Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
openclaw/src/gateway/server
History
Robin Waslander ebed3bbde1
fix(gateway): enforce browser origin check regardless of proxy headers 
In trusted-proxy mode, enforceOriginCheckForAnyClient was set to false
whenever proxy headers were present. This allowed browser-originated
WebSocket connections from untrusted origins to bypass origin validation
entirely, as the check only ran for control-ui and webchat client types.

An attacker serving a page from an untrusted origin could connect through
a trusted reverse proxy, inherit proxy-injected identity, and obtain
operator.admin access via the sharedAuthOk / roleCanSkipDeviceIdentity
path without any origin restriction.

Remove the hasProxyHeaders exemption so origin validation runs for all
browser-originated connections regardless of how the request arrived.

Fixes GHSA-5wcw-8jjv-m286
2026-03-12 01:16:52 +01:00
..
__tests__
refactor(gateway): hard-break plugin wildcard http handlers
2026-03-02 16:24:06 +00:00
plugins-http
fix(gateway): harden plugin HTTP route auth
2026-03-07 19:55:06 +00:00
ws-connection
fix(gateway): enforce browser origin check regardless of proxy headers
2026-03-12 01:16:52 +01:00
close-reason.ts
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
health-state.ts
fix: resolve live config paths in status and gateway metadata (#39952)
2026-03-08 09:59:32 -05:00
hooks.ts
Cron: enforce cron-owned delivery contract (#40998)
2026-03-09 20:12:37 +01:00
http-auth.ts
refactor(shared): extract reused path and normalization helpers
2026-03-02 05:20:19 +00:00
http-listen.test.ts
fix(gateway): synthesize lifecycle robustness for restart and startup probes (#33831)
2026-03-03 21:31:12 -06:00
http-listen.ts
fix(gateway): synthesize lifecycle robustness for restart and startup probes (#33831)
2026-03-03 21:31:12 -06:00
plugins-http.test.ts
fix(gateway): propagate real gateway client into plugin subagent runtime
2026-03-11 14:17:01 +01:00
plugins-http.ts
fix(gateway): propagate real gateway client into plugin subagent runtime
2026-03-11 14:17:01 +01:00
presence-events.test.ts
refactor: centralize presence routing and version precedence coverage (#19609)
2026-02-18 00:02:51 -05:00
presence-events.ts
refactor: centralize presence routing and version precedence coverage (#19609)
2026-02-18 00:02:51 -05:00
readiness.test.ts
refactor(gateway): dedupe readiness healthy snapshot fixtures
2026-03-07 17:58:31 +00:00
readiness.ts
fix(gateway): skip stale-socket restarts for Telegram polling (openclaw#38405)
2026-03-07 00:20:34 -06:00
tls.ts
fix: stabilize gateway ws + iOS
2026-01-19 10:09:04 +00:00
ws-connection.ts
refactor(shared): dedupe protocol schema typing and session/media helpers
2026-03-02 19:57:33 +00:00
ws-types.ts
feat(gateway): add node canvas capability refresh flow
2026-02-27 12:16:36 +05:30