From 21d6d878ce857d6d348ee1d6a87298330e34db6e Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Mon, 2 Mar 2026 21:26:09 +0000 Subject: [PATCH] fix: harden exec allowlist regex literal handling (#32162) (thanks @stakeswky) --- CHANGELOG.md | 1 + src/infra/exec-approvals.test.ts | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7377a947fcf..6a4691ff0fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -61,6 +61,7 @@ Docs: https://docs.openclaw.ai - Telegram/models picker callbacks: keep long model buttons selectable by falling back to compact callback payloads and resolving provider ids on selection (with provider re-prompt on ambiguity), avoiding Telegram 64-byte callback truncation failures. (#31857) Thanks @bmendonca3. - Config/backups hardening: enforce owner-only (`0600`) permissions on rotated config backups and clean orphan `.bak.*` files outside the managed backup ring, reducing credential leakage risk from stale or permissive backup artifacts. (#31718) Thanks @YUJIE2002. - WhatsApp/inbound self-message context: propagate inbound `fromMe` through the web inbox pipeline and annotate direct self messages as `(self)` in envelopes so agents can distinguish owner-authored turns from contact turns. (#32167) Thanks @scoootscooob. +- Exec approvals/allowlist matching: escape regex metacharacters in path-pattern literals (while preserving glob wildcards), preventing crashes on allowlisted executables like `/usr/bin/g++` and correctly matching mixed wildcard/literal token paths. (#32162) Thanks @stakeswky. - Webchat/stream finalization: persist streamed assistant text when final events omit `message`, while keeping final payload precedence and skipping empty stream buffers to prevent disappearing replies after tool turns. (#31920) Thanks @Sid-Qin. - Cron/store migration: normalize legacy cron jobs with string `schedule` and top-level `command`/`timeout` fields into canonical schedule/payload/session-target shape on load, preventing schedule-error loops on old persisted stores. (#31926) Thanks @bmendonca3. - Gateway/Heartbeat model reload: treat `models.*` and `agents.defaults.model` config updates as heartbeat hot-reload triggers so heartbeat picks up model changes without a full gateway restart. (#32046) Thanks @stakeswky. diff --git a/src/infra/exec-approvals.test.ts b/src/infra/exec-approvals.test.ts index 2367ae44027..52f4b5ef9a4 100644 
--- a/src/infra/exec-approvals.test.ts +++ b/src/infra/exec-approvals.test.ts @@ -102,6 +102,16 @@ describe("exec approvals allowlist matching", () => { }); expect(match?.pattern).toBe("/usr/bin/*++"); }); + + it("matches paths containing []() regex tokens literally", () => { + const literalPattern = "/opt/builds/tool[1](stable)"; + const match = matchAllowlist([{ pattern: literalPattern }], { + rawExecutable: literalPattern, + resolvedPath: literalPattern, + executableName: "tool[1](stable)", + }); + expect(match?.pattern).toBe(literalPattern); + }); }); describe("mergeExecApprovalsSocketDefaults", () => {
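Review bot: the CHANGELOG.md hunk at line 64 describes a behaviour change in the matcher ("escape regex metacharacters in path-pattern literals"), but the diffstat lists only CHANGELOG.md and src/infra/exec-approvals.test.ts, so nothing in this commit touches the matching code itself. Please name in the commit message the commit that carries the escaping change, so that anyone bisecting or backporting the fix for #32162 does not pick up this commit alone and assume the allowlist is hardened.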
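Review bot: the new case in src/infra/exec-approvals.test.ts ("matches paths containing []() regex tokens literally") asserts only the positive direction, with `pattern`, `rawExecutable` and `resolvedPath` all set to the same `literalPattern` string. For an allowlist, the over-match is the failure that matters: add an assertion that the same entry does not match `/opt/builds/tool1stable`, the path a regex reading of `[1](stable)` would accept, and expect `matchAllowlist` to return no match there. The changelog entry also promises "mixed wildcard/literal token paths", so a case combining `*` with `[` or `(` in one pattern would cover that claim; the existing `/usr/bin/*++` test exercises only `+`.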