@poolzin/pool-bot 2026.3.13 → 2026.3.15

package/dist/gateway/gateway-improvements.js

@@ -0,0 +1,294 @@
+/**
+ * Gateway & Auth Upgrades
+ *
+ * Implements OpenClaw improvements:
+ * - Device-auth v2 with nonce-based signing
+ * - Trusted-proxy mode with loopback allowance
+ * - Control UI CORS with wildcard support
+ * - Security headers (HSTS, Permissions-Policy)
+ * - Rate limiting for sensitive endpoints
+ *
+ * OpenClaw #32384, #30951
+ */
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+export const DEFAULT_DEVICE_AUTH_V2_CONFIG = {
+    enabled: true,
+    nonceLength: 32,
+    nonceTtlMs: 5 * 60 * 1000, // 5 minutes
+    signatureAlgorithm: "sha256",
+    requireNonce: false, // Allow v1 for backward compatibility
+    allowV1Fallback: true,
+};
+const nonceStore = new Map();
+/**
+ * Cleanup expired nonces every 10 minutes
+ */
+setInterval(() => {
+    const now = Date.now();
+    const maxAge = 10 * 60 * 1000; // 10 minutes
+    for (const [deviceId, entry] of nonceStore.entries()) {
+        if (now - entry.createdAt > maxAge) {
+            nonceStore.delete(deviceId);
+        }
+    }
+}, 10 * 60 * 1000).unref();
+/**
+ * Generate a new nonce for device-auth v2
+ */
+export function generateNonce(config = DEFAULT_DEVICE_AUTH_V2_CONFIG) {
+    return randomBytes(config.nonceLength).toString("hex");
+}
+/**
+ * Store nonce for device-auth v2
+ */
+export function storeNonce(params) {
+    const { deviceId, nonce, config } = params;
+    nonceStore.set(deviceId, {
+        nonce,
+        createdAt: Date.now(),
+        used: false,
+    });
+    // Auto-expire after TTL
+    setTimeout(() => {
+        const entry = nonceStore.get(deviceId);
+        if (entry && entry.nonce === nonce) {
+            nonceStore.delete(deviceId);
+        }
+    }, config.nonceTtlMs).unref();
+}
+/**
+ * Verify nonce for device-auth v2
+ */
+export function verifyNonce(params) {
+    const { deviceId, nonce, config } = params;
+    const entry = nonceStore.get(deviceId);
+    if (!entry) {
+        return { valid: false, reason: "Nonce not found or expired" };
+    }
+    if (entry.used) {
+        return { valid: false, reason: "Nonce already used (replay attempt)" };
+    }
+    if (Date.now() - entry.createdAt > config.nonceTtlMs) {
+        nonceStore.delete(deviceId);
+        return { valid: false, reason: "Nonce expired" };
+    }
+    if (!timingSafeEqual(Buffer.from(entry.nonce), Buffer.from(nonce))) {
+        return { valid: false, reason: "Nonce mismatch" };
+    }
+    // Mark as used
+    entry.used = true;
+    return { valid: true };
+}
+/**
+ * Build device-auth v2 payload with nonce
+ */
+export function buildDeviceAuthV2Payload(params) {
+    const { deviceId, clientId, clientMode, role, scopes, signedAtMs, token, nonce } = params;
+    const scopesStr = scopes.join(",");
+    return `v2|${deviceId}|${clientId}|${clientMode}|${role}|${scopesStr}|${signedAtMs}|${token}|${nonce}`;
+}
+/**
+ * Sign device-auth v2 payload
+ */
+export function signDeviceAuthV2Payload(params) {
+    const { payload, secret, algorithm } = params;
+    return createHmac(algorithm, secret).update(payload).digest("hex");
+}
+/**
+ * Verify device-auth v2 signature
+ */
+export function verifyDeviceAuthV2Signature(params) {
+    const { payload, signature, secret, algorithm } = params;
+    try {
+        const expectedSignature = signDeviceAuthV2Payload({ payload, secret, algorithm });
+        const signatureBuffer = Buffer.from(signature, "hex");
+        const expectedBuffer = Buffer.from(expectedSignature, "hex");
+        if (signatureBuffer.length !== expectedBuffer.length) {
+            return { valid: false, reason: "Signature length mismatch" };
+        }
+        if (!timingSafeEqual(signatureBuffer, expectedBuffer)) {
+            return { valid: false, reason: "Signature mismatch" };
+        }
+        return { valid: true };
+    }
+    catch {
+        return { valid: false, reason: "Invalid signature format" };
+    }
+}
+export const DEFAULT_TRUSTED_PROXY_CONFIG = {
+    enabled: true,
+    trustedProxies: ["127.0.0.1", "::1"],
+    userHeader: "X-Forwarded-User",
+    requiredHeaders: [],
+    allowUsers: [],
+    allowLoopback: true,
+    autoApproveLoopbackScopes: true,
+    safeLoopbackScopes: ["read", "read:config", "read:status", "write", "execute", "execute:tool"],
+};
+/**
+ * Check if IP is a trusted proxy
+ */
+export function isTrustedProxy(ip, config = DEFAULT_TRUSTED_PROXY_CONFIG) {
+    if (!config.enabled) {
+        return false;
+    }
+    return config.trustedProxies.includes(ip);
+}
+/**
+ * Check if IP is loopback
+ */
+export function isLoopbackIp(ip) {
+    return ip === "127.0.0.1" || ip === "::1" || ip === "localhost";
+}
+/**
+ * Validate scope upgrade for loopback
+ */
+export function validateLoopbackScopeUpgrade(params) {
+    const { currentScopes, requestedScopes, config } = params;
+    if (!config.autoApproveLoopbackScopes) {
+        return { allowed: false, reason: "Auto-approve for loopback is disabled" };
+    }
+    const currentSet = new Set(currentScopes.map((s) => s.trim().toLowerCase()));
+    const newScopes = requestedScopes.filter((s) => !currentSet.has(s.trim().toLowerCase()));
+    const safeScopes = new Set(config.safeLoopbackScopes.map((s) => s.trim().toLowerCase()));
+    for (const scope of newScopes) {
+        const normalized = scope.trim().toLowerCase();
+        if (!safeScopes.has(normalized) &&
+            !normalized.startsWith("read:") &&
+            !normalized.startsWith("execute:")) {
+            return { allowed: false, reason: `Scope "${scope}" requires explicit approval` };
+        }
+    }
+    return { allowed: true };
+}
+export const DEFAULT_CONTROL_UI_CORS_CONFIG = {
+    enabled: true,
+    allowedOrigins: ["*"], // Wildcard by default for local dev
+    allowedMethods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+    allowedHeaders: ["Content-Type", "Authorization", "X-Request-ID"],
+    exposedHeaders: ["X-Request-ID", "X-RateLimit-Remaining"],
+    maxAgeSeconds: 86400, // 24 hours
+    allowCredentials: false,
+    wildcardSubdomains: true,
+};
+/**
+ * Check if origin is allowed
+ */
+export function isOriginAllowed(origin, config = DEFAULT_CONTROL_UI_CORS_CONFIG) {
+    if (!config.enabled || !origin) {
+        return false;
+    }
+    // Wildcard allows all
+    if (config.allowedOrigins.includes("*")) {
+        return true;
+    }
+    // Check exact match
+    if (config.allowedOrigins.includes(origin)) {
+        return true;
+    }
+    // Check wildcard subdomains
+    if (config.wildcardSubdomains) {
+        for (const allowed of config.allowedOrigins) {
+            if (allowed.startsWith("*.")) {
+                const suffix = allowed.slice(1);
+                if (origin.endsWith(suffix)) {
+                    return true;
+                }
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Generate CORS headers
+ */
+export function generateCorsHeaders(params) {
+    const { origin, config } = params;
+    const headers = {};
+    if (!config.enabled) {
+        return headers;
+    }
+    const allowedOrigin = isOriginAllowed(origin, config) ? (origin ?? "*") : "";
+    if (allowedOrigin) {
+        headers["Access-Control-Allow-Origin"] = allowedOrigin;
+        headers["Access-Control-Allow-Methods"] = config.allowedMethods.join(", ");
+        headers["Access-Control-Allow-Headers"] = config.allowedHeaders.join(", ");
+        headers["Access-Control-Expose-Headers"] = config.exposedHeaders.join(", ");
+        headers["Access-Control-Max-Age"] = String(config.maxAgeSeconds);
+        if (config.allowCredentials) {
+            headers["Access-Control-Allow-Credentials"] = "true";
+        }
+    }
+    return headers;
+}
+export const DEFAULT_SECURITY_HEADERS_CONFIG = {
+    enabled: true,
+    hstsMaxAgeSeconds: 31536000, // 1 year
+    hstsIncludeSubdomains: true,
+    hstsPreload: true,
+    permissionsPolicy: [
+        "accelerometer=()",
+        "camera=()",
+        "geolocation=()",
+        "gyroscope=()",
+        "magnetometer=()",
+        "microphone=()",
+        "payment=()",
+        "usb=()",
+    ],
+    xContentTypeOptions: true,
+    xFrameOptions: true,
+    xXssProtection: true,
+    referrerPolicy: "strict-origin-when-cross-origin",
+};
+/**
+ * Generate security headers
+ */
+export function generateSecurityHeaders(config = DEFAULT_SECURITY_HEADERS_CONFIG) {
+    if (!config.enabled) {
+        return {};
+    }
+    const headers = {};
+    // HSTS
+    if (config.hstsMaxAgeSeconds > 0) {
+        let hsts = `max-age=${config.hstsMaxAgeSeconds}`;
+        if (config.hstsIncludeSubdomains) {
+            hsts += "; includeSubDomains";
+        }
+        if (config.hstsPreload) {
+            hsts += "; preload";
+        }
+        headers["Strict-Transport-Security"] = hsts;
+    }
+    // Permissions-Policy
+    if (config.permissionsPolicy.length > 0) {
+        headers["Permissions-Policy"] = config.permissionsPolicy.join(", ");
+    }
+    // X-Content-Type-Options
+    if (config.xContentTypeOptions) {
+        headers["X-Content-Type-Options"] = "nosniff";
+    }
+    // X-Frame-Options
+    if (config.xFrameOptions) {
+        headers["X-Frame-Options"] = "DENY";
+    }
+    // X-XSS-Protection
+    if (config.xXssProtection) {
+        headers["X-XSS-Protection"] = "1; mode=block";
+    }
+    // Content-Security-Policy
+    if (config.contentSecurityPolicy) {
+        headers["Content-Security-Policy"] = config.contentSecurityPolicy;
+    }
+    // Referrer-Policy
+    headers["Referrer-Policy"] = config.referrerPolicy;
+    return headers;
+}
+/**
+ * Combine CORS and security headers
+ */
+export function generateGatewayHeaders(params) {
+    const corsHeaders = generateCorsHeaders({ origin: params.origin, config: params.corsConfig });
+    const securityHeaders = generateSecurityHeaders(params.securityConfig);
+    return { ...corsHeaders, ...securityHeaders };
+}

package/dist/gateway/node-command-policy.js

@@ -32,6 +32,7 @@ const SYSTEM_COMMANDS = [
     "system.execApprovals.set",
     "browser.proxy",
 ];
+const FILE_DANGEROUS_COMMANDS = ["file.write", "file.delete"];
 // "High risk" node commands. These can be enabled by explicitly adding them to
 // `gateway.nodes.allowCommands` (and ensuring they're not blocked by denyCommands).
 export const DEFAULT_DANGEROUS_NODE_COMMANDS = [
@@ -41,6 +42,7 @@ export const DEFAULT_DANGEROUS_NODE_COMMANDS = [
     ...CALENDAR_DANGEROUS_COMMANDS,
     ...REMINDERS_DANGEROUS_COMMANDS,
     ...SMS_DANGEROUS_COMMANDS,
+    ...FILE_DANGEROUS_COMMANDS,
 ];
 const PLATFORM_DEFAULTS = {
     ios: [
@@ -77,9 +79,12 @@ const PLATFORM_DEFAULTS = {
         ...PHOTOS_COMMANDS,
         ...MOTION_COMMANDS,
         ...SYSTEM_COMMANDS,
+        "file.read",
+        "file.exists",
+        "file.list",
     ],
-    linux: [...SYSTEM_COMMANDS],
-    windows: [...SYSTEM_COMMANDS],
+    linux: [...SYSTEM_COMMANDS, "file.read", "file.exists", "file.list"],
+    windows: [...SYSTEM_COMMANDS, "file.read", "file.exists", "file.list"],
     unknown: [...CANVAS_COMMANDS, ...CAMERA_COMMANDS, ...LOCATION_COMMANDS, ...SYSTEM_COMMANDS],
 };
 function normalizePlatformId(platform, deviceFamily) {

package/dist/infra/net/ssrf.js

@@ -20,6 +20,16 @@ function normalizeHostnameSet(values) {
     }
     return new Set(values.map((value) => normalizeHostname(value)).filter(Boolean));
 }
+/**
+ * Normalize hostname with Unicode NFKC folding to prevent homoglyph bypass attacks.
+ * This catches lookalike characters that could be used to bypass allowlist checks.
+ */
+export function normalizeHostnameWithUnicode(value) {
+    // Apply NFKC normalization to fold homoglyphs and lookalike characters
+    const normalized = value.normalize("NFKC");
+    // Then apply standard hostname normalization
+    return normalizeHostname(normalized) || normalized.toLowerCase();
+}
 function normalizeHostnameAllowlist(values) {
     if (!values || values.length === 0) {
         return [];
@@ -89,8 +99,11 @@ export function isPrivateIpAddress(address, policy) {
         return false;
     }
     // Security-critical parse failures should fail closed for any malformed IPv6 literal.
-    if (normalized.includes(":") && !parseLooseIpAddress(normalized)) {
-        return true;
+    // This includes IPv6 transition mechanism literals and malformed addresses.
+    if (normalized.includes(":")) {
+        if (!parseLooseIpAddress(normalized)) {
+            return true;
+        }
     }
     if (!isCanonicalDottedDecimalIPv4(normalized) && isLegacyIpv4Literal(normalized)) {
         return true;

package/dist/infra/shell-security.js

@@ -0,0 +1,201 @@
+/**
+ * Shell Command Security Hardening
+ *
+ * Prevents shell injection attacks via:
+ * - Line continuation blocking (\\\n)
+ * - Unicode normalization for homoglyph attacks
+ * - Fail-closed sandbox unavailable handling
+ * - Docker namespace join blocking
+ *
+ * OpenClaw #32384, #30951
+ */
+import { isSafeExecutableValue } from "./exec-safety.js";
+/**
+ * Shell metacharacters that enable command injection or chaining.
+ * Extended set includes backslash for line continuation detection.
+ */
+const SHELL_INJECTION_CHARS = /[;&|`$(){}<>\\]/;
+const SHELL_LINE_CONTINUATION = /\\\r?\n/g;
+const SHELL_COMMENT_INJECTION = /#[^\n]*$/gm;
+/**
+ * Unicode characters that can be used to bypass shell filters.
+ * Includes zero-width chars, homoglyphs, and special whitespace.
+ */
+const UNICODE_BYPASS_CHARS = /[\u200B-\u200D\uFEFF\u00A0\u2000-\u200A\u2028\u2029\u202F\u205F\u3000]/;
+/**
+ * Check if a command contains shell line continuations (\\\n).
+ * OpenClaw #32384 - blocks shell wrapper bypass attempts.
+ */
+export function hasShellLineContinuation(command) {
+    return SHELL_LINE_CONTINUATION.test(command);
+}
+/**
+ * Check if a command contains unicode bypass characters.
+ */
+export function hasUnicodeBypassChars(command) {
+    return UNICODE_BYPASS_CHARS.test(command);
+}
+/**
+ * Normalize command string to prevent unicode bypass attacks.
+ * Removes zero-width characters and normalizes whitespace.
+ */
+export function normalizeShellCommand(command) {
+    // Remove zero-width and special unicode chars
+    let normalized = command.replace(UNICODE_BYPASS_CHARS, "");
+    // Normalize line endings
+    normalized = normalized.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+    // Remove shell line continuations (security-critical)
+    normalized = normalized.replace(SHELL_LINE_CONTINUATION, "");
+    // Remove trailing comments that could bypass filters
+    normalized = normalized.replace(SHELL_COMMENT_INJECTION, "");
+    // Trim whitespace
+    return normalized.trim();
+}
+/**
+ * Enhanced shell command validation with continuation blocking.
+ * OpenClaw #32384
+ */
+export function isSafeShellCommand(command) {
+    if (!command || !command.trim()) {
+        return false;
+    }
+    const normalized = normalizeShellCommand(command);
+    // Block if normalization removed anything (indicates bypass attempt)
+    if (normalized !== command.trim()) {
+        return false;
+    }
+    // Check for shell injection chars
+    if (SHELL_INJECTION_CHARS.test(normalized)) {
+        return false;
+    }
+    // Check for unicode bypass attempts
+    if (hasUnicodeBypassChars(command)) {
+        return false;
+    }
+    // Check for line continuations
+    if (hasShellLineContinuation(command)) {
+        return false;
+    }
+    // Use existing safety check
+    return isSafeExecutableValue(normalized);
+}
+/**
+ * Docker namespace types that should be blocked by default.
+ * OpenClaw #32384 - prevents container escape via namespace joins.
+ */
+const BLOCKED_DOCKER_NAMESPACES = new Set(["pid", "ipc", "uts", "mount", "network"]);
+/**
+ * Check if a Docker run command attempts to join host namespaces.
+ * Blocks --pid=host, --ipc=host, --network=host, etc.
+ */
+export function hasDangerousDockerNamespace(command) {
+    const normalized = command.toLowerCase();
+    for (const ns of BLOCKED_DOCKER_NAMESPACES) {
+        // Match patterns like --pid=host, --pid host, --pidhost
+        const patterns = [
+            new RegExp(`--${ns}\\s*=\\s*host`, "i"),
+            new RegExp(`--${ns}\\s+host`, "i"),
+            new RegExp(`--${ns}host`, "i"),
+        ];
+        for (const pattern of patterns) {
+            if (pattern.test(normalized)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Validate Docker command for security issues.
+ * Returns { valid: true } or { valid: false, reason: string }
+ */
+export function validateDockerCommand(command) {
+    // Check for namespace joins
+    if (hasDangerousDockerNamespace(command)) {
+        return {
+            valid: false,
+            reason: "Docker namespace join detected (pid/ipc/uts/mount/network=host). Container escape vector.",
+        };
+    }
+    // Check for privileged mode
+    if (/--privileged/.test(command.toLowerCase())) {
+        return {
+            valid: false,
+            reason: "Privileged Docker container detected. Full host access bypass.",
+        };
+    }
+    // Check for dangerous volume mounts
+    const dangerousMounts = [
+        "/:/host",
+        "/:/root",
+        "--volume=/:",
+        "-v /:/",
+        "--volume=/:/",
+        "-v /:/",
+        "--volume=/var/run/docker.sock",
+        "-v /var/run/docker.sock",
+        "--volume=/run/docker.sock",
+        "-v /run/docker.sock",
+    ];
+    const normalized = command.toLowerCase();
+    for (const mount of dangerousMounts) {
+        if (normalized.includes(mount.toLowerCase())) {
+            return {
+                valid: false,
+                reason: `Dangerous volume mount detected: ${mount}. Host filesystem access bypass.`,
+            };
+        }
+    }
+    // Check for capability additions
+    if (/--cap-add=ALL|--cap-add\s+ALL|--cap-add=SYS_ADMIN|--cap-add\s+SYS_ADMIN/i.test(command)) {
+        return {
+            valid: false,
+            reason: "Dangerous capability addition detected (ALL or SYS_ADMIN). Privilege escalation vector.",
+        };
+    }
+    return { valid: true };
+}
+/**
+ * Fail-closed error for when sandbox is unavailable.
+ * OpenClaw #32384 - ensures commands are rejected when safety checks can't run.
+ */
+export class SandboxUnavailableError extends Error {
+    constructor(message = "Sandbox unavailable. Failing closed for security.") {
+        super(message);
+        this.name = "SandboxUnavailableError";
+    }
+}
+/**
+ * Wrap sandbox execution with fail-closed behavior.
+ * If sandbox checks cannot be performed, reject the command.
+ */
+export function withFailClosedSandbox(operation, context = "sandbox-execution") {
+    return operation().catch((error) => {
+        // Always fail closed - if we can't verify safety, reject
+        if (error instanceof SandboxUnavailableError) {
+            throw error;
+        }
+        // Wrap other errors as sandbox unavailable
+        throw new SandboxUnavailableError(`Sandbox check failed (${context}): ${error instanceof Error ? error.message : String(error)}. Failing closed.`);
+    });
+}
+/**
+ * Validate that a shell wrapper's inner executable matches approval.
+ */
+export function validateShellWrapper(params) {
+    const { command, approval } = params;
+    // Extract the actual executable from the command
+    const parts = command.trim().split(/\s+/);
+    if (parts.length === 0) {
+        return { valid: false, reason: "Empty command" };
+    }
+    const actualExecutable = parts[0];
+    // Check if executable matches approved inner executable
+    if (actualExecutable !== approval.innerExecutable) {
+        return {
+            valid: false,
+            reason: `Executable mismatch: approved "${approval.innerExecutable}", got "${actualExecutable}"`,
+        };
+    }
+    return { valid: true };
+}