mirror of
https://github.com/yuangyaa/openclaw.git
synced 2026-07-15 19:51:57 +08:00
* security(hooks): block prototype-chain traversal in webhook template getByPath The getByPath() function in hooks-mapping.ts traverses attacker-controlled webhook payload data using arbitrary property path expressions, but does not filter dangerous property names (__proto__, constructor, prototype). The config-paths module (config-paths.ts) already blocks these exact keys for config path traversal via a BLOCKED_KEYS set, but the hooks template system was not protected with the same guard. Add a BLOCKED_PATH_KEYS set mirroring config-paths.ts and reject traversal into __proto__, prototype, or constructor in getByPath(). Add three test cases covering all three blocked keys. Signed-off-by: Alan Ross <alan@sleuthco.ai> * test(gateway): narrow hook action type in prototype-pollution tests * changelog: credit hooks prototype-path guard in PR 22213 * changelog: move hooks prototype-path fix into security section --------- Signed-off-by: Alan Ross <alan@sleuthco.ai> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>