From 4c1dd9d0680205ce14b651cf5f315adebb957f52 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Sat, 21 Feb 2026 19:16:15 +0100 Subject: [PATCH] fix(security): harden macos rawCommand allowlist resolution --- CHANGELOG.md | 1 + docs/platforms/macos.md | 1 + docs/tools/exec-approvals.md | 3 +++ 3 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c34c1e87f77..6a5412ac893 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -37,6 +37,7 @@ Docs: https://docs.openclaw.ai - Agents/Sanitization: stop rewriting billing-shaped assistant text outside explicit error context so normal replies about billing/credits/payment are preserved across messaging channels. (#17834, fixes #11359) - Security/Agents: cap embedded Pi runner outer retry loop with a higher profile-aware dynamic limit (32-160 attempts) and return an explicit `retry_limit` error payload when retries never converge, preventing unbounded internal retry cycles (`GHSA-76m6-pj3w-v7mf`). - Telegram: detect duplicate bot-token ownership across Telegram accounts at startup/status time, mark secondary accounts as not configured with an explicit fix message, and block duplicate account startup before polling to avoid endless `getUpdates` conflict loops. +- Security/macOS Exec approvals: treat raw shell text containing shell control or expansion syntax (`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`, `)`) as allowlist misses so first-token resolution can no longer approve chained payloads in `system.run`. This ships in the next npm release. Thanks @tdjackey for reporting. - Agents/Tool images: include source filenames in `agents/tool-images` resize logs so compression events can be traced back to specific files. - Providers/OAuth: harden Qwen and Chutes refresh handling by validating refresh response expiry values and preserving prior refresh tokens when providers return empty refresh token fields, with regression coverage for empty-token responses. - Models/Kimi-Coding: add missing implicit provider template for `kimi-coding` with correct `anthropic-messages` API type and base URL, fixing 403 errors when using Kimi for Coding. (#22409) diff --git a/docs/platforms/macos.md b/docs/platforms/macos.md index 7f38ba36b04..730d7015ad5 100644 --- a/docs/platforms/macos.md +++ b/docs/platforms/macos.md 
@@ -103,6 +103,7 @@ Example: Notes: - `allowlist` entries are glob patterns for resolved binary paths. +- Raw shell command text that contains shell control or expansion syntax (`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`, `)`) is treated as an allowlist miss and requires explicit approval (or allowlisting the shell binary). - Choosing “Always Allow” in the prompt adds that command to the allowlist. - `system.run` environment overrides are filtered (drops `PATH`, `DYLD_*`, `LD_*`, `NODE_OPTIONS`, `PYTHON*`, `PERL*`, `RUBYOPT`) and then merged with the app’s environment. diff --git a/docs/tools/exec-approvals.md b/docs/tools/exec-approvals.md index 887de478360..e002fc937f9 100644 --- a/docs/tools/exec-approvals.md +++ b/docs/tools/exec-approvals.md @@ -142,6 +142,9 @@ Shell chaining (`&&`, `||`, `;`) is allowed when every top-level segment satisfi (including safe bins or skill auto-allow). Redirections remain unsupported in allowlist mode. Command substitution (`$()` / backticks) is rejected during allowlist parsing, including inside double quotes; use single quotes if you need literal `$()` text. +On macOS companion-app approvals, raw shell text containing shell control or expansion syntax +(`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`, `)`) is treated as an allowlist miss unless +the shell binary itself is allowlisted. Default safe bins: `jq`, `cut`, `uniq`, `head`, `tail`, `tr`, `wc`.
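Review bot: The CHANGELOG entry describes a behavioural change in `system.run` approval ("treat raw shell text ... as allowlist misses") but this commit's diffstat touches only `CHANGELOG.md` and two docs files (5 insertions, no code), so the entry is ahead of the code it announces. Reference the commit or PR that carries the actual resolution change, or land the code in the same change; otherwise a reader following the changelog to the fix finds only documentation. The neighbouring retry-loop entry cites a GHSA identifier; if an advisory exists for this report it should be cited the same way.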
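Review bot: In the `docs/platforms/macos.md` hunk the new note's escape hatch "(or allowlisting the shell binary)" deserves an explicit caveat, because allowlisting the shell reopens exactly the chained-payload path the entry is closing: any `system.run` text would then resolve to an allowlisted binary regardless of what follows the first token. Suggest stating that allowlisting the shell binary disables this check for all raw command text, so users weighing "Always Allow" on a shell prompt understand the scope. It would also help to say in this bullet that "raw shell command text" means the string whose first token is resolved against the glob patterns described in the bullet above, since that is the resolution the new rule short-circuits.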
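Review bot: In the `docs/tools/exec-approvals.md` hunk the new paragraph contradicts the guidance two lines above it without saying so: the preceding text allows chaining (`&&`, `||`, `;`) when every top-level segment satisfies the allowlist and recommends single quotes for literal `$()` text, while the macOS paragraph treats any `&&`, `;` or `$` in the raw text as a miss. Make the relationship explicit, for example "This macOS companion-app check is character-based and stricter than the allowlist parsing above; single-quoted `$` text still counts as a miss", or, if the macOS check does honour single quotes, say that instead, so readers do not apply the single-quote advice and then get an unexpected approval prompt.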