SecretRef: harden custom/provider secret persistence and reuse#42554
Merged
SecretRef: harden custom/provider secret persistence and reuse#42554
Conversation
🔒 Aisle Security AnalysisWe found 1 potential security issue(s) in this PR:
1. 🟠 models.json env-var marker allows exfiltration of host environment tokens to arbitrary provider baseUrl (confused deputy)
DescriptionThe new If an attacker can influence
The protection is only an allowlist ( Vulnerable code: if (!isKnownEnvApiKeyMarker(customKey)) {
return null;
}
const envValue = normalizeOptionalSecretInput((params.env ?? process.env)[customKey]);
...
return { apiKey: envValue, ... };RecommendationDo not allow Mitigations (pick one or combine):
// models.json
// apiKey: "env:OPENAI_API_KEY"
function parseEnvMarker(value: string): string | null {
const trimmed = value.trim();
if (!trimmed.startsWith("env:")) return null;
return trimmed.slice("env:".length).trim();
}
These changes prevent a config-only attacker from turning an existing environment secret into an outbound credential for an attacker-controlled endpoint. Analyzed PR: #42554 at commit Last updated on: 2026-03-11T00:20:25Z |
openclaw-barnacle
bot
added
commands
Contributor
Greptile SummaryThis PR hardens SecretRef handling across custom/provider model credentials by centralising "usable credential" vs. "configured marker" semantics, projecting runtime configs onto the source snapshot before writes, preventing stale plaintext preservation during merges, stripping SecretRef marker headers before runtime use, and extending audit scan coverage to env-var-overridden agent directories. The changes are well-structured and backed by comprehensive test coverage. Key changes and observations:
Confidence Score: 4/5
Last reviewed commit: bb04ed0 |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
openclaw-barnacle
bot
added
channel: bluebubbles
Contributor
Author
|
Addressed from the Aisle feedback:
For item 1 (custom-provider env marker exfil path): I did not change marker resolution behavior in this PR. That path currently relies on trusted-operator config semantics and existing compatibility (custom endpoints/proxies that intentionally use env markers). Tightening it here would break existing valid configs and is broader than this regression-hardening scope. |
joshavant
force-pushed
the
feature/secretref-regression-hardening
branch
from
703b91c to
d6520b2
Compare
Contributor
Author
|
Landed via temp rebase onto main. Thanks @joshavant! |
This was referenced Mar 10, 2026
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d6520b20c5
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Comment on lines
+102
to
+103
| const stats = fs.statSync(filePath); | ||
| if (options.requireRegularFile && !stats.isFile()) { |
There was a problem hiding this comment.
When requireRegularFile is enabled, this guard uses fs.statSync, which follows symlinks. A symlinked models.json can therefore satisfy stats.isFile() and still be read, even though the caller explicitly asked to reject non-regular files. In writable state/agent directories this bypasses the hardening added in this commit and can make the audit scan arbitrary link targets; use lstatSync (or an O_NOFOLLOW open) for this check.
Useful? React with 👍 / 👎.
steipete
pushed a commit
that referenced
this pull request
Mar 10, 2026
* Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (#42554) (thanks @joshavant)
gumadeiras
pushed a commit
to BillChirico/openclaw
that referenced
this pull request
Mar 11, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
5 tasks
centminmod
added a commit
to centminmod/clawdbot
that referenced
this pull request
Mar 11, 2026
- Diamond-merge variant of PR openclaw#42554 (fbc6632 = 36d2ae2 variant) - SecretRef custom/provider secret persistence hardening: resolveUsableCustomProviderApiKey(), shouldPreserveExistingApiKey(), readJsonObjectIfExists() size/type guards (5MB cap + requireRegularFile), projectConfigOntoRuntimeSourceSnapshot() shape guard, sanitizeModelHeaders() marker stripping, active agent dir scanning - Audit 1 Claims 1+5 partial + 3 new defense-in-depth controls; 3 gaps unchanged
frankekn
pushed a commit
to MoerAI/openclaw
that referenced
this pull request
Mar 11, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
frankekn
pushed a commit
to Effet/openclaw
that referenced
this pull request
Mar 11, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
frankekn
pushed a commit
to ImLukeF/openclaw
that referenced
this pull request
Mar 11, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
Treedy2020
pushed a commit
to Treedy2020/openclaw
that referenced
this pull request
Mar 11, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
dhoman
pushed a commit
to dhoman/chrono-claw
that referenced
this pull request
Mar 11, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
ahelpercn
pushed a commit
to ahelpercn/openclaw
that referenced
this pull request
Mar 12, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
Ruijie-Ysp
pushed a commit
to Ruijie-Ysp/clawdbot
that referenced
this pull request
Mar 12, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
leozhengliu-pixel
pushed a commit
to leozhengliu-pixel/openclaw
that referenced
this pull request
Mar 13, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
Interstellar-code
pushed a commit
to Interstellar-code/operator1
that referenced
this pull request
Mar 16, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant) (cherry picked from commit 36d2ae2)
Interstellar-code
pushed a commit
to Interstellar-code/operator1
that referenced
this pull request
Mar 16, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant) (cherry picked from commit 36d2ae2)
senw-developers
pushed a commit
to senw-developers/va-openclaw
that referenced
this pull request
Mar 17, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 23, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant) (cherry picked from commit fbc6632)
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 23, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant) (cherry picked from commit fbc6632)
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 28, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant) (cherry picked from commit fbc6632) # Conflicts: # CHANGELOG.md # extensions/googlechat/src/onboarding.ts # extensions/nextcloud-talk/src/onboarding.ts # src/agents/model-auth-label.test.ts # src/agents/model-auth-label.ts # src/agents/model-auth-markers.test.ts # src/agents/model-auth-markers.ts # src/agents/model-auth.test.ts # src/agents/model-auth.ts # src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts # src/agents/models-config.merge.test.ts # src/agents/models-config.merge.ts # src/agents/models-config.providers.normalize-keys.test.ts # src/agents/models-config.providers.ts # src/agents/models-config.runtime-source-snapshot.test.ts # src/agents/models-config.ts # src/agents/pi-embedded-runner/model.test.ts # src/agents/pi-embedded-runner/model.ts # src/auto-reply/reply/directive-handling.auth.test.ts # src/auto-reply/reply/directive-handling.auth.ts # src/commands/auth-choice.model-check.ts # src/commands/model-picker.test.ts # src/commands/model-picker.ts # src/commands/models.list.e2e.test.ts # src/commands/models/list.auth-overview.test.ts # src/commands/models/list.auth-overview.ts # src/commands/models/list.probe.ts # src/commands/models/list.registry.ts # src/commands/models/list.status.test.ts # src/config/config.ts # src/config/io.runtime-snapshot-write.test.ts # src/config/io.ts # src/infra/provider-usage.auth.ts # src/secrets/audit.test.ts # src/secrets/audit.ts # src/secrets/storage-scan.ts
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 28, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant) (cherry picked from commit fbc6632) # Conflicts: # src/agents/model-auth-label.test.ts # src/agents/model-auth-label.ts # src/agents/model-auth-markers.test.ts # src/agents/model-auth-markers.ts # src/agents/model-auth.test.ts # src/agents/models-config.fills-missing-provider-apikey-from-env-var.test.ts # src/agents/models-config.merge.test.ts # src/agents/models-config.merge.ts # src/agents/models-config.providers.normalize-keys.test.ts # src/agents/models-config.providers.ts # src/agents/models-config.runtime-source-snapshot.test.ts # src/agents/models-config.ts # src/agents/pi-embedded-runner/model.test.ts # src/agents/pi-embedded-runner/model.ts # src/auto-reply/reply/directive-handling.auth.test.ts # src/auto-reply/reply/directive-handling.auth.ts # src/commands/auth-choice.model-check.ts # src/commands/model-picker.ts # src/commands/models.list.e2e.test.ts # src/commands/models/list.auth-overview.test.ts # src/commands/models/list.auth-overview.ts # src/commands/models/list.probe.ts # src/commands/models/list.registry.ts # src/commands/models/list.status.test.ts # src/config/io.runtime-snapshot-write.test.ts # src/secrets/audit.test.ts # src/secrets/audit.ts # src/secrets/storage-scan.ts
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Apr 4, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Apr 4, 2026
…law#42554) * Models: gate custom provider keys by usable secret semantics * Config: project runtime writes onto source snapshot * Models: prevent stale apiKey preservation for marker-managed providers * Runner: strip SecretRef marker headers from resolved models * Secrets: scan active agent models.json path in audit * Config: guard runtime-source projection for unrelated configs * Extensions: fix onboarding type errors in CI * Tests: align setup helper account-enabled expectation * Secrets audit: harden models.json file reads * fix: harden SecretRef custom/provider secret persistence (openclaw#42554) (thanks @joshavant)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR hardens SecretRef handling for custom/provider model credentials so secrets are not persisted or reused unsafely across runtime, models.json generation, merge behavior, and audit scans.
It preserves the project goals of:
Problem Surface Addressed
This directly addresses the cluster: custom/provider secrets are persisted or reused unsafely (plaintext or marker leakage).
Main risks covered:
What Changed
1) Usable custom-key semantics centralized and propagated
configured markervsusable secretbehavior.2) Runtime-to-source snapshot projection for models.json writes
3) Merge/provenance hardening for provider apiKey preservation
existing.apiKeywhen the next entry is marker-managed.4) Runtime marker firewall for headers
secretref-managed/secretref-env:*) in inline/provider/fallback model header resolution paths before runtime use.5) Audit coverage hardening
OPENCLAW_AGENT_DIR/PI_CODING_AGENT_DIRoverride paths.Validation
pnpm testpassed (886test files,7241passed,2skipped).pnpm buildandpnpm checkpassed.fails fast at startup when selected web search provider ref is unresolvedkeeps last-known-good runtime snapshot active when refresh fails after a writekeeps last-known-good web runtime snapshot when reload introduces unresolved active web refsLinked Issues / PRs
Fixes #39823
Fixes #42355
Related prior work and superseded proposals: