whitzard-claw 1.0.0

package/scripts/check/memory_poisoning.sh

@@ -0,0 +1,334 @@
+# shellcheck shell=bash
+
+# ------------------------------------------------------------
+# Shared helpers
+# ------------------------------------------------------------
+
+OPENCLAW_PRESENT=false
+if command -v openclaw >/dev/null 2>&1; then
+    OPENCLAW_PRESENT=true
+fi
+
+has_pcre_grep() {
+    echo 'test' | grep -P 't.st' >/dev/null 2>&1
+}
+
+get_oc_config() {
+    # Usage: get_oc_config <key> <default>
+    local key="$1"
+    local default_val="${2:-}"
+    if [ "$OPENCLAW_PRESENT" = true ]; then
+        run_with_timeout 10 openclaw config get "$key" 2>/dev/null || echo "$default_val"
+    else
+        echo "$default_val"
+    fi
+}
+
+normalize_config_val() {
+    local val="${1:-}"
+    case "$val" in
+        null|undefined|"")
+            echo ""
+            ;;
+        *)
+            echo "$val"
+            ;;
+    esac
+}
+
+get_perm() {
+    local target="$1"
+
+    [ -e "$target" ] || {
+        echo "unknown"
+        return
+    }
+
+    case "$(uname -s)" in
+        Darwin|FreeBSD|OpenBSD|NetBSD)
+            stat -f '%Lp' "$target" 2>/dev/null || echo "unknown"
+            ;;
+        Linux)
+            stat -c '%a' "$target" 2>/dev/null || echo "unknown"
+            ;;
+        *)
+            stat -c '%a' "$target" 2>/dev/null || stat -f '%Lp' "$target" 2>/dev/null || echo "unknown"
+            ;;
+    esac
+}
+
+list_memory_files() {
+    # Enumerate workspace-level and agent-level memory files
+    local f
+    for f in \
+        "$WORKSPACE_DIR/SOUL.md" \
+        "$WORKSPACE_DIR/MEMORY.md" \
+        "$WORKSPACE_DIR/IDENTITY.md"
+    do
+        [ -f "$f" ] && echo "$f"
+    done
+
+    if [ -d "$OPENCLAW_DIR/agents" ]; then
+        find "$OPENCLAW_DIR/agents" -mindepth 2 -maxdepth 2 -type f \
+            \( -name 'soul.md' -o -name 'SOUL.md' -o -name 'MEMORY.md' -o -name 'IDENTITY.md' \) \
+            2>/dev/null || true
+    fi
+}
+
+extract_allowed_domains() {
+    # Build allowlist from config + defaults
+    # Defaults follow the TS snippet.
+    local cfg raw_domains
+    cfg="$(normalize_config_val "$(get_oc_config "secureclaw.network.egressAllowlist" "")")"
+
+    {
+        echo "api.anthropic.com"
+        echo "api.openai.com"
+        echo "generativelanguage.googleapis.com"
+        if [ -n "$cfg" ]; then
+            echo "$cfg" | grep -oE '[A-Za-z0-9.-]+\.[A-Za-z]{2,}' || true
+        fi
+    } | awk 'NF' | sort -u
+}
+
+url_host_allowed() {
+    # Usage: url_host_allowed <hostname>
+    local host="${1:-}"
+    local allowed
+    [ -n "$host" ] || return 1
+
+    while IFS= read -r allowed; do
+        [ -z "$allowed" ] && continue
+        if [ "$host" = "$allowed" ]; then
+            return 0
+        fi
+        case "$host" in
+            *."$allowed")
+                return 0
+                ;;
+        esac
+    done <<EOF
+$ALLOWED_DOMAINS
+EOF
+
+    return 1
+}
+
+# Precompute allowed domains once
+ALLOWED_DOMAINS="$(extract_allowed_domains)"
+
+# ============================================================
+# CHECK 1 (origin 10 + expanded patterns): Memory Poisoning Detection
+# ============================================================
+header 1 "Checking memory files for poisoning indicators..."
+
+MEMORY_POISON=0
+MEMORY_FILES_FOUND=0
+
+while IFS= read -r memfile; do
+    [ -z "$memfile" ] && continue
+    [ -f "$memfile" ] || continue
+
+    MEMORY_FILES_FOUND=$((MEMORY_FILES_FOUND + 1))
+
+    # Expanded but still relatively conservative injection/exfiltration patterns
+    POISON_HITS="$(grep -inE \
+        'ignore[[:space:]]+previous[[:space:]]+instructions|ignore[[:space:]]+all[[:space:]]+previous|disregard[[:space:]]+(all[[:space:]]+)?previous|override.*instruction|new[[:space:]]+system[[:space:]]+prompt|system[[:space:]]+prompt|forget.*previous|you[[:space:]]+are[[:space:]]+now|act[[:space:]]+as[[:space:]]+if|pretend[[:space:]]+to[[:space:]]+be|from[[:space:]]+now[[:space:]]+on.*ignore|forward[[:space:]]+to|send[[:space:]]+to|exfiltrat(e|ion)|leak[[:space:]]+(the[[:space:]]+)?(secret|token|credential|key)|reveal[[:space:]]+(the[[:space:]]+)?(system[[:space:]]+prompt|secret|token|credential|key)|post[[:space:]]+to[[:space:]]+https?://|upload[[:space:]]+to[[:space:]]+https?://' \
+        "$memfile" 2>/dev/null || true)"
+
+    if [ -n "$POISON_HITS" ]; then
+        result_critical "Memory poisoning indicators detected in $(basename "$memfile")"
+        log "$POISON_HITS"
+        MEMORY_POISON=$((MEMORY_POISON + 1))
+    fi
+done <<EOF
+$(list_memory_files)
+EOF
+
+if [ "$MEMORY_POISON" -eq 0 ]; then
+    if [ "$MEMORY_FILES_FOUND" -eq 0 ]; then
+        result_clean "No memory files found; poisoning check skipped"
+    else
+        result_clean "No poisoning indicators found in memory files"
+    fi
+fi
+
+# ============================================================
+# CHECK 2 (origin 40): Log Poisoning / WebSocket Header Injection
+# ============================================================
+header 2 "Checking log poisoning / WebSocket header injection..."
+
+LOG_POISON_ISSUES=0
+LOG_FILES_PRESENT=0
+
+if [ -d "$LOG_DIR" ]; then
+    LOG_FILES_PRESENT="$(find "$LOG_DIR" -type f ! -name '*.gz' 2>/dev/null | wc -l | tr -d ' ')"
+
+    # ---- Check 1: ANSI escape sequences
+    ANSI_HITS=""
+    if has_pcre_grep; then
+        ANSI_HITS="$(grep -rlP '\x1b\[' "$LOG_DIR" --exclude='*.gz' 2>/dev/null | head -5 || true)"
+    else
+        ANSI_HITS="$(LC_ALL=C grep -rl "$(printf '\033[')" "$LOG_DIR" --exclude='*.gz' 2>/dev/null | head -5 || true)"
+    fi
+
+    if [ -n "$ANSI_HITS" ]; then
+        ANSI_COUNT="$(echo "$ANSI_HITS" | wc -l | tr -d ' ')"
+        result_warn "ANSI escape sequences found in $ANSI_COUNT log file(s) - possible log poisoning"
+        log "$ANSI_HITS"
+        LOG_POISON_ISSUES=$((LOG_POISON_ISSUES + 1))
+    fi
+
+    # ---- Check 2: nested/fake log-entry patterns
+    FAKE_ENTRIES="$(grep -rlE '\]\s*(INFO|WARN|WARNING|ERROR|CRITICAL)\s*:.*\[20[0-9]{2}-' "$LOG_DIR" --exclude='*.gz' 2>/dev/null | head -3 || true)"
+    if [ -n "$FAKE_ENTRIES" ]; then
+        while IFS= read -r ffile; do
+            [ -z "$ffile" ] && continue
+            NESTED="$(grep -cE '^\[.*\]\s*(INFO|WARN|WARNING|ERROR|CRITICAL).*\[20[0-9]{2}-[0-9]{2}' "$ffile" 2>/dev/null || echo "0")"
+            if [ "${NESTED:-0}" -gt 0 ] 2>/dev/null; then
+                result_warn "Possible injected log entries in $(basename "$ffile") - log poisoning indicator"
+                log "$ffile"
+                LOG_POISON_ISSUES=$((LOG_POISON_ISSUES + 1))
+                break
+            fi
+        done <<EOF
+$FAKE_ENTRIES
+EOF
+    fi
+
+    # ---- Check 3: control characters in logs
+    CTRL_HITS=""
+    if has_pcre_grep; then
+        CTRL_HITS="$(grep -rlP '[\x00-\x08\x0e-\x1f]' "$LOG_DIR" --exclude='*.gz' 2>/dev/null | head -3 || true)"
+    else
+        if command -v perl >/dev/null 2>&1; then
+            CTRL_HITS="$(
+                find "$LOG_DIR" -type f ! -name '*.gz' 2>/dev/null | while IFS= read -r f; do
+                    perl -ne 'if (/[\x00-\x08\x0e-\x1f]/) { print "$ARGV\n"; exit 0 }' "$f" 2>/dev/null
+                done | head -3 || true
+            )"
+        fi
+    fi
+
+    if [ -n "$CTRL_HITS" ]; then
+        result_warn "Control characters found in logs - possible WebSocket header injection"
+        log "$CTRL_HITS"
+        LOG_POISON_ISSUES=$((LOG_POISON_ISSUES + 1))
+    fi
+fi
+
+
+if [ "$LOG_POISON_ISSUES" -eq 0 ]; then
+    if [ "${LOG_FILES_PRESENT:-0}" -eq 0 ] 2>/dev/null; then
+        result_clean "No log files found; log-poisoning check skipped"
+    else
+        result_clean "No log poisoning indicators found"
+    fi
+fi
+
+# ============================================================
+# CHECK 3 (new / MEM-003): Base64 encoded blocks in memory
+# ============================================================
+header 3 "Checking memory files for long base64-encoded blocks..."
+
+BASE64_ISSUES=0
+BASE64_FILES_FOUND=0
+
+while IFS= read -r memfile; do
+    [ -z "$memfile" ] && continue
+    [ -f "$memfile" ] || continue
+
+    BASE64_FILES_FOUND=$((BASE64_FILES_FOUND + 1))
+
+    # Conservative heuristic: very long base64-like block
+    if grep -Eq '(^|[^A-Za-z0-9+/=])[A-Za-z0-9+/]{160,}={0,2}([^A-Za-z0-9+/=]|$)' "$memfile" 2>/dev/null; then
+        result_warn "Long base64-like content found in $(basename "$memfile") - may hide malicious instructions"
+        log "  Evidence: $memfile"
+        BASE64_ISSUES=$((BASE64_ISSUES + 1))
+    fi
+done <<EOF
+$(list_memory_files)
+EOF
+
+if [ "$BASE64_ISSUES" -eq 0 ]; then
+    if [ "$BASE64_FILES_FOUND" -eq 0 ]; then
+        result_clean "No memory files found; base64 check skipped"
+    else
+        result_clean "No suspicious base64 blocks found in memory files"
+    fi
+fi
+
+# ============================================================
+# CHECK 4 (new / MEM-004): Non-whitelisted URLs in memory
+# ============================================================
+header 4 "Checking memory files for unexpected external URLs..."
+
+URL_ISSUES=0
+URL_FILES_FOUND=0
+
+while IFS= read -r memfile; do
+    [ -z "$memfile" ] && continue
+    [ -f "$memfile" ] || continue
+
+    URL_FILES_FOUND=$((URL_FILES_FOUND + 1))
+
+    URLS="$(grep -oE 'https?://[^[:space:]"'"'"'<>)]+' "$memfile" 2>/dev/null | sort -u || true)"
+    if [ -n "$URLS" ]; then
+        while IFS= read -r url; do
+            [ -z "$url" ] && continue
+
+            # Extract hostname conservatively
+            URL_HOST="$(printf "%s\n" "$url" | sed -E 's#^https?://([^/:?#]+).*$#\1#' | tr '[:upper:]' '[:lower:]')"
+            [ -z "$URL_HOST" ] && continue
+
+            if ! url_host_allowed "$URL_HOST"; then
+                result_warn "Unexpected URL in $(basename "$memfile") points to non-whitelisted domain '$URL_HOST'"
+                log "  Evidence: $memfile -> $url"
+                URL_ISSUES=$((URL_ISSUES + 1))
+            fi
+        done <<EOF
+$URLS
+EOF
+    fi
+done <<EOF
+$(list_memory_files)
+EOF
+
+if [ "$URL_ISSUES" -eq 0 ]; then
+    if [ "$URL_FILES_FOUND" -eq 0 ]; then
+        result_clean "No memory files found; URL allowlist check skipped"
+    else
+        result_clean "No unexpected external URLs found in memory files"
+    fi
+fi
+
+# ============================================================
+# CHECK 5 (new / MEM-005): Memory file permissions
+# ============================================================
+header 5 "Checking memory file permissions..."
+
+MEM_PERM_ISSUES=0
+MEM_PERM_FILES_FOUND=0
+
+while IFS= read -r memfile; do
+    [ -z "$memfile" ] && continue
+    [ -f "$memfile" ] || continue
+
+    MEM_PERM_FILES_FOUND=$((MEM_PERM_FILES_FOUND + 1))
+    MPERMS="$(get_perm "$memfile")"
+
+    if [ "$MPERMS" != "600" ] && [ "$MPERMS" != "unknown" ]; then
+        result_warn "Memory file $(basename "$memfile") has permissions $MPERMS (recommended: 600)"
+        MEM_PERM_ISSUES=$((MEM_PERM_ISSUES + 1))
+    fi
+done <<EOF
+$(list_memory_files)
+EOF
+
+if [ "$MEM_PERM_ISSUES" -eq 0 ]; then
+    if [ "$MEM_PERM_FILES_FOUND" -eq 0 ]; then
+        result_clean "No memory files found; permission check skipped"
+    else
+        result_clean "Memory file permissions acceptable"
+    fi
+fi