diff --git a/CHANGELOG.md b/CHANGELOG.md index d20243cf66c..abe61b334f5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -113,6 +113,7 @@ Docs: https://docs.openclaw.ai - Security/ACPX Windows spawn hardening: resolve `.cmd/.bat` wrappers via PATH/PATHEXT and execute unwrapped Node/EXE entrypoints without shell parsing when possible, while preserving compatibility fallback for unknown custom wrappers by default and adding an opt-in strict mode (`strictWindowsCmdWrapper`) to fail closed for unresolvable wrappers. This ships in the next npm release. Thanks @tdjackey for reporting. - Security/Inbound metadata stripping: tighten sentinel matching and JSON-fence validation for inbound metadata stripping so user-authored lookalike lines no longer trigger unintended metadata removal. - Security/Zalo webhook memory hardening: bound webhook security tracking state and normalize security keying to matched webhook paths (excluding attacker query-string churn) to prevent unauthenticated memory growth pressure on reachable webhook endpoints. Thanks @Somet2mes. +- Security/Web search citation redirects: enforce strict SSRF defaults for Gemini citation redirect resolution so redirects to localhost/private/internal targets are blocked. Thanks @tdjackey for reporting. - Channels/Command parsing parity: align command-body parsing fields with channel command-gating text for Slack, Signal, Microsoft Teams, Mattermost, and BlueBubbles to avoid mention-strip mismatches and inconsistent command detection. - CLI/Startup (Raspberry Pi + small hosts): speed up startup by avoiding unnecessary plugin preload on fast routes, adding root `--version` fast-path bootstrap bypass, parallelizing status JSON/non-JSON scans where safe, and enabling Node compile cache at startup with env override compatibility (`NODE_COMPILE_CACHE`, `NODE_DISABLE_COMPILE_CACHE`). (#5871) Thanks @BookCatKid and @vincentkoc for raising startup reports, and @lupuletic for related startup work in #27973. - Doctor/macOS state-dir safety: warn when OpenClaw state resolves inside iCloud Drive (`~/Library/Mobile Documents/com~apple~CloudDocs/...`) or `~/Library/CloudStorage/...`, because sync-backed paths can cause slower I/O and lock/sync races. (#31004) Thanks @vincentkoc. diff --git a/docs/tools/web.md b/docs/tools/web.md index 0d48d746b5e..dbd95eda1bb 100644 --- a/docs/tools/web.md +++ b/docs/tools/web.md @@ -194,7 +194,7 @@ For a gateway install, put it in `~/.openclaw/.env`. - Citation URLs from Gemini grounding are automatically resolved from Google's redirect URLs to direct URLs. - Redirect resolution uses the SSRF guard path (HEAD + redirect checks + http/https validation) before returning the final citation URL. -- This redirect resolver follows the trusted-network model (private/internal networks allowed by default) to match Gateway operator trust assumptions. +- Redirect resolution uses strict SSRF defaults, so redirects to private/internal targets are blocked. - The default model (`gemini-2.5-flash`) is fast and cost-effective. Any Gemini model that supports grounding can be used. diff --git a/src/agents/tools/web-search.redirect.test.ts b/src/agents/tools/web-search.redirect.test.ts index 9b0758f26fa..6578f917a18 100644 --- a/src/agents/tools/web-search.redirect.test.ts +++ b/src/agents/tools/web-search.redirect.test.ts @@ -32,10 +32,10 @@ describe("web_search redirect resolution hardening", () => { url: "https://example.com/start", timeoutMs: 5000, init: { method: "HEAD" }, - policy: { dangerouslyAllowPrivateNetwork: true }, proxy: "env", }), ); + expect(fetchWithSsrFGuardMock.mock.calls[0]?.[0]?.policy).toBeUndefined(); expect(release).toHaveBeenCalledTimes(1); }); diff --git a/src/agents/tools/web-search.ts b/src/agents/tools/web-search.ts index 1608e9e8821..8456bf9d498 100644 --- a/src/agents/tools/web-search.ts +++ b/src/agents/tools/web-search.ts @@ -721,7 +721,6 @@ async function resolveRedirectUrl(url: string): Promise { url, init: { method: "HEAD" }, timeoutMs: REDIRECT_TIMEOUT_MS, - policy: WEB_TOOLS_TRUSTED_NETWORK_SSRF_POLICY, }, async ({ finalUrl }) => finalUrl || url, );