openclaw-node-harness 2.1.0 → 2.2.0

package/lib/exec-safety.js

@@ -0,0 +1,163 @@
+/**
+ * exec-safety.js — Shared command safety filtering for mesh exec.
+ *
+ * Used by both CLI-side (mesh.js) and server-side (NATS exec handler)
+ * to block destructive or unauthorized commands before execution.
+ *
+ * Two layers:
+ *   1. DESTRUCTIVE_PATTERNS — blocklist of known-dangerous patterns
+ *   2. ALLOWED_PREFIXES — allowlist for server-side execution (opt-in)
+ */
+
+'use strict';
+
+// Shell metacharacter detection — blocks command chaining/injection.
+// Safe pipes to common read-only utilities are allowed.
+const SHELL_CHAIN_PATTERNS = /[\n\r\0;`]|\$\(|\|\||&&|<\(|>\(|<<|>>|>\s|\|(?!\s*grep\b|\s*head\b|\s*tail\b|\s*wc\b|\s*sort\b)/;
+
+function containsShellChaining(cmd) {
+  // Allow safe pipes to common read-only utilities
+  return SHELL_CHAIN_PATTERNS.test(cmd);
+}
+
+// Dangerous flags that allow arbitrary code execution via node
+const DANGEROUS_NODE_FLAGS = /\bnode\s+(-e\b|--eval\b|-p\b|--print\b|-r\b|--require\b|--import\b|--loader\b|--experimental-loader\b)/;
+
+// Dangerous git flags that allow arbitrary config / code execution
+const DANGEROUS_GIT_FLAGS = /\bgit\s+(-c\s|--config\s)/;
+
+// Dangerous find flags that allow arbitrary command execution
+const DANGEROUS_FIND_FLAGS = /\bfind\b.*\s(-exec\b|-execdir\b|-delete\b|-ok\b|-okdir\b)/;
+
+// Dangerous make variable overrides (SHELL=, CC=, etc.)
+const DANGEROUS_MAKE_FLAGS = /\bmake\b.*\b(SHELL|CC|CXX|LD|AR)=/;
+
+// Dangerous python flags that allow arbitrary code execution
+const DANGEROUS_PYTHON_FLAGS = /\bpython3?\s+(-c\b|-m\s+http)/;
+
+const DESTRUCTIVE_PATTERNS = [
+  /\brm\s+(-[a-zA-Z]*)?r[a-zA-Z]*f/,      // rm -rf, rm -fr, rm --recursive --force
+  /\brm\s+(-[a-zA-Z]*)?f[a-zA-Z]*r/,       // rm -fr variants
+  /\bmkfs\b/,                                // format filesystem
+  /\bdd\s+.*of=/,                            // raw disk write
+  /\b>\s*\/dev\/[sh]d/,                      // write to raw device
+  /\bcurl\b.*\|\s*(ba)?sh/,                  // curl pipe to shell
+  /\bwget\b.*\|\s*(ba)?sh/,                  // wget pipe to shell
+  /\bchmod\s+(-[a-zA-Z]*\s+)?777\s+\//,     // chmod 777 on root paths
+  /\b:(){ :\|:& };:/,                        // fork bomb
+  /\bsudo\b/,                                // sudo escalation
+  /\bsu\s+-?\s/,                             // su user switch
+  /\bpasswd\b/,                              // password change
+  /\buseradd\b|\buserdel\b/,                 // user management
+  /\biptables\b|\bnft\b/,                    // firewall modification
+  /\bsystemctl\s+(stop|disable|mask)/,       // service disruption
+  /\blaunchctl\s+(unload|remove)/,           // macOS service disruption
+  /\bkill\s+-9\s+1\b/,                       // kill init/launchd
+  />\s*\/etc\//,                             // overwrite system config
+  /\beval\b.*\$\(/,                          // eval with command substitution
+];
+
+/**
+ * Allowed command prefixes for server-side NATS exec.
+ * Only commands starting with one of these are permitted.
+ * CLI-side uses blocklist only; server-side uses both blocklist + allowlist.
+ */
+const ALLOWED_EXEC_PREFIXES = [
+  'git ', 'node ', 'python ', 'python3 ',
+  'npm test', 'npm run test', 'npm run lint', 'npm run build', 'npm run dev',
+  'npm run start', 'npm install', 'npm ci', 'npm ls', 'npm outdated',
+  'npm audit', 'npm version', 'npm pack', 'npm run check',
+  'npx vitest', 'npx jest', 'npx eslint', 'npx prettier', 'npx tsc',
+  'cat ', 'ls ', 'head ', 'tail ', 'grep ', 'find ', 'wc ',
+  'echo ', 'date ', 'uptime ', 'df ', 'free ', 'ps ',
+  'bash openclaw/', 'bash ~/openclaw/', 'bash ./bin/',
+  'pwd', 'which ',
+  'cargo ', 'go ', 'make ', 'pytest ', 'jest ', 'vitest ',
+];
+
+/**
+ * Check if a command matches any destructive pattern.
+ * @param {string} command
+ * @returns {{ blocked: boolean, pattern?: RegExp }}
+ */
+function checkDestructivePatterns(command) {
+  for (const pattern of DESTRUCTIVE_PATTERNS) {
+    if (pattern.test(command)) {
+      return { blocked: true, pattern };
+    }
+  }
+  return { blocked: false };
+}
+
+/**
+ * Check if a command is allowed by the server-side allowlist.
+ * @param {string} command
+ * @returns {boolean}
+ */
+function isAllowedExecCommand(command) {
+  const trimmed = (command || '').trim();
+  if (!trimmed) return false;
+  return ALLOWED_EXEC_PREFIXES.some(p => trimmed.startsWith(p));
+}
+
+/**
+ * Full server-side validation: blocklist + allowlist.
+ * Returns { allowed: true } or { allowed: false, reason: string }.
+ * @param {string} command
+ * @returns {{ allowed: boolean, reason?: string }}
+ */
+function validateExecCommand(command) {
+  const trimmed = (command || '').trim();
+  if (!trimmed) {
+    return { allowed: false, reason: 'Empty command' };
+  }
+
+  if (containsShellChaining(trimmed)) {
+    return { allowed: false, reason: `Command contains shell chaining operators: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_NODE_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous node flag detected: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_GIT_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous git flag detected: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_FIND_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous find flag detected: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_MAKE_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous make variable override detected: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_PYTHON_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous python flag detected: ${trimmed.slice(0, 80)}` };
+  }
+
+  const destructive = checkDestructivePatterns(trimmed);
+  if (destructive.blocked) {
+    return { allowed: false, reason: `Blocked by destructive pattern: ${destructive.pattern}` };
+  }
+
+  if (!isAllowedExecCommand(trimmed)) {
+    return { allowed: false, reason: `Command not in server-side allowlist: ${trimmed.slice(0, 80)}` };
+  }
+
+  return { allowed: true };
+}
+
+module.exports = {
+  DESTRUCTIVE_PATTERNS,
+  ALLOWED_EXEC_PREFIXES,
+  DANGEROUS_NODE_FLAGS,
+  DANGEROUS_GIT_FLAGS,
+  DANGEROUS_FIND_FLAGS,
+  DANGEROUS_MAKE_FLAGS,
+  DANGEROUS_PYTHON_FLAGS,
+  checkDestructivePatterns,
+  isAllowedExecCommand,
+  validateExecCommand,
+  containsShellChaining,
+};

package/lib/kanban-io.js

@@ -28,47 +28,30 @@ const ACTIVE_TASKS_PATH = path.join(
 // Prevents lost updates when mesh-bridge and memory-daemon write concurrently.
 // See architecture note above for why this is local-only.
 
-function withMkdirLock(filePath, fn) {
+async function withMkdirLock(filePath, fn) {
   const lockDir = filePath + '.lk';
-  const maxWait = 5000; // 5s max wait
+  const maxWait = 5000;
+  const pollInterval = 50;
   const start = Date.now();
 
-  // Acquire: mkdir is atomic on POSIX
-  while (true) {
+  while (Date.now() - start < maxWait) {
     try {
       fs.mkdirSync(lockDir);
-      break; // got the lock
-    } catch (err) {
-      if (err.code !== 'EEXIST') throw err;
-      // Lock held by another process — check for stale lock (>30s)
       try {
-        const lockAge = Date.now() - fs.statSync(lockDir).mtimeMs;
-        if (lockAge > 30000) {
-          // Stale lock — previous holder crashed
-          fs.rmdirSync(lockDir);
-          continue;
-        }
-      } catch { /* stat failed, lock was just released */ continue; }
-
-      if (Date.now() - start > maxWait) {
-        throw new Error(`kanban-io: lock timeout after ${maxWait}ms on ${filePath}`);
+        return await fn();
+      } finally {
+        try { fs.rmdirSync(lockDir); } catch {}
       }
-      // Sleep ~10ms — Atomics.wait is precise but throws on main thread
-      // in some Node.js builds; fall back to busy-spin (rare contention path)
-      try {
-        Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, 10);
-      } catch {
-        const end = Date.now() + 10;
-        while (Date.now() < end) { /* busy-wait fallback */ }
+    } catch (err) {
+      if (err.code === 'EEXIST') {
+        await new Promise(r => setTimeout(r, pollInterval));
+        continue;
       }
+      throw err;
     }
   }
-
-  try {
-    return fn();
-  } finally {
-    try { fs.rmdirSync(lockDir); } catch { /* already released */ }
-  }
+  // Timeout — refuse to proceed without lock to prevent data corruption
+  throw new Error(`kanban-io: lock acquisition timeout after ${maxWait}ms — file may be corrupted`);
 }
 
 // ── Parser ──────────────────────────────────────────
@@ -367,9 +350,13 @@ function _updateTaskInPlaceUnsafe(filePath, taskId, fieldUpdates = {}, arrayAppe
     ...lines.slice(blockEnd),
   ];
 
-  // Atomic write
+  // Atomic write — fsync before rename to ensure data hits disk
   const tmpPath = filePath + '.tmp.' + process.pid;
-  fs.writeFileSync(tmpPath, newLines.join('\n'));
+  const output = newLines.join('\n');
+  const fd = fs.openSync(tmpPath, 'w');
+  fs.writeSync(fd, output);
+  fs.fsyncSync(fd);
+  fs.closeSync(fd);
   fs.renameSync(tmpPath, filePath);
 }
 

package/lib/llm-providers.js

@@ -21,6 +21,30 @@ const path = require('path');
 const fs = require('fs');
 const os = require('os');
 
+// ── Shell Command Security ─────────────────────────
+const SHELL_CHAIN_PATTERNS = /[\n\r\0;`]|\$\(|\|\||&&|<\(|>\(|<<|>>|>\s|\|(?!\s*grep\b|\s*head\b|\s*tail\b|\s*wc\b|\s*sort\b)/;
+
+const DANGEROUS_FIND_FLAGS = /\bfind\b.*\s(-exec\b|-execdir\b|-delete\b|-ok\b|-okdir\b)/;
+
+const DANGEROUS_NODE_FLAGS = /\bnode\s+(-e\b|--eval\b|-p\b|--print\b|-r\b|--require\b|--import\b|--loader\b|--experimental-loader\b)/;
+
+const SHELL_PROVIDER_ALLOWED_PREFIXES = [
+  'npm test', 'npm run', 'node ', 'python ', 'pytest', 'cargo test',
+  'go test', 'make', 'jest', 'vitest', 'mocha',
+  'bash openclaw/', 'bash ~/openclaw/', 'bash ./bin/',
+  'sh openclaw/', 'sh ~/openclaw/', 'sh ./bin/',
+  'cat ', 'echo ', 'ls ', 'grep ', 'find ', 'git '
+];
+
+function validateShellCommand(cmd) {
+  const trimmed = (cmd || '').trim();
+  if (!trimmed) return false;
+  if (SHELL_CHAIN_PATTERNS.test(trimmed)) return false;
+  if (DANGEROUS_NODE_FLAGS.test(trimmed)) return false;
+  if (DANGEROUS_FIND_FLAGS.test(trimmed)) return false;
+  return SHELL_PROVIDER_ALLOWED_PREFIXES.some(p => trimmed.startsWith(p));
+}
+
 // ── Generic Provider Factory ────────────────────────
 // Most agentic coding CLIs follow a similar pattern:
 //   binary [prompt-flag] "prompt" [model-flag] model [cwd-flag] dir
@@ -167,6 +191,9 @@ const PROVIDERS = {
     buildArgs(prompt, model, task) {
       // Use task.description (the raw command) if available, fall back to prompt
       const cmd = (task && task.description) ? task.description : prompt;
+      if (!validateShellCommand(cmd)) {
+        throw new Error(`Shell provider: command blocked by security filter: ${cmd.slice(0, 80)}`);
+      }
       return ['-c', cmd];
     },
     cleanEnv(env) {

package/lib/mcp-knowledge/core.mjs

@@ -349,14 +349,14 @@ export async function indexWorkspace(db, root, opts = {}) {
     const texts = chunks.map(c => c.text);
     const vectors = await embedBatch(texts);
 
-    // sqlite-vec quirk: rowid must be literal, not bound param with better-sqlite3.
+    // Insert chunks and their vector embeddings
     const doInsert = db.transaction(() => {
       insertDoc.run(file.rel, hash, Date.now(), chunks.length);
       for (let i = 0; i < chunks.length; i++) {
         const snippet = chunks[i].text.slice(0, SNIPPET_LENGTH).replace(/\n/g, ' ');
         const info = insertChunk.run(file.rel, chunks[i].section, chunks[i].text, snippet);
         const vecBuf = Buffer.from(vectors[i].buffer);
-        db.prepare(`INSERT INTO chunk_vectors VALUES (${info.lastInsertRowid}, ?)`).run(vecBuf);
+        db.prepare(`INSERT INTO chunk_vectors VALUES (?, ?)`).run(info.lastInsertRowid, vecBuf);
       }
     });
     doInsert();
@@ -373,6 +373,7 @@ export async function indexWorkspace(db, root, opts = {}) {
 // ─── Search Functions ────────────────────────────────────────────────────────
 
 export async function semanticSearch(db, query, limit = 10) {
+  const safeLimit = Math.max(1, Math.min(100, Math.floor(Number(limit) || 10)));
   const count = db.prepare('SELECT COUNT(*) as c FROM chunk_vectors').get().c;
   if (count === 0) return [];
 
@@ -388,7 +389,7 @@ export async function semanticSearch(db, query, limit = 10) {
       c.snippet
     FROM chunk_vectors cv
     JOIN chunks c ON c.id = cv.rowid
-    WHERE embedding MATCH ? AND k = ${limit}
+    WHERE embedding MATCH ? AND k = ${safeLimit}
     ORDER BY distance
   `).all(vecBuf);
 
@@ -401,6 +402,7 @@ export async function semanticSearch(db, query, limit = 10) {
 }
 
 export async function findRelated(db, docPath, limit = 10) {
+  const safeLimit = Math.max(1, Math.min(100, Math.floor(Number(limit) || 10)));
   const chunkIds = db.prepare('SELECT id FROM chunks WHERE doc_path = ?').all(docPath);
 
   if (chunkIds.length === 0) {
@@ -445,7 +447,7 @@ export async function findRelated(db, docPath, limit = 10) {
       c.snippet
     FROM chunk_vectors cv
     JOIN chunks c ON c.id = cv.rowid
-    WHERE embedding MATCH ? AND k = ${limit * 3}
+    WHERE embedding MATCH ? AND k = ${safeLimit * 3}
     ORDER BY distance
   `).all(vecBuf);
 
@@ -459,7 +461,7 @@ export async function findRelated(db, docPath, limit = 10) {
     }
   }
 
-  return [...seen.values()].slice(0, limit).map(r => ({
+  return [...seen.values()].slice(0, safeLimit).map(r => ({
     path: r.doc_path,
     section: r.section,
     score: parseFloat((1 - r.distance * r.distance / 2).toFixed(4)),

package/lib/mcp-knowledge/server.mjs

@@ -163,7 +163,14 @@ async function startHttp(engine, port, host) {
         // Parse body
         const chunks = [];
         for await (const chunk of req) chunks.push(chunk);
-        const body = JSON.parse(Buffer.concat(chunks).toString());
+        let body;
+        try {
+          body = JSON.parse(Buffer.concat(chunks).toString());
+        } catch (e) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Invalid JSON in request body' }));
+          return;
+        }
 
         await transport.handleRequest(req, res, body);
         return;