… repo hygiene, test cleanup (#13)

Security fixes (3 critical, 3 high):
- C1: Command injection in intelligent-commit-batcher.ts — replaced exec() string interpolation with spawn()-based runCommandSafe() for git add/commit operations
- C2: Auth bypass on /logs endpoint in cli/server.ts — added requireAuth middleware
- C3: Timing attack on API key validation in openclaw/api-server.ts — use crypto.timingSafeEqual for constant-time comparison
- H1: Rate limiter memory leak in security-middleware.ts — added TTL eviction via setInterval to prevent unbounded Map growth
- H3: Path traversal in server-config-registry.ts — validate serverName rejects path traversal characters (.., /, \\, null bytes)
- H5: Path traversal in test-auto-creation-processor.ts — validate resolved path stays within expected directory

Code quality:
- H6: CORS wildcard + API key CSRF risk — restrict origins to localhost when apiKey is configured in openclaw API server
- M5: Replace placeholder secrets with empty strings in openclaw sample config

Repo hygiene:
- Untrack dist/ (33 files), logs/reports/ (14 files), ci-test-env/ (133 files), performance-baselines.json from git — all were gitignored but still tracked
- Fix enforcer-config.json framework version (1.0.0 → 1.15.18)
- Add context-ses*.json, ci-test-env/ to .gitignore

Test cleanup (27 files deleted, ~6,300 lines removed):
- Delete empty/stub test files: test-integration.ts, test-processor.ts, marketplace.test.ts.skip
- Delete non-vitest ad-hoc test scripts never run by npm test (6 files)
- Delete backup files: .bak2, .backup
- Delete entire scripts/archived/ directory (12 obsolete files)
- Delete stale report .md files from scripts/ (7 files)
- Fix broken vitest config refs: integration-setup.ts, security-setup.ts → setup.ts

Version: 1.15.18
Tests: 2399 pass, 0 failures, 0 TS errors
htafolla added a commit that referenced this pull request Apr 2, 2026
- Add validators for terms #12, #19, #16, #3, #13 (early returns, small functions, DRY, over-engineering, error boundaries)
- Wire processor-pipeline MCP to use CodexLoader for richer validation
- Fix orchestrator config loading and conflict resolution wiring
- Total 16 active validators now (was 11)
htafolla added a commit that referenced this pull request Apr 2, 2026
Summary
Comprehensive security audit and codebase cleanup addressing 3 critical, 3 high, and multiple medium-severity issues discovered during post-merge review.
Security Fixes
Critical
- intelligent-commit-batcher.ts used exec() with string interpolation for git operations. Added runCommandSafe() using spawn() with args array, eliminating shell metacharacter interpretation entirely.
- /logs endpoint in cli/server.ts was not wrapped in requireAuth middleware while all other API routes were protected. Fixed.
- openclaw/api-server.ts used === comparison. Now uses crypto.timingSafeEqual for constant-time comparison.
High
- security-middleware.ts created a Map that never evicted stale IP entries. Added periodic TTL eviction via setInterval.
- createDynamicConfig() in server-config-registry.ts interpolated serverName into file paths without validation. Now rejects path traversal characters.
- test-auto-creation-processor.ts wrote test files without validating paths stayed within expected directory. Added path resolution check.
- Access-Control-Allow-Origin: * with API key auth. Now restricts to localhost origins when apiKey is configured.
Code Quality
- req: any, res: any types to proper Request, Response types in CLI server
Repo Hygiene
- dist/ (33 files), logs/reports/ (14), ci-test-env/ (133), performance-baselines.json
- enforcer-config.json framework version (1.0.0 → 1.15.18)
- context-ses*.json, ci-test-env/ to .gitignore
Test Cleanup (27 files deleted, ~6,300 lines removed)
- npm test
- scripts/archived/ directory (12 obsolete files)
- scripts/
Verification
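The spawn()-with-args-array fix described for intelligent-commit-batcher.ts, as an added example that is not the project's code. The name runCommandSafe comes from the PR description, but its body here, the helpers gitAddArgs, gitCommitArgs and echoArgv, and the use of spawnSync (so the result can be checked synchronously) are assumptions.

```typescript
import { spawnSync } from "node:child_process";

interface CommandResult {
  status: number | null;
  stdout: string;
  stderr: string;
}

// Hypothetical stand-in for the PR's runCommandSafe(); the real body is not on this page.
// Arguments travel as an argv array and no shell is started, so ; | && $() and
// backticks reach the child process as ordinary bytes.
function runCommandSafe(command: string, args: string[], cwd?: string): CommandResult {
  const result = spawnSync(command, args, {
    cwd,
    shell: false, // never hand the arguments to /bin/sh or cmd.exe
    encoding: "utf8",
    timeout: 10_000,
  });
  if (result.error) throw result.error; // e.g. ENOENT, or the timeout firing
  return { status: result.status, stdout: result.stdout, stderr: result.stderr };
}

// "--" ends git's option parsing, so a file named "--force" is treated as a path.
function gitAddArgs(files: string[]): string[] {
  return ["add", "--", ...files];
}

// The commit message is one argv element, whatever characters it contains.
function gitCommitArgs(message: string): string[] {
  return ["commit", "-m", message];
}

// Constructed check: a child Node process reports the argv it received as JSON,
// which shows what git would see without needing a repository.
function echoArgv(args: string[]): string[] {
  const script = "process.stdout.write(JSON.stringify(process.argv.slice(1)))";
  const { stdout } = runCommandSafe(process.execPath, ["-e", script, "--", ...args]);
  return JSON.parse(stdout) as string[];
}
```
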
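The constant-time API key comparison described for openclaw/api-server.ts, as an added example that is not the project's code. The function names are assumptions, as is the choice to hash both values first so that keys of different lengths can be compared without an exception.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// crypto.timingSafeEqual throws when its two buffers differ in length, and a
// length check placed before it would reveal the key length through timing.
// Hashing both sides gives equal-length inputs for any presented value.
function sha256(value: string): Buffer {
  return createHash("sha256").update(value, "utf8").digest();
}

// Compare a presented API key with the configured one in constant time.
// `presented` is typed unknown because a request header may be missing or
// repeated (string | string[] | undefined in Node's http types).
function apiKeyMatches(presented: unknown, expected: string): boolean {
  // Fail closed: a non-string header never matches, and an empty configured
  // key (for example an unfilled sample config) authenticates nobody.
  if (typeof presented !== "string" || expected.length === 0) {
    return false;
  }
  return timingSafeEqual(sha256(presented), sha256(expected));
}
```
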
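The two path traversal fixes (rejecting traversal characters in serverName, and checking that a resolved path stays within the expected directory), as an added example that is not the project's code. The function names, the `.json` suffix and the sample directories are assumptions.

```typescript
import * as path from "node:path";

// Reject the characters the PR lists for serverName: "..", "/", "\" and NUL.
function isSafeServerName(serverName: string): boolean {
  if (serverName.length === 0) return false;
  return !(
    serverName.includes("..") ||
    serverName.includes("/") ||
    serverName.includes("\\") ||
    serverName.includes("\0")
  );
}

// Resolve `candidate` against `baseDir` and return the absolute path only when
// it is strictly inside baseDir; otherwise return null.
function resolveInside(baseDir: string, candidate: string): string | null {
  if (candidate.includes("\0")) return null;
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, candidate);
  // path.relative is used instead of a string prefix test, because
  // "/srv/app/tests-evil" starts with "/srv/app/tests" but is a sibling.
  const rel = path.relative(base, resolved);
  const escapes =
    rel === "" || // the base directory itself is not a file inside it
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel); // different drive on Windows
  return escapes ? null : resolved;
}

// Both checks together: validate the name, then confirm containment.
// The ".json" suffix is a hypothetical naming scheme.
function configPathFor(configDir: string, serverName: string): string | null {
  return isSafeServerName(serverName)
    ? resolveInside(configDir, `${serverName}.json`)
    : null;
}
```

path.resolve works on the path string only and does not follow symlinks; where the target tree can contain symlinks, compare the results of fs.realpathSync on both sides instead.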