mohuclaw 1.0.1

package/scripts/check/execution_sandbox.sh

@@ -0,0 +1,502 @@
+# shellcheck shell=bash
+
+# ------------------------------------------------------------
+# Shared helpers
+# ------------------------------------------------------------
+
+OPENCLAW_PRESENT=false
+if command -v openclaw >/dev/null 2>&1; then
+    OPENCLAW_PRESENT=true
+fi
+
+OC_VERSION="unknown"
+PARSED_OC_VERSION=""
+OC_MAJOR=""
+OC_MINOR=""
+OC_PATCH=""
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    OC_VERSION="$(run_with_timeout 5 openclaw --version 2>/dev/null || echo "unknown")"
+    PARSED_OC_VERSION="$(echo "$OC_VERSION" | grep -oE '[0-9]{4}\.[0-9]+\.[0-9]+' | head -1 || true)"
+    if [ -n "$PARSED_OC_VERSION" ]; then
+        OC_MAJOR="$(echo "$PARSED_OC_VERSION" | cut -d'.' -f1)"
+        OC_MINOR="$(echo "$PARSED_OC_VERSION" | cut -d'.' -f2)"
+        OC_PATCH="$(echo "$PARSED_OC_VERSION" | cut -d'.' -f3)"
+    fi
+fi
+
+get_oc_config() {
+    # Usage: get_oc_config <key> <default>
+    local key="$1"
+    local default_val="${2:-}"
+    if [ "$OPENCLAW_PRESENT" = true ]; then
+        run_with_timeout 10 openclaw config get "$key" 2>/dev/null || echo "$default_val"
+    else
+        echo "$default_val"
+    fi
+}
+
+version_ge() {
+    # Usage: version_ge <major> <minor> <patch>
+    local t_major="$1"
+    local t_minor="$2"
+    local t_patch="$3"
+
+    if [ -z "$PARSED_OC_VERSION" ]; then
+        return 1
+    fi
+
+    if [ "$OC_MAJOR" -gt "$t_major" ] 2>/dev/null; then
+        return 0
+    fi
+    if [ "$OC_MAJOR" -lt "$t_major" ] 2>/dev/null; then
+        return 1
+    fi
+
+    if [ "$OC_MINOR" -gt "$t_minor" ] 2>/dev/null; then
+        return 0
+    fi
+    if [ "$OC_MINOR" -lt "$t_minor" ] 2>/dev/null; then
+        return 1
+    fi
+
+    if [ "$OC_PATCH" -ge "$t_patch" ] 2>/dev/null; then
+        return 0
+    fi
+
+    return 1
+}
+
+version_lt() {
+    # Usage: version_lt <major> <minor> <patch>
+    if [ -z "$PARSED_OC_VERSION" ]; then
+        return 1
+    fi
+    if version_ge "$1" "$2" "$3"; then
+        return 1
+    fi
+    return 0
+}
+
+get_perm() {
+    local target="$1"
+
+    [ -e "$target" ] || {
+        echo "unknown"
+        return
+    }
+
+    case "$(uname -s)" in
+        Darwin|FreeBSD|OpenBSD|NetBSD)
+            stat -f '%Lp' "$target" 2>/dev/null || echo "unknown"
+            ;;
+        Linux)
+            stat -c '%a' "$target" 2>/dev/null || echo "unknown"
+            ;;
+        *)
+            stat -c '%a' "$target" 2>/dev/null || stat -f '%Lp' "$target" 2>/dev/null || echo "unknown"
+            ;;
+    esac
+}
+
+# ============================================================
+# CHECK 1 (origin 18): Tool Policy / Elevated Tools Audit
+# ============================================================
+header 1 "Auditing tool policies and elevated access..."
+
+TOOL_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    ELEVATED="$(get_oc_config "tools.elevated.enabled" "")"
+    if [ "$ELEVATED" = "true" ]; then
+        ELEVATED_ALLOW="$(get_oc_config "tools.elevated.allowFrom" "")"
+        if echo "$ELEVATED_ALLOW" | grep -qE '"\*"|\*' 2>/dev/null; then
+            result_critical "Elevated tools enabled with wildcard allowFrom"
+            TOOL_ISSUES=$((TOOL_ISSUES + 1))
+        else
+            log "  INFO: Elevated tools enabled with restricted allowFrom"
+        fi
+    fi
+
+    DENY_LIST="$(get_oc_config "tools.deny" "")"
+    if [ -z "$DENY_LIST" ] || [ "$DENY_LIST" = "[]" ] || [ "$DENY_LIST" = "null" ]; then
+        result_warn "No tools in deny list (consider blocking high-risk tools such as exec/process/browser)"
+        TOOL_ISSUES=$((TOOL_ISSUES + 1))
+    fi
+fi
+
+if [ "$TOOL_ISSUES" -eq 0 ]; then
+    result_clean "Tool policies acceptable"
+fi
+
+# ============================================================
+# CHECK 2 (origin 26): Exec-Approvals Configuration
+# ============================================================
+header 2 "Auditing exec-approvals configuration..."
+
+EXEC_ISSUES=0
+EXEC_FILE="$OPENCLAW_DIR/exec-approvals.json"
+
+if [ -f "$EXEC_FILE" ]; then
+    UNSAFE_EXEC="$(grep -iE '"security"\s*:\s*"allow"|"ask"\s*:\s*"off"|"allowlist"\s*:\s*\[\s*\]' "$EXEC_FILE" 2>/dev/null || true)"
+    if [ -n "$UNSAFE_EXEC" ]; then
+        result_critical "Exec-approvals has unsafe configuration"
+        log "$UNSAFE_EXEC"
+        EXEC_ISSUES=$((EXEC_ISSUES + 1))
+    fi
+
+    EXEC_PERMS="$(get_perm "$EXEC_FILE")"
+    if [ "$EXEC_PERMS" != "600" ] && [ "$EXEC_PERMS" != "unknown" ]; then
+        result_warn "exec-approvals.json has permissions $EXEC_PERMS (recommended: 600)"
+        EXEC_ISSUES=$((EXEC_ISSUES + 1))
+    fi
+fi
+
+if [ "$EXEC_ISSUES" -eq 0 ]; then
+    result_clean "Exec-approvals configuration acceptable"
+fi
+
+# ============================================================
+# CHECK 3 (origin 27 + EXEC-005/006/007): Docker Container Security
+# ============================================================
+header 3 "Auditing Docker container security..."
+
+DOCKER_ISSUES=0
+
+if command -v docker >/dev/null 2>&1; then
+    OC_CONTAINERS="$(docker ps --format '{{.Names}} {{.Image}}' 2>/dev/null | grep -iE 'openclaw|clawdbot|moltbot' || true)"
+    if [ -n "$OC_CONTAINERS" ]; then
+        while IFS= read -r container_line; do
+            [ -z "$container_line" ] && continue
+            CNAME="$(echo "$container_line" | awk '{print $1}')"
+
+            CUSER="$(docker inspect --format '{{.Config.User}}' "$CNAME" 2>/dev/null || echo "")"
+            if [ -z "$CUSER" ] || [ "$CUSER" = "root" ] || [ "$CUSER" = "0" ]; then
+                result_warn "Container '$CNAME' running as root"
+                DOCKER_ISSUES=$((DOCKER_ISSUES + 1))
+            fi
+
+            DSOCK="$(docker inspect --format '{{range .Mounts}}{{.Source}} {{end}}' "$CNAME" 2>/dev/null | grep 'docker.sock' || true)"
+            if [ -n "$DSOCK" ]; then
+                result_critical "Container '$CNAME' has Docker socket mounted (container escape risk)"
+                DOCKER_ISSUES=$((DOCKER_ISSUES + 1))
+            fi
+
+            PRIV="$(docker inspect --format '{{.HostConfig.Privileged}}' "$CNAME" 2>/dev/null || echo "")"
+            if [ "$PRIV" = "true" ]; then
+                result_critical "Container '$CNAME' is running in privileged mode"
+                DOCKER_ISSUES=$((DOCKER_ISSUES + 1))
+            fi
+
+            # EXEC-005: cap_drop should include ALL
+            CAP_DROP_ALL="$(docker inspect --format '{{range .HostConfig.CapDrop}}{{println .}}{{end}}' "$CNAME" 2>/dev/null || true)"
+            if ! echo "$CAP_DROP_ALL" | grep -qx 'ALL'; then
+                result_warn "Container '$CNAME' retains Linux capabilities (cap_drop does not include ALL)"
+                DOCKER_ISSUES=$((DOCKER_ISSUES + 1))
+            fi
+
+            # EXEC-006: no-new-privileges:true should be enabled
+            SECURITY_OPTS="$(docker inspect --format '{{range .HostConfig.SecurityOpt}}{{println .}}{{end}}' "$CNAME" 2>/dev/null || true)"
+            if ! echo "$SECURITY_OPTS" | grep -qx 'no-new-privileges:true'; then
+                result_warn "Container '$CNAME' allows privilege escalation (security_opt missing no-new-privileges:true)"
+                DOCKER_ISSUES=$((DOCKER_ISSUES + 1))
+            fi
+
+            # EXEC-007: network_mode should not be host
+            NETWORK_MODE="$(docker inspect --format '{{.HostConfig.NetworkMode}}' "$CNAME" 2>/dev/null || echo "")"
+            if [ "$NETWORK_MODE" = "host" ]; then
+                result_critical "Container '$CNAME' uses host network mode (bypasses network isolation)"
+                DOCKER_ISSUES=$((DOCKER_ISSUES + 1))
+            fi
+        done <<EOF
+$OC_CONTAINERS
+EOF
+    else
+        log "  No OpenClaw-related Docker containers detected"
+    fi
+fi
+
+if [ "$DOCKER_ISSUES" -eq 0 ]; then
+    result_clean "Docker security acceptable"
+fi
+
+# ============================================================
+# CHECK 4 (origin 35): Exec safeBins Validation Bypass
+# ============================================================
+header 4 "Checking exec safeBins bypass (CVE-2026-28363)..."
+
+SAFEBINS_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    if version_lt 2026 2 23; then
+        result_critical "OpenClaw v$OC_VERSION vulnerable to CVE-2026-28363 (safeBins bypass via sort --compress-prog). Update to v2026.2.23+"
+        SAFEBINS_ISSUES=$((SAFEBINS_ISSUES + 1))
+    fi
+
+    SAFE_BINS="$(get_oc_config "tools.exec.safeBins" "")"
+    if echo "$SAFE_BINS" | grep -q '"sort"' 2>/dev/null; then
+        log "  INFO: 'sort' is in safeBins list (ensure v2026.2.23+)"
+    fi
+fi
+
+if [ "$SAFEBINS_ISSUES" -eq 0 ]; then
+    result_clean "Exec safeBins validation acceptable"
+fi
+
+# ============================================================
+# CHECK 5 (origin 37): PATH Hijacking / Command Hijacking
+# ============================================================
+header 5 "Checking PATH hijacking risk (GHSA-jqpq)..."
+
+PATH_ISSUES=0
+
+IFS=':' read -r -a PATH_DIRS <<< "${PATH:-}"
+
+for PDIR in "${PATH_DIRS[@]}"; do
+    [ -z "$PDIR" ] && continue
+    if [ -d "$PDIR" ] && [ -w "$PDIR" ]; then
+        case "$PDIR" in
+            "$HOME/bin"|"$HOME/.local/bin"|"$HOME/.cargo/bin"|"$HOME/go/bin")
+                continue
+                ;;
+        esac
+
+        for CMD in node python3 bash curl git ssh openclaw; do
+            if [ -f "$PDIR/$CMD" ] && [ -x "$PDIR/$CMD" ]; then
+                SYS_BIN="$(which -a "$CMD" 2>/dev/null | tail -1 || true)"
+                if [ -n "$SYS_BIN" ] && [ "$PDIR/$CMD" != "$SYS_BIN" ]; then
+                    result_critical "PATH hijack: $PDIR/$CMD shadows system $SYS_BIN (GHSA-jqpq)"
+                    PATH_ISSUES=$((PATH_ISSUES + 1))
+                fi
+            fi
+        done
+    fi
+done
+
+if [ -d "$WORKSPACE_DIR" ]; then
+    PLANTED="$(find "$WORKSPACE_DIR" -maxdepth 3 -type f \( -name "node" -o -name "python3" -o -name "bash" -o -name "curl" -o -name "git" \) 2>/dev/null | head -5 || true)"
+    if [ -n "$PLANTED" ]; then
+        while IFS= read -r pbin; do
+            [ -z "$pbin" ] && continue
+            if [ -x "$pbin" ]; then
+                result_critical "Planted executable in workspace: $pbin (PATH hijack vector)"
+                PATH_ISSUES=$((PATH_ISSUES + 1))
+            fi
+        done <<EOF
+$PLANTED
+EOF
+    fi
+fi
+
+if [ "$PATH_ISSUES" -eq 0 ]; then
+    result_clean "No PATH hijacking indicators found"
+fi
+
+# ============================================================
+# CHECK 6 (origin 43): Exec-Approvals Shell Expansion Bypass
+# ============================================================
+header 6 "Checking exec-approvals shell expansion bypass (CVE-2026-28463)..."
+
+SHEXP_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    if version_lt 2026 2 14; then
+        result_critical "Exec-approvals shell expansion bypass (CVE-2026-28463). Update to v2026.2.14+"
+        SHEXP_ISSUES=$((SHEXP_ISSUES + 1))
+    fi
+
+    SAFE_BINS="$(get_oc_config "tools.exec.safeBins" "")"
+    for RBIN in head tail grep cat; do
+        if echo "$SAFE_BINS" | grep -q "\"$RBIN\"" 2>/dev/null; then
+            log "  INFO: '$RBIN' in safeBins - ensure v2026.2.14+"
+        fi
+    done
+fi
+
+if [ "$SHEXP_ISSUES" -eq 0 ]; then
+    result_clean "Exec-approvals shell expansion handling acceptable"
+fi
+
+# ============================================================
+# CHECK 7 (origin 44): Approval Field Injection / Exec Gating Bypass
+# ============================================================
+header 7 "Checking approval field injection bypass (CVE-2026-28466)..."
+
+AFI_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    if version_lt 2026 2 14; then
+        result_critical "Approval field injection bypass (CVE-2026-28466). Update to v2026.2.14+"
+        AFI_ISSUES=$((AFI_ISSUES + 1))
+    fi
+fi
+
+if [ "$AFI_ISSUES" -eq 0 ]; then
+    result_clean "Approval field sanitization acceptable"
+fi
+
+# ============================================================
+# CHECK 8 (origin 42): Browser Control API Path Traversal
+# ============================================================
+header 8 "Checking browser control path traversal (CVE-2026-28462)..."
+
+BCTRL_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    if version_lt 2026 2 13; then
+        result_critical "Browser control API path traversal (CVE-2026-28462). Update to v2026.2.13+"
+        BCTRL_ISSUES=$((BCTRL_ISSUES + 1))
+    fi
+fi
+
+if [ "$BCTRL_ISSUES" -eq 0 ]; then
+    result_clean "Browser control path handling acceptable"
+fi
+
+# ============================================================
+# CHECK 9 (origin 47): TAR Archive Path Traversal
+# ============================================================
+header 9 "Checking TAR archive path traversal (CVE-2026-28453)..."
+
+TAR_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    if version_lt 2026 2 14; then
+        result_critical "TAR archive path traversal (CVE-2026-28453). Update to v2026.2.14+"
+        TAR_ISSUES=$((TAR_ISSUES + 1))
+    fi
+fi
+
+if [ "$TAR_ISSUES" -eq 0 ]; then
+    result_clean "TAR archive handling acceptable"
+fi
+
+# ============================================================
+# CHECK 10 (origin 19): Sandbox Configuration
+# ============================================================
+header 10 "Checking sandbox configuration..."
+
+SANDBOX_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    SANDBOX_MODE="$(get_oc_config "sandbox.mode" "")"
+    if [ "$SANDBOX_MODE" = "off" ] || [ "$SANDBOX_MODE" = "none" ]; then
+        result_warn "Sandbox mode is disabled (recommended: mode='all')"
+        SANDBOX_ISSUES=$((SANDBOX_ISSUES + 1))
+    elif [ -n "$SANDBOX_MODE" ]; then
+        log "  Sandbox mode: $SANDBOX_MODE"
+    fi
+
+    WORKSPACE_ACCESS="$(get_oc_config "sandbox.workspaceAccess" "")"
+    if [ "$WORKSPACE_ACCESS" = "rw" ]; then
+        log "  INFO: Sandbox workspace access is read-write"
+    fi
+fi
+
+if [ "$SANDBOX_ISSUES" -eq 0 ]; then
+    result_clean "Sandbox configuration acceptable"
+fi
+
+# ============================================================
+# CHECK 11 (origin 28): Node.js Version / Known CVEs
+# ============================================================
+header 11 "Checking Node.js version for known CVEs..."
+
+NODE_ISSUES=0
+
+if command -v node >/dev/null 2>&1; then
+    NODE_VER="$(node --version 2>/dev/null | sed 's/^v//')"
+    NODE_MAJOR="$(echo "$NODE_VER" | cut -d. -f1)"
+    NODE_MINOR="$(echo "$NODE_VER" | cut -d. -f2)"
+    NODE_PATCH="$(echo "$NODE_VER" | cut -d. -f3)"
+    log "  Node.js version: v$NODE_VER"
+
+    if [ -n "$NODE_MAJOR" ] && [ "$NODE_MAJOR" -eq 22 ] 2>/dev/null && [ -n "$NODE_MINOR" ] && [ "$NODE_MINOR" -lt 12 ] 2>/dev/null; then
+        result_warn "Node.js v$NODE_VER is vulnerable to CVE-2026-21636 (permission model bypass). Upgrade to 22.12.0+"
+        NODE_ISSUES=$((NODE_ISSUES + 1))
+    elif [ -n "$NODE_MAJOR" ] && [ "$NODE_MAJOR" -lt 22 ] 2>/dev/null; then
+        result_warn "Node.js v$NODE_VER is below recommended v22 LTS"
+        NODE_ISSUES=$((NODE_ISSUES + 1))
+    fi
+else
+    log "  Node.js not found"
+fi
+
+if [ "$NODE_ISSUES" -eq 0 ]; then
+    result_clean "Node.js version acceptable"
+fi
+
+# ============================================================
+# CHECK 12 (origin 24): Log Redaction Audit
+# ============================================================
+header 12 "Checking log redaction settings..."
+
+LOG_ISSUES=0
+
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    REDACT="$(get_oc_config "logging.redactSensitive" "")"
+    if [ "$REDACT" = "off" ] || [ "$REDACT" = "false" ] || [ "$REDACT" = "none" ]; then
+        result_warn "Log redaction is disabled (sensitive data may leak to logs)"
+        LOG_ISSUES=$((LOG_ISSUES + 1))
+    elif [ -n "$REDACT" ]; then
+        log "  Log redaction: $REDACT"
+    fi
+
+    GW_LOG="/tmp/openclaw"
+    if [ -d "$GW_LOG" ]; then
+        GW_LOG_PERMS="$(get_perm "$GW_LOG")"
+        if [ "$GW_LOG_PERMS" != "700" ] && [ "$GW_LOG_PERMS" != "750" ] && [ "$GW_LOG_PERMS" != "unknown" ]; then
+            result_warn "Gateway log dir /tmp/openclaw has permissions $GW_LOG_PERMS (recommended: 700)"
+            LOG_ISSUES=$((LOG_ISSUES + 1))
+        fi
+    fi
+fi
+
+if [ "$LOG_ISSUES" -eq 0 ]; then
+    result_clean "Log redaction settings acceptable"
+fi
+
+# ============================================================
+# CHECK 13 (origin 22): Persistence Mechanism Scan
+# ============================================================
+header 13 "Scanning for unauthorized persistence mechanisms..."
+
+PERSIST_ISSUES=0
+
+if [ -d "$HOME/Library/LaunchAgents" ]; then
+    SUSPICIOUS_AGENTS="$(find "$HOME/Library/LaunchAgents" -name "*.plist" -exec grep -liE 'openclaw|clawdbot|moltbot' {} \; 2>/dev/null || true)"
+    if [ -n "$SUSPICIOUS_AGENTS" ]; then
+        log "  LaunchAgents referencing OpenClaw-related strings:"
+        log "$SUSPICIOUS_AGENTS"
+
+        while IFS= read -r agent; do
+            [ -z "$agent" ] && continue
+            if ! grep -q "com.openclaw.security-dashboard" "$agent" 2>/dev/null; then
+                AGENT_LABEL="$(grep -A1 '<key>Label</key>' "$agent" 2>/dev/null | tail -1 | sed 's/.*<string>\(.*\)<\/string>.*/\1/' || true)"
+                result_warn "Unknown LaunchAgent: ${AGENT_LABEL:-unknown} ($(basename "$agent"))"
+                PERSIST_ISSUES=$((PERSIST_ISSUES + 1))
+            fi
+        done <<EOF
+$SUSPICIOUS_AGENTS
+EOF
+    fi
+fi
+
+CRON_ENTRIES="$(crontab -l 2>/dev/null | grep -ivE "${SELF_DIR_NAME}|#" | grep -iE 'openclaw|clawdbot|moltbot|curl.*\|.*sh|wget.*\|.*bash' || true)"
+if [ -n "$CRON_ENTRIES" ]; then
+    result_warn "Suspicious cron entries found"
+    log "$CRON_ENTRIES"
+    PERSIST_ISSUES=$((PERSIST_ISSUES + 1))
+fi
+
+if command -v systemctl >/dev/null 2>&1; then
+    SYS_SERVICES="$(systemctl --user list-units --type=service --all 2>/dev/null | grep -iE 'openclaw|clawdbot|moltbot' | grep -v "$SELF_DIR_NAME" || true)"
+    if [ -n "$SYS_SERVICES" ]; then
+        log "  User systemd services referencing OpenClaw-related strings:"
+        log "$SYS_SERVICES"
+    fi
+fi
+
+if [ "$PERSIST_ISSUES" -eq 0 ]; then
+    result_clean "No unauthorized persistence mechanisms"
+fi