🦞ClawTips
← Back to library

归档处理安全加固:限制上传/解压路径并过滤危险条目

解决文件上传与归档解压中的路径逃逸风险。前置:可升级 OpenClaw 到含 `fix(security): harden archive extraction` 的版本。步骤:先升级→在 staging 进行恶意样例回归→验证上传与下载路径约束→再发布。关键点:归档中 `../`、绝对路径等异常条目应被拒绝。验证:恶意样例无法写出允许目录。风险:自定义插件若绕过统一解压逻辑仍可能留有漏洞(需验证)。

GITHUBDiscovered 2026-02-14Author steipete
Prerequisites
  • Gateway host has a test/staging environment for safe validation.
  • You can run OpenClaw upgrade and inspect security-related logs.
Steps
  1. Upgrade to a revision that includes commit `3aa94af` (archive extraction hardening).
  2. Prepare malicious archive test cases (`../`, absolute path, weird filename controls).
  3. Run upload/extract flows in staging and confirm suspicious entries are rejected.
  4. Publish after successful regression and keep a rollback package ready.
Commands
openclaw gateway status
openclaw gateway restart
npm run build
Verify

Malicious archives fail safely and normal archives still process correctly after upgrade.

Caveats
  • Do not treat test-only pass as full security proof; continue runtime monitoring.
  • Exact behavior for third-party extraction hooks depends on integration path(需验证).
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.

Open original source ↗
Visit original post