fix/route.ts
CHANGED
|
@@ -272,10 +272,10 @@ export async function POST(request: NextRequest) {
|
|
| 272 |
if (shouldFix('exec_restricted')) {
|
| 273 |
if (!ocConfig.tools) ocConfig.tools = {}
|
| 274 |
if (!ocConfig.tools.exec) ocConfig.tools.exec = {}
|
| 275 |
-
if (ocConfig.tools.exec.security !== '
|
| 276 |
-
ocConfig.tools.exec.security = '
|
| 277 |
configChanged = true
|
| 278 |
-
results.push({ id: 'exec_restricted', name: 'Exec tool restriction', fixed: true, detail: 'Set exec security to "
|
| 279 |
}
|
| 280 |
}
|
| 281 |
|
|
|
|
| 272 |
if (shouldFix('exec_restricted')) {
|
| 273 |
if (!ocConfig.tools) ocConfig.tools = {}
|
| 274 |
if (!ocConfig.tools.exec) ocConfig.tools.exec = {}
|
| 275 |
+
if (ocConfig.tools.exec.security !== 'allowlist' && ocConfig.tools.exec.security !== 'deny') {
|
| 276 |
+
ocConfig.tools.exec.security = 'allowlist'
|
| 277 |
configChanged = true
|
| 278 |
+
results.push({ id: 'exec_restricted', name: 'Exec tool restriction', fixed: true, detail: 'Set exec security to "allowlist"', fixSafety: FIX_SAFETY['exec_restricted'] })
|
| 279 |
}
|
| 280 |
}
|
| 281 |
|
src/lib/gateway-runtime.ts
CHANGED
|
@@ -44,19 +44,16 @@ export function registerMcAsDashboard(mcUrl: string): { registered: boolean; alr
|
|
| 44 |
const origin = new URL(mcUrl).origin
|
| 45 |
const origins: string[] = parsed.gateway.controlUi.allowedOrigins || []
|
| 46 |
const alreadyInOrigins = origins.includes(origin)
|
| 47 |
-
const deviceAuthAlreadyDisabled = parsed.gateway.controlUi.dangerouslyDisableDeviceAuth === true
|
| 48 |
|
| 49 |
-
if (alreadyInOrigins
|
| 50 |
return { registered: false, alreadySet: true }
|
| 51 |
}
|
| 52 |
|
| 53 |
-
// Add MC origin to allowedOrigins
|
| 54 |
-
//
|
| 55 |
-
|
| 56 |
-
|
| 57 |
-
|
| 58 |
-
}
|
| 59 |
-
parsed.gateway.controlUi.dangerouslyDisableDeviceAuth = true
|
| 60 |
|
| 61 |
fs.writeFileSync(configPath, JSON.stringify(parsed, null, 2) + '\n')
|
| 62 |
logger.info({ origin }, 'Registered MC origin in gateway config')
|
|
|
|
| 44 |
const origin = new URL(mcUrl).origin
|
| 45 |
const origins: string[] = parsed.gateway.controlUi.allowedOrigins || []
|
| 46 |
const alreadyInOrigins = origins.includes(origin)
|
|
|
|
| 47 |
|
| 48 |
+
if (alreadyInOrigins) {
|
| 49 |
return { registered: false, alreadySet: true }
|
| 50 |
}
|
| 51 |
|
| 52 |
+
// Add MC origin to allowedOrigins only — do NOT touch dangerouslyDisableDeviceAuth.
|
| 53 |
+
// MC authenticates via gateway token, but forcing device auth off is a security
|
| 54 |
+
// downgrade that the operator should control, not Mission Control.
|
| 55 |
+
origins.push(origin)
|
| 56 |
+
parsed.gateway.controlUi.allowedOrigins = origins
|
|
|
|
|
|
|
| 57 |
|
| 58 |
fs.writeFileSync(configPath, JSON.stringify(parsed, null, 2) + '\n')
|
| 59 |
logger.info({ origin }, 'Registered MC origin in gateway config')
|
src/lib/security-scan.ts
CHANGED
|
@@ -362,9 +362,9 @@ function scanOpenClaw(): Category {
|
|
| 362 |
checks.push({
|
| 363 |
id: 'exec_restricted',
|
| 364 |
name: 'Exec tool restricted',
|
| 365 |
-
status: execSecurity === 'deny' ? 'pass' : execSecurity === '
|
| 366 |
detail: `Exec security: ${execSecurity || 'default'}`,
|
| 367 |
-
fix: execSecurity !== 'deny' && execSecurity !== '
|
| 368 |
severity: 'high',
|
| 369 |
})
|
| 370 |
|
|
|
|
| 362 |
checks.push({
|
| 363 |
id: 'exec_restricted',
|
| 364 |
name: 'Exec tool restricted',
|
| 365 |
+
status: execSecurity === 'deny' ? 'pass' : execSecurity === 'allowlist' ? 'pass' : 'warn',
|
| 366 |
detail: `Exec security: ${execSecurity || 'default'}`,
|
| 367 |
+
fix: execSecurity !== 'deny' && execSecurity !== 'allowlist' ? 'Set tools.exec.security to "deny" or "allowlist"' : '',
|
| 368 |
severity: 'high',
|
| 369 |
})
|
| 370 |
|