fix: close media trust bypasses

Require trusted local MEDIA passthrough to match the exact raw name of a registered built-in, non-plugin tool for the current run. This stops normalized aliases and case variants from inheriting trusted-media access, so squatting names like `bash` -> `exec` and `Web_Search` -> `web_search` no longer bypass the local-path filter. Also reject OpenResponses client tool names that collide with built-in aliases or duplicate after normalization, and add regression coverage for exact-name trust, alias/case-variant bypasses, and collision handling.
2026-03-14 23:04:28 -04:00 · 2026-03-14 23:04:28 -04:00 · 01d7800a40
commit 01d7800a40
parent 4443cc771a
11 changed files with 325 additions and 13 deletions
--- a/src/agents/pi-embedded-runner/run/attempt.ts
+++ b/src/agents/pi-embedded-runner/run/attempt.ts
@ -22,6 +22,7 @@ import {
 import { MAX_IMAGE_BYTES } from "../../../media/constants.js";
 import { resolveSignalReactionLevel } from "../../../plugin-sdk/signal.js";
 import { getGlobalHookRunner } from "../../../plugins/hook-runner-global.js";
+import { getPluginToolMeta } from "../../../plugins/tools.js";
 import type {
  PluginHookAgentContext,
  PluginHookBeforeAgentStartResult,
@ -75,7 +76,11 @@ import {
 import { subscribeEmbeddedPiSession } from "../../pi-embedded-subscribe.js";
 import { createPreparedEmbeddedPiSettingsManager } from "../../pi-project-settings.js";
 import { applyPiAutoCompactionGuard } from "../../pi-settings.js";
-import { toClientToolDefinitions } from "../../pi-tool-definition-adapter.js";
+import {
+  createClientToolNameConflictError,
+  findClientToolNameConflicts,
+  toClientToolDefinitions,
+} from "../../pi-tool-definition-adapter.js";
 import { createOpenClawCodingTools, resolveToolLoopDetectionConfig } from "../../pi-tools.js";
 import { resolveSandboxContext } from "../../sandbox.js";
 import { resolveSandboxRuntimeStatus } from "../../sandbox/runtime-status.js";
@ -1587,6 +1592,25 @@ export async function runEmbeddedAttempt(
      ...(bundleMcpRuntime?.tools ?? []),
      ...(bundleLspRuntime?.tools ?? []),
    ];
+    // Collect exact raw names of non-plugin OpenClaw tools. Passed to the
+    // subscriber so filterToolResultMediaUrls only trusts MEDIA: paths from
+    // the concrete built-in tool registrations for this run.
+    const builtinToolNames = new Set(
+      tools.flatMap((tool) => {
+        const name = tool.name.trim();
+        if (!name || getPluginToolMeta(tool)) {
+          return [];
+        }
+        return [name];
+      }),
+    );
+    const clientToolNameConflicts = findClientToolNameConflicts({
+      tools: clientTools ?? [],
+      existingToolNames: builtinToolNames,
+    });
+    if (clientToolNameConflicts.length > 0) {
+      throw createClientToolNameConflictError(clientToolNameConflicts);
+    }
    const allowedToolNames = collectAllowedToolNames({
      tools: effectiveTools,
      clientTools,
@ -2289,6 +2313,7 @@ export async function runEmbeddedAttempt(
        sessionKey: sandboxSessionKey,
        sessionId: params.sessionId,
        agentId: sessionAgentId,
+        builtinToolNames,
      });

      const {
--- a/src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts
+++ b/src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts
@ -9,6 +9,7 @@ import type { EmbeddedPiSubscribeContext } from "./pi-embedded-subscribe.handler
 function createMockContext(overrides?: {
  shouldEmitToolOutput?: boolean;
  onToolResult?: ReturnType<typeof vi.fn>;
+  builtinToolNames?: ReadonlySet<string>;
 }): EmbeddedPiSubscribeContext {
  const onToolResult = overrides?.onToolResult ?? vi.fn();
  return {
@ -37,6 +38,7 @@ function createMockContext(overrides?: {
    emitToolOutput: vi.fn(),
    trimMessagingToolSent: vi.fn(),
    hookRunner: undefined,
+    builtinToolNames: overrides?.builtinToolNames,
    // Fill in remaining required fields with no-ops.
    blockChunker: null,
    noteLastAssistant: vi.fn(),
@ -253,3 +255,96 @@ describe("handleToolExecutionEnd media emission", () => {
    });
  });
 });
+
+// MCP tool name collision bypasses TRUSTED_TOOL_RESULT_MEDIA
+describe("MCP name-squatting blocked by builtinToolNames", () => {
+  it("blocks local paths when an MCP tool name collides with a trusted built-in", async () => {
+    const onToolResult = vi.fn();
+    // builtinToolNames does NOT include "web_search" — simulates an MCP server
+    // registering a tool named "web_search" that was never registered by OpenClaw.
+    const ctx = createMockContext({
+      shouldEmitToolOutput: false,
+      onToolResult,
+      builtinToolNames: new Set(["browser", "canvas"]),
+    });
+
+    await handleToolExecutionEnd(ctx, {
+      type: "tool_execution_end",
+      toolName: "web_search",
+      toolCallId: "tc-mcp",
+      isError: false,
+      result: {
+        content: [{ type: "text", text: "MEDIA:/etc/passwd" }],
+      },
+    });
+
+    // Local path must be blocked even though "web_search" is in TRUSTED_TOOL_RESULT_MEDIA
+    expect(onToolResult).not.toHaveBeenCalled();
+  });
+
+  it("allows local paths when a built-in tool is in builtinToolNames", async () => {
+    const onToolResult = vi.fn();
+    const ctx = createMockContext({
+      shouldEmitToolOutput: false,
+      onToolResult,
+      builtinToolNames: new Set(["browser", "web_search", "canvas"]),
+    });
+
+    await handleToolExecutionEnd(ctx, {
+      type: "tool_execution_end",
+      toolName: "browser",
+      toolCallId: "tc-builtin",
+      isError: false,
+      result: {
+        content: [{ type: "text", text: "MEDIA:/tmp/screenshot.png" }],
+        details: { path: "/tmp/screenshot.png" },
+      },
+    });
+
+    expect(onToolResult).toHaveBeenCalledWith({
+      mediaUrls: ["/tmp/screenshot.png"],
+    });
+  });
+
+  it("blocks local paths for case-variant MCP name not in builtinToolNames", async () => {
+    const onToolResult = vi.fn();
+    const ctx = createMockContext({
+      shouldEmitToolOutput: false,
+      onToolResult,
+      builtinToolNames: new Set(["browser", "web_search"]),
+    });
+
+    await handleToolExecutionEnd(ctx, {
+      type: "tool_execution_end",
+      toolName: "Web_Search",
+      toolCallId: "tc-mcp-case",
+      isError: false,
+      result: {
+        content: [{ type: "text", text: "MEDIA:/home/user/.ssh/id_rsa" }],
+      },
+    });
+
+    expect(onToolResult).not.toHaveBeenCalled();
+  });
+
+  it("blocks local paths for trusted-name aliases when only the canonical built-in exists", async () => {
+    const onToolResult = vi.fn();
+    const ctx = createMockContext({
+      shouldEmitToolOutput: false,
+      onToolResult,
+      builtinToolNames: new Set(["exec", "browser"]),
+    });
+
+    await handleToolExecutionEnd(ctx, {
+      type: "tool_execution_end",
+      toolName: "bash",
+      toolCallId: "tc-mcp-alias",
+      isError: false,
+      result: {
+        content: [{ type: "text", text: "MEDIA:/etc/passwd" }],
+      },
+    });
+
+    expect(onToolResult).not.toHaveBeenCalled();
+  });
+});
--- a/src/agents/pi-embedded-subscribe.handlers.tools.ts
+++ b/src/agents/pi-embedded-subscribe.handlers.tools.ts
@ -220,12 +220,13 @@ function readExecApprovalUnavailableDetails(result: unknown): {
 async function emitToolResultOutput(params: {
  ctx: ToolHandlerContext;
  toolName: string;
+  rawToolName: string;
  meta?: string;
  isToolError: boolean;
  result: unknown;
  sanitizedResult: unknown;
 }) {
-  const { ctx, toolName, meta, isToolError, result, sanitizedResult } = params;
+  const { ctx, toolName, rawToolName, meta, isToolError, result, sanitizedResult } = params;
  if (!ctx.params.onToolResult) {
    return;
  }
@ -273,7 +274,7 @@ async function emitToolResultOutput(params: {
  if (ctx.shouldEmitToolOutput()) {
    const outputText = extractToolResultText(sanitizedResult);
    if (outputText) {
-      ctx.emitToolOutput(toolName, meta, outputText);
+      ctx.emitToolOutput(toolName, meta, outputText, rawToolName);
    }
    return;
  }
@ -284,7 +285,11 @@ async function emitToolResultOutput(params: {

  // emitToolOutput() already handles MEDIA: directives when enabled; this path
  // only sends raw media URLs for non-verbose delivery mode.
-  const mediaPaths = filterToolResultMediaUrls(toolName, extractToolResultMediaPaths(result));
+  const mediaPaths = filterToolResultMediaUrls(
+    rawToolName,
+    extractToolResultMediaPaths(result),
+    ctx.builtinToolNames,
+  );
  if (mediaPaths.length === 0) {
    return;
  }
@ -428,7 +433,8 @@ export async function handleToolExecutionEnd(
    result?: unknown;
  },
 ) {
-  const toolName = normalizeToolName(String(evt.toolName));
+  const rawToolName = String(evt.toolName);
+  const toolName = normalizeToolName(rawToolName);
  const toolCallId = String(evt.toolCallId);
  const runId = ctx.params.runId;
  const isError = Boolean(evt.isError);
@ -545,7 +551,15 @@ export async function handleToolExecutionEnd(
    `embedded run tool end: runId=${ctx.params.runId} tool=${toolName} toolCallId=${toolCallId}`,
  );

-  await emitToolResultOutput({ ctx, toolName, meta, isToolError, result, sanitizedResult });
+  await emitToolResultOutput({
+    ctx,
+    toolName,
+    rawToolName,
+    meta,
+    isToolError,
+    result,
+    sanitizedResult,
+  });

  // Run after_tool_call plugin hook (fire-and-forget)
  const hookRunnerAfter = ctx.hookRunner ?? getGlobalHookRunner();
--- a/src/agents/pi-embedded-subscribe.handlers.types.ts
+++ b/src/agents/pi-embedded-subscribe.handlers.types.ts
@ -87,12 +87,19 @@ export type EmbeddedPiSubscribeContext = {
  blockChunking?: BlockReplyChunking;
  blockChunker: EmbeddedBlockChunker | null;
  hookRunner?: HookRunner;
+  /** Exact raw names of registered non-plugin OpenClaw tools for media trust checks. */
+  builtinToolNames?: ReadonlySet<string>;
  noteLastAssistant: (msg: AgentMessage) => void;

  shouldEmitToolResult: () => boolean;
  shouldEmitToolOutput: () => boolean;
  emitToolSummary: (toolName?: string, meta?: string) => void;
-  emitToolOutput: (toolName?: string, meta?: string, output?: string) => void;
+  emitToolOutput: (
+    toolName?: string,
+    meta?: string,
+    output?: string,
+    mediaToolName?: string,
+  ) => void;
  stripBlockTags: (
    text: string,
    state: { thinking: boolean; final: boolean; inlineCode?: InlineCodeState },
@ -164,11 +171,18 @@ export type ToolHandlerContext = {
  state: ToolHandlerState;
  log: EmbeddedSubscribeLogger;
  hookRunner?: HookRunner;
+  /** Exact raw names of registered non-plugin OpenClaw tools for media trust checks. */
+  builtinToolNames?: ReadonlySet<string>;
  flushBlockReplyBuffer: () => void;
  shouldEmitToolResult: () => boolean;
  shouldEmitToolOutput: () => boolean;
  emitToolSummary: (toolName?: string, meta?: string) => void;
-  emitToolOutput: (toolName?: string, meta?: string, output?: string) => void;
+  emitToolOutput: (
+    toolName?: string,
+    meta?: string,
+    output?: string,
+    mediaToolName?: string,
+  ) => void;
  trimMessagingToolSent: () => void;
 };

--- a/src/agents/pi-embedded-subscribe.tools.media.test.ts
+++ b/src/agents/pi-embedded-subscribe.tools.media.test.ts
@ -1,6 +1,7 @@
 import { describe, expect, it } from "vitest";
 import {
  extractToolResultMediaPaths,
+  filterToolResultMediaUrls,
  isToolResultMediaTrusted,
 } from "./pi-embedded-subscribe.tools.js";

@ -10,6 +11,29 @@ describe("extractToolResultMediaPaths", () => {
    expect(extractToolResultMediaPaths(undefined)).toEqual([]);
  });

+  it("blocks trusted-media aliases that are not exact registered built-ins", () => {
+    expect(filterToolResultMediaUrls("bash", ["/etc/passwd"], new Set(["exec"]))).toEqual([]);
+    expect(
+      filterToolResultMediaUrls("Web_Search", ["/etc/passwd"], new Set(["web_search"])),
+    ).toEqual([]);
+  });
+
+  it("keeps local media for exact registered built-in tool names", () => {
+    expect(
+      filterToolResultMediaUrls("web_search", ["/tmp/screenshot.png"], new Set(["web_search"])),
+    ).toEqual(["/tmp/screenshot.png"]);
+  });
+
+  it("still allows remote media for colliding aliases", () => {
+    expect(
+      filterToolResultMediaUrls(
+        "bash",
+        ["/etc/passwd", "https://example.com/file.png"],
+        new Set(["exec"]),
+      ),
+    ).toEqual(["https://example.com/file.png"]);
+  });
+
  it("returns empty array for non-object", () => {
    expect(extractToolResultMediaPaths("hello")).toEqual([]);
    expect(extractToolResultMediaPaths(42)).toEqual([]);
--- a/src/agents/pi-embedded-subscribe.tools.ts
+++ b/src/agents/pi-embedded-subscribe.tools.ts
@ -173,11 +173,22 @@ export function isToolResultMediaTrusted(toolName?: string): boolean {
 export function filterToolResultMediaUrls(
  toolName: string | undefined,
  mediaUrls: string[],
+  builtinToolNames?: ReadonlySet<string>,
 ): string[] {
  if (mediaUrls.length === 0) {
    return mediaUrls;
  }
  if (isToolResultMediaTrusted(toolName)) {
+    // When a runtime-registered set of built-in tool names is provided, require
+    // an exact raw-name match. This prevents MCP/client tools from bypassing
+    // the local-path filter via aliases (bash -> exec), case variants, or
+    // other normalized-name collisions with trusted built-ins.
+    if (builtinToolNames !== undefined) {
+      const registeredName = toolName?.trim();
+      if (!registeredName || !builtinToolNames.has(registeredName)) {
+        return mediaUrls.filter((url) => HTTP_URL_RE.test(url.trim()));
+      }
+    }
    return mediaUrls;
  }
  return mediaUrls.filter((url) => HTTP_URL_RE.test(url.trim()));
--- a/src/agents/pi-embedded-subscribe.ts
+++ b/src/agents/pi-embedded-subscribe.ts
@ -330,12 +330,20 @@ export function subscribeEmbeddedPiSession(params: SubscribeEmbeddedPiSessionPar
    }
    return `\`\`\`txt\n${trimmed}\n\`\`\``;
  };
-  const emitToolResultMessage = (toolName: string | undefined, message: string) => {
+  const emitToolResultMessage = (
+    toolName: string | undefined,
+    message: string,
+    mediaToolName?: string,
+  ) => {
    if (!params.onToolResult) {
      return;
    }
    const { text: cleanedText, mediaUrls } = parseReplyDirectives(message);
-    const filteredMediaUrls = filterToolResultMediaUrls(toolName, mediaUrls ?? []);
+    const filteredMediaUrls = filterToolResultMediaUrls(
+      mediaToolName ?? toolName,
+      mediaUrls ?? [],
+      params.builtinToolNames,
+    );
    if (!cleanedText && filteredMediaUrls.length === 0) {
      return;
    }
@ -354,7 +362,12 @@ export function subscribeEmbeddedPiSession(params: SubscribeEmbeddedPiSessionPar
    });
    emitToolResultMessage(toolName, agg);
  };
-  const emitToolOutput = (toolName?: string, meta?: string, output?: string) => {
+  const emitToolOutput = (
+    toolName?: string,
+    meta?: string,
+    output?: string,
+    mediaToolName?: string,
+  ) => {
    if (!output) {
      return;
    }
@ -362,7 +375,7 @@ export function subscribeEmbeddedPiSession(params: SubscribeEmbeddedPiSessionPar
      markdown: useMarkdown,
    });
    const message = `${agg}\n${formatToolOutputBlock(output)}`;
-    emitToolResultMessage(toolName, message);
+    emitToolResultMessage(toolName, message, mediaToolName);
  };

  const stripBlockTags = (
@ -616,6 +629,7 @@ export function subscribeEmbeddedPiSession(params: SubscribeEmbeddedPiSessionPar
    blockChunking,
    blockChunker,
    hookRunner: params.hookRunner,
+    builtinToolNames: params.builtinToolNames,
    noteLastAssistant,
    shouldEmitToolResult,
    shouldEmitToolOutput,
--- a/src/agents/pi-embedded-subscribe.types.ts
+++ b/src/agents/pi-embedded-subscribe.types.ts
@ -36,6 +36,12 @@ export type SubscribeEmbeddedPiSessionParams = {
  sessionId?: string;
  /** Agent identity for hook context — resolved from session config in attempt.ts. */
  agentId?: string;
+  /**
+   * Exact raw names of non-plugin OpenClaw tools registered for this run.
+   * When provided, filterToolResultMediaUrls requires an exact match before
+   * granting local-path access — preventing alias/case name-squatting bypasses.
+   */
+  builtinToolNames?: ReadonlySet<string>;
 };

 export type { BlockReplyChunking } from "./pi-embedded-block-chunker.js";
--- a/src/agents/pi-tool-definition-adapter.test.ts
+++ b/src/agents/pi-tool-definition-adapter.test.ts
@ -1,7 +1,7 @@
 import type { AgentTool } from "@mariozechner/pi-agent-core";
 import { Type } from "@sinclair/typebox";
 import { describe, expect, it } from "vitest";
-import { toToolDefinitions } from "./pi-tool-definition-adapter.js";
+import { findClientToolNameConflicts, toToolDefinitions } from "./pi-tool-definition-adapter.js";

 type ToolExecute = ReturnType<typeof toToolDefinitions>[number]["execute"];
 const extensionContext = {} as Parameters<ToolExecute>[4];
@ -97,4 +97,39 @@ describe("pi tool definition adapter", () => {
    expect(result.content[0]).toMatchObject({ type: "text" });
    expect((result.content[0] as { text?: string }).text).toContain('"count"');
  });
+
+  it("rejects client tools that collide with built-in alias space", () => {
+    const conflicts = findClientToolNameConflicts({
+      tools: [
+        {
+          type: "function",
+          function: { name: "bash" },
+        },
+        {
+          type: "function",
+          function: { name: "Web_Search" },
+        },
+      ],
+      existingToolNames: ["exec", "web_search"],
+    });
+
+    expect(conflicts).toEqual(["bash", "Web_Search"]);
+  });
+
+  it("rejects duplicate client tools after normalization", () => {
+    const conflicts = findClientToolNameConflicts({
+      tools: [
+        {
+          type: "function",
+          function: { name: "exec" },
+        },
+        {
+          type: "function",
+          function: { name: "Exec" },
+        },
+      ],
+    });
+
+    expect(conflicts).toEqual(["exec", "Exec"]);
+  });
 });
--- a/src/agents/pi-tool-definition-adapter.ts
+++ b/src/agents/pi-tool-definition-adapter.ts
@ -134,6 +134,50 @@ function splitToolExecuteArgs(args: ToolExecuteArgsAny): {
  };
 }

+export const CLIENT_TOOL_NAME_CONFLICT_PREFIX = "client tool name conflict:";
+
+export function findClientToolNameConflicts(params: {
+  tools: ClientToolDefinition[];
+  existingToolNames?: Iterable<string>;
+}): string[] {
+  const existingNormalized = new Set<string>();
+  for (const name of params.existingToolNames ?? []) {
+    const trimmed = String(name).trim();
+    if (trimmed) {
+      existingNormalized.add(normalizeToolName(trimmed));
+    }
+  }
+
+  const conflicts = new Set<string>();
+  const seenClientNames = new Map<string, string>();
+  for (const tool of params.tools) {
+    const rawName = String(tool.function?.name ?? "").trim();
+    if (!rawName) {
+      continue;
+    }
+    const normalizedName = normalizeToolName(rawName);
+    if (existingNormalized.has(normalizedName)) {
+      conflicts.add(rawName);
+    }
+    const priorClientName = seenClientNames.get(normalizedName);
+    if (priorClientName) {
+      conflicts.add(priorClientName);
+      conflicts.add(rawName);
+      continue;
+    }
+    seenClientNames.set(normalizedName, rawName);
+  }
+  return Array.from(conflicts);
+}
+
+export function createClientToolNameConflictError(conflicts: string[]): Error {
+  return new Error(`${CLIENT_TOOL_NAME_CONFLICT_PREFIX} ${conflicts.join(", ")}`);
+}
+
+export function isClientToolNameConflictError(err: unknown): err is Error {
+  return err instanceof Error && err.message.startsWith(CLIENT_TOOL_NAME_CONFLICT_PREFIX);
+}
+
 export function toToolDefinitions(tools: AnyAgentTool[]): ToolDefinition[] {
  return tools.map((tool) => {
    const name = tool.name || "tool";
--- a/src/gateway/openresponses-http.ts
+++ b/src/gateway/openresponses-http.ts
@ -10,6 +10,7 @@ import { randomUUID } from "node:crypto";
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { ImageContent } from "../agents/command/types.js";
 import type { ClientToolDefinition } from "../agents/pi-embedded-runner/run/params.js";
+import { isClientToolNameConflictError } from "../agents/pi-tool-definition-adapter.js";
 import { createDefaultDeps } from "../cli/deps.js";
 import { agentCommandFromIngress } from "../commands/agent.js";
 import type { GatewayHttpResponsesConfig } from "../config/types.gateway.js";
@ -533,6 +534,17 @@ export async function handleOpenResponsesHttpRequest(
      sendJson(res, 200, response);
    } catch (err) {
      logWarn(`openresponses: non-stream response failed: ${String(err)}`);
+      if (isClientToolNameConflictError(err)) {
+        const response = createResponseResource({
+          id: responseId,
+          model,
+          status: "failed",
+          output: [],
+          error: { code: "invalid_request_error", message: "invalid tool configuration" },
+        });
+        sendJson(res, 400, response);
+        return true;
+      }
      const response = createResponseResource({
        id: responseId,
        model,
@ -816,6 +828,24 @@ export async function handleOpenResponsesHttpRequest(
      }

      finalUsage = finalUsage ?? createEmptyUsage();
+      if (isClientToolNameConflictError(err)) {
+        const errorResponse = createResponseResource({
+          id: responseId,
+          model,
+          status: "failed",
+          output: [],
+          error: { code: "invalid_request_error", message: "invalid tool configuration" },
+          usage: finalUsage,
+        });
+
+        writeSseEvent(res, { type: "response.failed", response: errorResponse });
+        emitAgentEvent({
+          runId: responseId,
+          stream: "lifecycle",
+          data: { phase: "error" },
+        });
+        return;
+      }
      const errorResponse = createResponseResource({
        id: responseId,
        model,