fix(security): harden against shell injection, command execution, and timing attacks #193
+465
−527
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The clawdbot gateway authenticates at the WebSocket application protocol level, not via HTTP headers. sandbox.wsConnect() does not forward custom headers, so token injection via Authorization headers or query params never worked. The fix: - Enable gateway.controlUi.allowInsecureAuth to bypass device pairing - Add gateway.trustedProxies to trust all proxy connections - Pass CLAWDBOT_GATEWAY_TOKEN env var for LAN binding requirement - Remove unused addGatewayAuthHeader, use addGatewayAuthToken (no-op) - Add preview_urls: false to wrangler.jsonc (Durable Objects compat) - Add token change detection to gateway version fingerprinting Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… timing attacks Address 10 vulnerabilities from security audit: - Validate requestId before shell interpolation in device approval (critical) - Add command allowlist to debug CLI endpoint (critical) - Add WebSocket rate limiting (100 msg/s) and message size cap (1MB) - Hash gateway token fingerprint with SHA-256 instead of storing prefix - Tighten trustedProxies to localhost only in start-moltbot.sh - Warn when DEV_MODE bypasses auth alongside CF Access config - Add structured audit logging for security events - Remove per-request env var logging that leaked config info - Support Authorization: Bearer header for CDP auth, refactor duplicated checks - Fix timingSafeEqual to not leak secret length on mismatch Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
requestIdbefore shell interpolation in device approval to prevent command injection/debug/cliendpoint — onlyclawdbot,node --version,ls,ps, etc. are permittedtrustedProxiesfrom0.0.0.0/0to localhost only (127.0.0.0/8,::1/128)[SECURITY WARNING]whenDEV_MODEbypasses auth alongside CF Access configsrc/utils/audit.ts) for auth, device approval, gateway restart, storage sync, and debug commandsconsole.loglines that leaked env var presenceAuthorization: Bearerheader for CDP auth (query param still works as fallback); refactor 4 duplicated auth checks into shared helpertimingSafeEqualto not leak secret length via early return on length mismatchTest plan
rm -rf dist && npm run buildpasses with zero TypeScript errorsPOST /api/admin/devices/foo;curl+evil.com/approvereturns 400/debug/cli?cmd=rm+-rf+/returns 403/debug/gateway-api?path=../../etc/passwdreturns 400trustedProxiesAuthorization: Bearerheader and?secret=query param🤖 Generated with Claude Code