ocuclaw 1.3.3 → 1.3.4

package/dist/tools/glasses-ui-recipes.js

@@ -1,13 +1,3 @@
-// Recipe executors for glasses_ui_refresh. Kinds: http (in-process fetch),
-// llm (two HTTP API backends behind one dispatcher), and system-stats
-// (in-process node:os reads). All return either { output } or
-// { error: <string> }. The shell (spawn bash) and llm claude-cli
-// (spawn claude) backends were removed to drop the plugin's last
-// child_process spawn — see the backends comment in config/runtime-config.ts.
-//
-// output is `string` for plain text and `object` for JSON. The cron engine
-// hands `output` to the template engine which handles both shapes.
-
 import { totalmem, freemem, loadavg, cpus } from "node:os";
 import * as dns from "node:dns";
 import { Agent } from "undici";
@@ -46,11 +36,6 @@ function checkIpv4Tuple(a, b) {
   return null;
 }
 
-// Classify a resolved IP literal (as returned by dns.lookup). Reused both
-// by the URL-form check below and by the per-connection lookup that fires
-// when undici opens the socket — see safeLookup. For IPv4 we route through
-// checkIpv4Tuple; for IPv6 we additionally peel IPv4-mapped (::ffff:a.b.c.d)
-// and the hex-compressed IPv4-compat form that Node sometimes returns.
 function checkResolvedIp(address, family) {
   if (typeof address !== "string") return null;
   if (family === 4) {
@@ -78,24 +63,12 @@ function checkResolvedIp(address, family) {
     const r = checkIpv4Tuple((high >> 8) & 0xff, high & 0xff);
     return r ? `IPv4-compatible IPv6 (${r})` : null;
   }
-  // fe80::/10 spans fe80:: through febf:: — the top 10 bits are 1111111010,
-  // so the first byte is always 0xfe and the second byte ranges 0x80-0xbf.
-  // The canonical first hextet is therefore fe[89ab][0-9a-f] (the leading
-  // 'fe' is fixed, the third hex char is 8/9/a/b for the high two bits 10).
-  // The old startsWith("fe80:") check missed fe81::* through febf::*.
+
   if (/^fe[89ab][0-9a-f]:/.test(addr)) return "IPv6 link-local blocked";
   if (/^f[cd][0-9a-f]{2}:/.test(addr)) return "IPv6 ULA blocked";
   return null;
 }
 
-// Per-connection DNS lookup that undici calls just before opening the socket.
-// We resolve the hostname via the same resolver fetch would use, then check
-// EVERY returned address: if any resolves into a private/loopback/link-local
-// range, reject the whole hostname. Strict — split-horizon DNS that returns
-// public IPs at one moment and private at another can't slip past, because
-// we only ever connect via this lookup's returned address (no TOCTOU). TLS
-// SNI and certificate verification keep using the URL hostname downstream,
-// so https://public.example still validates against its public cert.
 export function makeSafeLookup(dnsLookup) {
   return function safeLookup(hostname, opts, cb) {
     const family = opts && typeof opts.family === "number" ? opts.family : 0;
@@ -127,26 +100,6 @@ const ssrfSafeDispatcher = new Agent({
   connect: { lookup: makeSafeLookup(dns.promises.lookup) },
 });
 
-// Block direct-IP requests to loopback, link-local (incl. 169.254.169.254
-// cloud-metadata IPs), RFC1918 private space, IPv6 ULA/link-local. This is
-// the cheap URL-form check that runs before any DNS — it rejects literal IPs
-// (including IPv4-mapped/compat IPv6) without a round-trip.
-//
-// Hostnames pass through this URL-form check by design; the second layer is
-// safeLookup() above, which undici invokes just before opening the socket.
-// That layer closes the real attack surface here:
-//   1. Static A record. evil.example with `A 127.0.0.1` (or 169.254.169.254,
-//      or an RFC1918 IP) — no DNS rebinding required, the agent just owns
-//      a domain.
-//   2. Operator's resolver context. evenclaw deployments may resolve names
-//      like grafana.internal or vault to private services the operator
-//      didn't realize the plugin could reach.
-//   3. Cloud-metadata uniformity. evil.example → 169.254.169.254 works on
-//      every AWS/GCP/Azure VM running OcuClaw.
-// safeLookup rejects the hostname if ANY resolved IP is private — strict, so
-// split-horizon DNS can't slip past either.
-//
-// Non-http(s) schemes (file:, gopher:, ftp:, data:) are rejected outright.
 function isForbiddenHttpDestination(urlString) {
   let parsed;
   try {
@@ -158,33 +111,28 @@ function isForbiddenHttpDestination(urlString) {
   if (proto !== "http:" && proto !== "https:") {
     return `disallowed scheme: ${proto}`;
   }
-  // Node's WHATWG URL.hostname may or may not strip the IPv6 brackets across
-  // versions; normalize by stripping them ourselves so the IPv6 checks below
-  // work regardless.
+
   const rawHost = parsed.hostname.toLowerCase();
   const host = rawHost.startsWith("[") && rawHost.endsWith("]")
     ? rawHost.slice(1, -1)
     : rawHost;
-  // Common loopback aliases.
+
   if (host === "localhost" || host === "ip6-localhost" || host === "ip6-loopback") {
     return "loopback hostname blocked";
   }
-  // IPv4 dotted quad?
+
   const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
   if (v4) {
     return checkIpv4Tuple(Number(v4[1]), Number(v4[2]));
   }
-  // Bare hex IPv4 like 0x7f000001 — refuse anything that looks numeric.
+
   if (/^[0-9a-f.x]+$/.test(host) && /^\d/.test(host) && !host.includes(":")) {
     return "ambiguous numeric host blocked";
   }
-  // IPv6? URL.hostname strips brackets but keeps colons.
+
   if (host.includes(":")) {
     if (host === "::" || host === "::1") return "IPv6 loopback/unspecified blocked";
-    // IPv4-mapped IPv6 (RFC 4291 §2.5.5.2): ::ffff:a.b.c.d (dotted) or
-    // ::ffff:XXXX:YYYY (hex). Also IPv4-compatible (deprecated): ::a.b.c.d.
-    // All of these resolve to an IPv4 destination — extract the embedded
-    // IPv4 and run it through the IPv4 rules so the bypass closes.
+
     const mappedDotted = host.match(/^::(?:ffff:)?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
     if (mappedDotted) {
       const reason = checkIpv4Tuple(Number(mappedDotted[1]), Number(mappedDotted[2]));
@@ -200,11 +148,7 @@ function isForbiddenHttpDestination(urlString) {
       if (reason) return `IPv4-mapped IPv6 blocked (${reason})`;
       return null;
     }
-    // IPv4-compatible IPv6 (deprecated, RFC 4291 §2.5.5.1): ::XXXX:YYYY
-    // Node's URL parser normalizes ::a.b.c.d to this compressed-hex form, so
-    // the dotted regex above never fires for compat addresses — handle it
-    // here. Excludes the IPv4-mapped case (caught above) and the IPv6
-    // loopback ::1 (caught earlier as an exact match).
+
     const compatHex = host.match(/^::([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
     if (compatHex) {
       const high = parseInt(compatHex[1], 16);
@@ -214,7 +158,7 @@ function isForbiddenHttpDestination(urlString) {
       if (reason) return `IPv4-compatible IPv6 blocked (${reason})`;
       return null;
     }
-    // fe80::/10 spans fe80:: through febf:: — see comment in checkResolvedIp.
+
     if (/^fe[89ab][0-9a-f]:/.test(host)) return "IPv6 link-local blocked";
     if (/^f[cd][0-9a-f]{2}:/.test(host)) return "IPv6 ULA blocked";
     return null;
@@ -224,7 +168,7 @@ function isForbiddenHttpDestination(urlString) {
 
 function resolveJsonPath(value, jsonPath) {
   if (!jsonPath || typeof jsonPath !== "string") return value;
-  // Minimal JSONPath: only "$.a.b.c" and "$.a[0].b" shapes.
+
   const expr = jsonPath.trim();
   if (!expr.startsWith("$")) return value;
   const rest = expr.slice(1).replace(/\[(\d+)\]/g, ".$1");
@@ -244,23 +188,80 @@ function resolveJsonPath(value, jsonPath) {
   return cursor;
 }
 
+export function normalizeHttpAllowHosts(list) {
+  if (!Array.isArray(list)) return [];
+  return list
+    .filter((p) => typeof p === "string")
+    .map((p) => p.trim().toLowerCase().replace(/\.+$/, ""))
+    .filter((p) => p.length > 0);
+}
+
+export function isHttpHostAllowed(hostname, allowList) {
+  if (!Array.isArray(allowList) || allowList.length === 0) return false;
+  if (typeof hostname !== "string" || !hostname) return false;
+  const host = hostname.trim().toLowerCase().replace(/\.+$/, "");
+  if (!host) return false;
+  return allowList.some((p) =>
+    p.startsWith(".") ? host === p.slice(1) || host.endsWith(p) : host === p,
+  );
+}
+
+const CROSS_ORIGIN_STRIP_HEADERS = new Set([
+  "authorization",
+  "cookie",
+  "proxy-authorization",
+  "x-api-key",
+  "api-key",
+  "x-auth-token",
+  "x-access-token",
+  "x-amz-security-token",
+]);
+const CREDENTIALISH_HEADER_RE = /(^|-)(api|auth|access|secret|session)(-|key|token|$)/i;
+
+function stripCrossOriginHeaders(headers) {
+  const out = {};
+  for (const key of Object.keys(headers || {})) {
+    const lower = key.toLowerCase();
+    if (CROSS_ORIGIN_STRIP_HEADERS.has(lower)) continue;
+    if (CREDENTIALISH_HEADER_RE.test(lower)) continue;
+    out[key] = headers[key];
+  }
+  return out;
+}
+
+function sameOrigin(a, b) {
+  try {
+    return new URL(a).origin === new URL(b).origin;
+  } catch (_) {
+    return false;
+  }
+}
+
 export async function executeHttpRecipe(params, opts) {
   const url = params && typeof params.url === "string" ? params.url : "";
   if (!url) return { error: "http recipe missing url" };
-  // The SSRF guard is enabled by default for all production callers (the cron
-  // engine invokes executeHttpRecipe(recipe) with no second argument). Tests
-  // that spin up their own loopback HTTP server opt out via
-  // executeHttpRecipe(recipe, { allowPrivateNetworks: true }). The recipe
-  // schema deliberately does NOT include this flag, so agents can't bypass.
+
   if (!(opts && opts.allowPrivateNetworks === true)) {
     const forbidden = isForbiddenHttpDestination(url);
     if (forbidden) {
       return { error: `http recipe destination blocked: ${forbidden}` };
     }
   }
+
+  const allowHosts = opts && Array.isArray(opts.allowHosts) ? opts.allowHosts : null;
+  if (allowHosts) {
+    let initialHost = "";
+    try { initialHost = new URL(url).hostname; } catch (_) {}
+    if (!isHttpHostAllowed(initialHost, allowHosts)) {
+      return { error: `http recipe destination not in allowlist: ${initialHost || url}` };
+    }
+  }
   const method = params && typeof params.method === "string" ? params.method.toUpperCase() : "GET";
   const headers = params && params.headers && typeof params.headers === "object" ? params.headers : {};
   const body = method !== "GET" && method !== "HEAD" ? params && params.body : undefined;
+
+  let requestHeaders = headers;
+  let requestBody = body;
   const timeoutMs = Number.isFinite(params && params.timeoutMs)
     ? params.timeoutMs
     : DEFAULT_TIMEOUT_MS;
@@ -270,12 +271,7 @@ export async function executeHttpRecipe(params, opts) {
   const jsonPath = params && typeof params.jsonPath === "string" ? params.jsonPath : "";
 
   const fetchFn = opts && typeof opts.fetch === "function" ? opts.fetch : fetch;
-  // The dispatcher carries the per-connection DNS lookup (safeLookup) that
-  // resolves hostnames and blocks any that point at private IPs — see the
-  // comment block on isForbiddenHttpDestination. Production callers default
-  // to the module-level ssrfSafeDispatcher; the test seam accepts an
-  // injected dispatcher (e.g. one built with a canned lookup) so the lookup
-  // check can be exercised without real DNS.
+
   const dispatcher =
     opts && opts.dispatcher !== undefined ? opts.dispatcher : ssrfSafeDispatcher;
   const controller = new AbortController();
@@ -283,24 +279,19 @@ export async function executeHttpRecipe(params, opts) {
   const allowPrivate = opts && opts.allowPrivateNetworks === true;
   const MAX_REDIRECTS = 3;
   try {
-    // Manual redirect handling — fetch's default redirect: "follow" lets a
-    // public attacker-controlled domain return a 302 → http://169.254.169.254/
-    // after the one-shot URL check. Validate every hop. Capped at 3 to
-    // bound effort and prevent loops.
+
     let currentUrl = url;
     let response = null;
     let hop = 0;
     while (true) {
       const fetchInit = {
         method,
-        headers,
-        body,
+        headers: requestHeaders,
+        body: requestBody,
         signal: controller.signal,
         redirect: "manual",
       };
-      // Only attach a dispatcher when it's defined and non-null. Injected
-      // tests that pass `dispatcher: null` explicitly opt out (e.g. to use
-      // a mock fetch with no networking at all).
+
       if (dispatcher) fetchInit.dispatcher = dispatcher;
       response = await fetchFn(currentUrl, fetchInit);
       if (response.status >= 300 && response.status < 400) {
@@ -323,7 +314,20 @@ export async function executeHttpRecipe(params, opts) {
             return { error: `http recipe redirect destination blocked: ${forbidden}` };
           }
         }
-        // Drain the redirect body to free the socket before the next hop.
+
+        if (allowHosts) {
+          let nextHost = "";
+          try { nextHost = new URL(nextUrl).hostname; } catch (_) {}
+          if (!isHttpHostAllowed(nextHost, allowHosts)) {
+            return { error: `http recipe redirect destination not in allowlist: ${nextHost || nextUrl}` };
+          }
+        }
+
+        if (!sameOrigin(currentUrl, nextUrl)) {
+          requestHeaders = stripCrossOriginHeaders(requestHeaders);
+          requestBody = undefined;
+        }
+
         try { await response.arrayBuffer(); } catch (_) {}
         currentUrl = nextUrl;
         hop += 1;
@@ -375,10 +379,7 @@ export async function executeHttpRecipe(params, opts) {
     if (err && err.name === "AbortError") {
       return { error: `http recipe timeout after ${timeoutMs}ms` };
     }
-    // undici wraps connect-time errors (including our safeLookup rejections)
-    // as `TypeError: fetch failed` with the real reason on err.cause. Surface
-    // the cause so SSRF-guard rejections are visible to the operator and
-    // testable.
+
     const msg = err && err.message ? err.message : String(err);
     const causeMsg = err && err.cause && err.cause.message ? err.cause.message : "";
     const full = causeMsg ? `${msg}: ${causeMsg}` : msg;
@@ -397,12 +398,6 @@ function stripModelProviderPrefix(modelRef) {
   return idx === -1 ? modelRef : modelRef.slice(idx + 1);
 }
 
-// Both CLI-spawn backends (codex-cli, claude-cli) were removed to eliminate
-// the plugin's last child_process spawn — see the backends comment in
-// config/runtime-config.ts for the rationale and the deferred native-delegation
-// track. Operators who want those providers point an *-api backend at the
-// provider endpoint (key resolved via the host modelAuth, tool-less).
-
 async function runAnthropicApi(params, deps) {
   const fetchFn = deps && deps.fetch ? deps.fetch : fetch;
   if (!params.apiKey) return { error: "anthropic-api: missing api key" };
@@ -516,10 +511,6 @@ export function executeLlmRecipe(recipe, ctx) {
   return executeLlmRecipeWithDeps(recipe, ctx, {});
 }
 
-// L0' tier: host RAM/CPU via in-process node:os reads. No shell (a sandboxed
-// `free -m` would report the container's view, not the host's). CPU% is a delta
-// over a short window — os.loadavg() is run-queue length, not utilization. Deps
-// (totalmem/freemem/loadavg/cpus/sleep) are injectable for deterministic tests.
 export function computeCpuPct(t0, t1) {
   let idleDelta = 0;
   let totalDelta = 0;