
fix(security): OC-02 block sessions_spawn via HTTP gateway + fix ACP auto-approval#15390

Merged
steipete merged 2 commits into openclaw:main from aether-ai-agent:fix/oc-02-sessions-spawn-gateway-acp
Feb 13, 2026

Conversation


@aether-ai-agent aether-ai-agent commented Feb 13, 2026

Summary

  • Add DEFAULT_GATEWAY_HTTP_TOOL_DENY to block dangerous tools (sessions_spawn, sessions_send, gateway, whatsapp_login) from HTTP /tools/invoke endpoint
  • Fix ACP client requestPermission callback to require interactive confirmation for dangerous tools instead of auto-approving everything
  • Add gateway.tools.{allow,deny} config override for gateway deny list customization

Security Impact

OC-02 Critical RCE (CWE-78, CVSS 9.8) — Two attack vectors remediated:

  1. HTTP POST to /tools/invoke with tool=sessions_spawn could spawn agent sessions with full exec access
  2. ACP client auto-approved all permission requests including exec, fs_write, etc.

Changes

| File | Change |
| --- | --- |
| src/config/types.gateway.ts | Add GatewayToolsConfig type + tools field to GatewayConfig |
| src/gateway/tools-invoke-http.ts | Add deny list constant + filter after policy cascade |
| src/acp/client.ts | Replace auto-approve with danger-aware permission handler |
| src/gateway/tools-invoke-http.test.ts | Add 3 tests for gateway deny list |
| src/acp/client.test.ts | Add 4 structural tests for ACP permission logic |

Test plan

  • sessions_spawn returns 404 via HTTP gateway
  • sessions_send returns 404 via HTTP gateway
  • gateway tool returns 404 via HTTP gateway
  • agents_list still returns 200 (not denied)
  • ACP dangerous tools constant includes exec, sessions_spawn
  • ACP empty options returns deny
  • ACP permission logging uses stderr
  • ACP 30s timeout exists
  • All existing tests pass (12 gateway + 4 ACP = 16 total)

Greptile Overview

Greptile Summary

This PR hardens two security-sensitive surfaces:

  • Gateway HTTP POST /tools/invoke: adds a default deny list (sessions_spawn, sessions_send, gateway, whatsapp_login) that is applied after the existing multi-stage tool policy cascade, plus a gateway.tools.{deny,allow} config override for customizing that deny list.
  • ACP client: replaces unconditional auto-approval in requestPermission with a “dangerous tool” classifier and an interactive confirmation prompt (30s timeout), and moves permission-related logging to stderr to avoid protocol corruption.

Tests were added for the gateway deny behavior and for presence of the ACP permission logic (structural source checks).

Confidence Score: 4/5

  • This PR appears safe to merge and meaningfully reduces two high-impact security risks.
  • Code changes are narrow and targeted (HTTP deny list + ACP permission prompt) and include new tests around the gateway deny behavior. I did not find any definite functional regressions in the changed files. Confidence is reduced because this environment lacks node_modules/pnpm, so I could not verify ACP SDK semantics for hard-coded optionId fallbacks at runtime (only structural tests cover ACP changes).
  • src/acp/client.ts

Last reviewed commit: 1fd902d

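A compact model of the two guards described in the PR summary and in the Greptile summary above (the HTTP deny filter with its gateway.tools.{allow,deny} override, and the danger-aware ACP permission handler with empty-options deny and the 30s auto-deny). This is an added example written for this page, not OpenClaw's own code; the function names, the PermissionOption shape, and any dangerous tools beyond exec and sessions_spawn are assumptions.

```typescript
// Added example, not OpenClaw's code; function names, the PermissionOption shape and
// dangerous tools other than exec/sessions_spawn are assumptions.
const DEFAULT_GATEWAY_HTTP_TOOL_DENY = ["sessions_spawn", "sessions_send", "gateway", "whatsapp_login"];
type GatewayToolsConfig = { allow?: string[]; deny?: string[] };

// Effective HTTP deny set: defaults plus gateway.tools.deny, minus gateway.tools.allow.
function resolveGatewayDeny(cfg?: GatewayToolsConfig): Set<string> {
  const deny = new Set<string>([...DEFAULT_GATEWAY_HTTP_TOOL_DENY, ...(cfg?.deny ?? [])]);
  for (const name of cfg?.allow ?? []) deny.delete(name);
  return deny;
}

// Runs after the policy cascade and before tool lookup: a denied tool answers with the
// same 404 an unknown tool gets, so POST /tools/invoke cannot reach it.
function gatewayInvokeStatus(tool: string, cfg?: GatewayToolsConfig): number {
  return resolveGatewayDeny(cfg).has(tool) ? 404 : 200;
}

// ACP side: tools that must never be auto-approved (only exec and sessions_spawn are confirmed by the PR).
const ACP_DANGEROUS_TOOLS = new Set(["exec", "sessions_spawn", "sessions_send", "fs_write", "gateway"]);
type PermissionOption = { optionId: string; kind: "allow_once" | "allow_always" | "reject_once" | "reject_always" };
type PermissionDecision =
  | { action: "deny"; optionId: null }
  | { action: "allow"; optionId: string | null }
  | { action: "ask"; allowId: string | null; rejectId: string | null };

// Synchronous policy: empty options deny, safe tools keep auto-approve, dangerous tools ask.
function classifyPermission(tool: string, options: PermissionOption[]): PermissionDecision {
  if (options.length === 0) return { action: "deny", optionId: null };
  const allowId = options.find(o => o.kind.startsWith("allow"))?.optionId ?? null;
  const rejectId = options.find(o => o.kind.startsWith("reject"))?.optionId ?? null;
  if (!ACP_DANGEROUS_TOOLS.has(tool)) return { action: "allow", optionId: allowId };
  return { action: "ask", allowId, rejectId };
}

// Interactive confirmation with the 30s auto-deny; `confirm` stands in for the prompt.
async function requestPermission(
  tool: string, options: PermissionOption[], confirm: () => Promise<boolean>, timeoutMs = 30_000,
): Promise<string | null> {
  const decision = classifyPermission(tool, options);
  if (decision.action !== "ask") return decision.optionId;
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timedOut = new Promise<boolean>(resolve => { timer = setTimeout(() => resolve(false), timeoutMs); });
  try {
    return (await Promise.race([confirm(), timedOut])) ? decision.allowId : decision.rejectId;
  } finally {
    clearTimeout(timer);
  }
}
```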

@openclaw-barnacle openclaw-barnacle bot added gateway Gateway runtime size: M labels Feb 13, 2026
@HenryLoenwind
Contributor

Why are you denying the admin tool to do admin things? The HTTP endpoints are not a public or third-party facing API. They are behind an "owner-level" access control.

@steipete steipete self-assigned this Feb 13, 2026
steipete added a commit to aether-ai-agent/openclaw that referenced this pull request Feb 13, 2026
@steipete steipete force-pushed the fix/oc-02-sessions-spawn-gateway-acp branch from 1fd902d to 4c257a0 Compare February 13, 2026 13:29
aether-ai-agent and others added 2 commits February 13, 2026 14:29
…to-approval (OC-02)

Two critical RCE vectors patched:

Vector 1 - Gateway HTTP /tools/invoke:
- Add DEFAULT_GATEWAY_HTTP_TOOL_DENY blocking sessions_spawn,
  sessions_send, gateway, whatsapp_login from HTTP invocation
- Apply deny filter after existing policy cascade, before tool lookup
- Add gateway.tools.{allow,deny} config override in GatewayConfig

Vector 2 - ACP client auto-approval:
- Replace blind allow_once selection with danger-aware permission handler
- Dangerous tools (exec, sessions_spawn, etc.) require interactive confirmation
- Safe tools retain auto-approve behavior (backward compatible)
- Empty options array now denied (was hardcoded "allow")
- 30s timeout auto-denies to prevent hung sessions

CWE-78 | CVSS:3.1 9.8 Critical
@steipete steipete force-pushed the fix/oc-02-sessions-spawn-gateway-acp branch from 4c257a0 to 045cdbc Compare February 13, 2026 13:29
@steipete steipete merged commit ee31cd4 into openclaw:main Feb 13, 2026
3 checks passed
@steipete
Contributor

Landed via temp rebase onto main.

  • Gate: pnpm check && pnpm build && pnpm test
  • Land commit: 045cdbc
  • Merge commit: ee31cd4

Thanks @aether-ai-agent!

@openclaw-barnacle openclaw-barnacle bot added the docs Improvements or additions to documentation label Feb 13, 2026
alex-muradov pushed a commit to alex-muradov/openclaw that referenced this pull request Feb 13, 2026
zhangyang-crazy-one pushed a commit to zhangyang-crazy-one/openclaw that referenced this pull request Feb 13, 2026
skyhawk14 pushed a commit to skyhawk14/openclaw that referenced this pull request Feb 13, 2026
GwonHyeok pushed a commit to learners-superpumped/openclaw that referenced this pull request Feb 15, 2026
cloud-neutral pushed a commit to cloud-neutral-toolkit/openclawbot.svc.plus that referenced this pull request Feb 15, 2026
jiulingyun added a commit to jiulingyun/openclaw-cn that referenced this pull request Feb 15, 2026