@upx-us/shield 0.7.4 → 0.7.6
- package/CHANGELOG.md +14 -0
- package/dist/index.js +1 -2
- package/dist/src/config.d.ts +1 -0
- package/dist/src/config.js +14 -1
- package/dist/src/rpc/client.js +6 -0
- package/openclaw.plugin.json +1 -1
- package/package.json +1 -1
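--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## [0.7.6] — 2026-03-13
+
+### Security
+- **URL enforcement switched to allowlist** — plugin traffic is restricted to the Shield ingest endpoint. Any other URL is rejected and replaced with the default. No infrastructure details are disclosed in source.
+
+---
+
+## [0.7.5] — 2026-03-13
+
+### Security
+- **Block direct platform backend calls** — `loadCredentials()` now detects and overrides any `SHIELD_API_URL` pointing to a platform backend (legacy Replit URLs, `uss.upx.com`). Plugin traffic is enforced to only reach the Shield ingest proxy. A second-layer check in the RPC client rejects blocked URLs even if config loading is bypassed.
+- **Fix RPC `apiUrl` resolution** — RPC handlers now use the validated `apiUrl` from credentials instead of a non-existent config field (which silently fell through to `null`).
+
+---
 ## [0.7.4] — 2026-03-13
 
 ### Changed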
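--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -995,9 +995,8 @@ exports.default = {
 .catch((err) => respond(false, { error: err instanceof Error ? err.message : String(err) }));
 });
 const rpcCreds = (0, config_1.loadCredentials)();
-const rpcConfig = (0, config_1.loadConfig)({});
 const platformApiConfig = {
-apiUrl:
+apiUrl: rpcCreds?.apiUrl || null,
 instanceId: state.instanceId || rpcCreds?.instanceId || '',
 hmacSecret: rpcCreds?.hmacSecret || '',
 };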
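Review bot: `apiUrl: rpcCreds?.apiUrl || null` can no longer signal an unconfigured instance, because the `loadCredentials()` change in package/dist/src/config.js substitutes the default ingest URL whenever `SHIELD_API_URL` is empty, so the `|| null` fallback only fires if `rpcCreds` itself is nullish. If the "Platform API not configured" early return in `callPlatformApi` is keyed on a missing `apiUrl` (its condition is not visible on this page), that branch is now effectively unreachable and RPC calls would go out with the `''` fallbacks for `instanceId` and `hmacSecret`. Consider tying the URL to the presence of a secret, e.g. `apiUrl: rpcCreds?.hmacSecret ? rpcCreds.apiUrl : null,`. The enclosing `exports.default` object starts and ends outside the hunk.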
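--- a/package/dist/src/config.d.ts
+++ b/package/dist/src/config.d.ts
@@ -21,6 +21,7 @@ export declare function deriveAgentsDirFromInstallPath(startDir?: string): strin
 export declare const SHIELD_CONFIG_PATH: string;
 export declare function injectConfigEnv(): void;
 export declare function loadCredentials(): ShieldCredentials;
+export declare function enforceIngestUrl(url: string): string;
 export declare function loadCredentialsFromPluginConfig(_pluginConfig: Record<string, unknown>): ShieldCredentials;
 export interface ConfigOverrides {
 credentials?: ShieldCredentials;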
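--- a/package/dist/src/config.js
+++ b/package/dist/src/config.js
@@ -37,6 +37,7 @@ exports.SHIELD_CONFIG_PATH = void 0;
 exports.deriveAgentsDirFromInstallPath = deriveAgentsDirFromInstallPath;
 exports.injectConfigEnv = injectConfigEnv;
 exports.loadCredentials = loadCredentials;
+exports.enforceIngestUrl = enforceIngestUrl;
 exports.loadCredentialsFromPluginConfig = loadCredentialsFromPluginConfig;
 exports.loadConfig = loadConfig;
 const os_1 = require("os");
@@ -128,13 +129,25 @@ function loadCredentials() {
 }
 return val;
 }
+const rawApiUrl = process.env.SHIELD_API_URL || file.SHIELD_API_URL || '';
+const apiUrl = enforceIngestUrl(rawApiUrl);
 return {
-apiUrl
+apiUrl,
 hmacSecret: resolve('SHIELD_HMAC_SECRET', 'SHIELD_SECRET'),
 instanceId: resolve('SHIELD_INSTANCE_ID', 'SHIELD_FINGERPRINT'),
 shieldEnv: process.env.SHIELD_ENV || file.SHIELD_ENV || '',
 };
 }
+const CANONICAL_INGEST_URL = 'https://openclaw-shield.upx.com';
+function enforceIngestUrl(url) {
+if (!url || !url.startsWith(CANONICAL_INGEST_URL)) {
+if (url && url !== CANONICAL_INGEST_URL) {
+log.warn('config', `SHIELD_API_URL is not a permitted ingest endpoint — overriding with the default. Remove SHIELD_API_URL from your config to fix this permanently.`);
+}
+return CANONICAL_INGEST_URL;
+}
+return url;
+}
 function loadCredentialsFromPluginConfig(_pluginConfig) {
 return loadCredentials();
 }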
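Review bot: `enforceIngestUrl` decides with `url.startsWith(CANONICAL_INGEST_URL)`, which is a string-prefix test rather than an origin test, so a value that merely begins with that text (a longer hostname, or the canonical name appearing as the userinfo part of a URL) is returned unchanged even though it resolves to a different host. The same prefix comparison is repeated in `callPlatformApi` in package/dist/src/rpc/client.js, so the "second layer" shares the gap. Parse the value and compare its `origin` with `CANONICAL_INGEST_URL`, treating a parse failure as not permitted; the inner `url !== CANONICAL_INGEST_URL` test then becomes redundant and can be reduced to `if (url)`. This file appears to be build output, so the change presumably belongs in the TypeScript source it is compiled from.

```javascript
function enforceIngestUrl(url) {
    let origin = null;
    try {
        origin = url ? new URL(url).origin : null;
    }
    catch {
        origin = null; // unparseable values are treated as not permitted
    }
    if (origin !== CANONICAL_INGEST_URL) {
        if (url) {
            // … unchanged: log.warn about the overridden SHIELD_API_URL …
        }
        return CANONICAL_INGEST_URL;
    }
    return url;
}
```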
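--- a/package/dist/src/rpc/client.js
+++ b/package/dist/src/rpc/client.js
@@ -57,6 +57,12 @@ async function callPlatformApi(config, path, params, method) {
 error: 'Platform API not configured. This feature requires the Shield platform API which is not yet available for your instance. Check your Shield dashboard for updates.',
 };
 }
+if (!config.apiUrl.startsWith('https://openclaw-shield.upx.com')) {
+return {
+ok: false,
+error: 'Shield API URL is not the permitted ingest endpoint. Reconfigure Shield or contact support.',
+};
+}
 const url = new URL(path, config.apiUrl);
 const httpMethod = method || (params ? 'POST' : 'GET');
 if (httpMethod === 'GET' && params) {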
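Review bot: The new guard validates `config.apiUrl`, but the request target is the result of `new URL(path, config.apiUrl)` on the following line, and the URL constructor ignores the base when `path` is itself absolute or scheme-relative, so what is checked is not necessarily what is contacted. Whether `path` can ever be influenced by a caller is not visible in this hunk; checking the resolved value covers it either way: after `url` is constructed, add `if (url.origin !== 'https://openclaw-shield.upx.com') return { ok: false, error: 'Shield API URL is not the permitted ingest endpoint. Reconfigure Shield or contact support.' };`. It would also be safer to import the constant or `enforceIngestUrl` from the config module instead of repeating the literal here, so the two layers cannot drift apart. `callPlatformApi` begins and ends outside the hunk.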
package/openclaw.plugin.json
CHANGED
package/package.json
CHANGED