security(web): sanitize WhatsApp accountId to prevent path traversal #4610

Merged
steipete merged 3 commits into openclaw:main from leszekszpunar:fix/2692-whatsapp-accountid-path-traversal
Feb 1, 2026

@leszekszpunar
Contributor

Summary

  • Sanitize WhatsApp accountId in resolveDefaultAuthDir() to prevent path traversal via malicious config values (e.g. ../../../etc)
  • Reuse existing normalizeAccountId() from src/routing/session-key.ts which strips all characters except [a-z0-9_-]
  • Add unit tests covering traversal, special characters, empty and valid inputs

Problem

resolveDefaultAuthDir() in src/web/accounts.ts passes the accountId parameter directly to path.join() without sanitization. A malicious config with accountId: "../../../etc" escapes the intended directory structure. Risk increases in multi-user deployments, shared configs, and plugin systems.

Solution

Import and apply normalizeAccountId() (already exported from routing/session-key.ts) which:

  • Strips all non-alphanumeric characters except _ and -
  • Falls back to "default" for empty values
  • Caps length at 64 characters

This follows the same defense-in-depth pattern already used by Telegram (src/telegram/update-offset-store.ts).

Test plan

  • pnpm lint -- 0 warnings, 0 errors
  • pnpm format -- all files formatted correctly
  • pnpm build -- TypeScript compiles without errors
  • pnpm vitest run src/web/accounts.test.ts -- 4/4 tests pass
    • Path traversal ../../../etc/passwd is sanitized
    • Special characters / and \ are stripped
    • Empty accountId falls back to "default"
    • Valid accountId my-account-1 is preserved

AI Assistance Disclosure

This PR was AI-assisted. Fix follows existing codebase patterns. Human reviewed.

Fixes #2692
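
The before/after behaviour described in this PR, as an added JavaScript sketch that is not part of the PR or the OpenClaw code base. `sanitizeAccountId`, `authDirUnsafe`, `authDirSafe`, `escapesBase` and the base path are hypothetical stand-ins that follow the three properties listed above; the lowercasing step and the containment check are assumptions added here.

```javascript
// Added example, not OpenClaw code. All names and paths are hypothetical.
const path = require("path").posix; // posix flavour: same results on every OS

const BASE = "/srv/app/credentials/whatsapp"; // constructed base directory

// Stand-in for the behaviour the PR attributes to normalizeAccountId():
// keep only [a-z0-9_-], cap at 64 characters, fall back to "default".
function sanitizeAccountId(raw) {
  const cleaned = String(raw ?? "")
    .toLowerCase() // assumption: fold case before filtering
    .replace(/[^a-z0-9_-]/g, "")
    .slice(0, 64);
  return cleaned || "default";
}

// True when dir resolves to a location outside BASE.
function escapesBase(dir) {
  const rel = path.relative(BASE, dir);
  return rel === ".." || rel.startsWith("../");
}

// "Before": the config value goes straight into path.join(),
// which resolves ".." segments and lets the result climb out of BASE.
function authDirUnsafe(accountId) {
  return path.join(BASE, accountId);
}

// "After": sanitize the segment, then verify containment as a second layer
// in case the sanitizer is ever loosened.
function authDirSafe(accountId) {
  const dir = path.join(BASE, sanitizeAccountId(accountId));
  if (dir === BASE || escapesBase(dir)) {
    throw new Error(`auth dir is not inside base: ${dir}`);
  }
  return dir;
}
```

Stripping is lossy: in this sketch distinct inputs such as `a/b` and `ab` map to the same directory, so two differently configured accounts can end up sharing one auth dir.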

@openclaw-barnacle (bot) added the channel: whatsapp-web label Jan 30, 2026
Apply normalizeAccountId() from routing/session-key to
resolveDefaultAuthDir() so that malicious config values like
"../../../etc" cannot escape the intended auth directory.

Fixes openclaw#2692
@leszekszpunar force-pushed the fix/2692-whatsapp-accountid-path-traversal branch from 641c64b to 84044e5 on February 1, 2026 10:43
@steipete self-assigned this Feb 1, 2026
@steipete merged commit 1bdd9e3 into openclaw:main Feb 1, 2026
19 of 23 checks passed
@steipete
Contributor

steipete commented Feb 1, 2026

Landed via temp rebase onto main.

- Gate: pnpm lint && pnpm build && pnpm test
- Land commit: 758ec03
- Merge commit: 1bdd9e3

Thanks @leszekszpunar!

bennewton999 pushed a commit to bennewton999/openclaw that referenced this pull request Feb 2, 2026
…penclaw#4610)

* security(web): sanitize WhatsApp accountId to prevent path traversal

Apply normalizeAccountId() from routing/session-key to
resolveDefaultAuthDir() so that malicious config values like
"../../../etc" cannot escape the intended auth directory.

Fixes openclaw#2692

* fix(web): check sanitized segment instead of full path in Windows test

* style(web): fix oxfmt formatting in accounts test
buiilding pushed a commit to buiilding/openclaw that referenced this pull request Feb 2, 2026
claudio-neo pushed a commit to claudio-neo/openclaw that referenced this pull request Feb 3, 2026
HashWarlock pushed a commit to HashWarlock/openclaw that referenced this pull request Feb 4, 2026
psytz123 pushed a commit to psytz123/openclaw that referenced this pull request Feb 5, 2026
## Security Updates Incorporated (283 commits)

### Critical Security Fixes:
1. **Security: owner-only tools + command auth hardening** (openclaw#9202)
2. **Security: harden sandboxed media handling** (openclaw#9182)
3. **Security: Prevent gateway credential exfiltration via URL override** (openclaw#9179)
4. **fix: infer --auth-choice from API key flags during non-interactive onboarding** (openclaw#9241)
5. **fix: enforce owner allowlist for commands**
6. **Telegram: remove @ts-nocheck from bot.ts, fix duplicate error handler, harden sticker caching** (openclaw#9077)
7. **fix(imessage): detect self-chat echoes to prevent infinite loops** (openclaw#8680)
8. **fix(imessage): unify timeout configuration with configurable probeTimeoutMs**
9. **security(web): sanitize WhatsApp accountId to prevent path traversal** (openclaw#4610)
10. **fix: harden whatsapp command auth**

### WhatsApp Security Enhancements:
- WhatsApp login guard security improvements
- LID mention detection hardening
- Contact cards security fixes
- Ack reaction logic improvements
- Media max size configurable limits
- Group allowlist normalization

### Authentication & Authorization:
- Owner allowlist enforcement
- Command auth hardening
- API key flag inference
- Gateway credential protection
- Sandboxed media handling security

### Channel-Specific Security:
- **Telegram**: Sticker caching hardening, forward metadata fixes
- **iMessage**: Echo loop prevention, timeout configuration
- **Signal**: Typing receipt security
- **Slack**: Media download security
- **Matrix**: Room security improvements

### New Features with Security:
- **Feishu channel support** (new secure channel)
- **Per-channel responsePrefix override**
- **Cloudflare AI Gateway provider**
- **Discord presence monitoring**
- **Enhanced cron delivery security**

## Dashboard v2.0 Preserved:
- ✅ Kanban CRUD operations (create/update/delete)
- ✅ Swarm agent management (spawn/kill/view output)
- ✅ 3 new autonomy tabs (nightworker, selfimprove, proactive)
- ✅ Server-side RPC handlers for new features
- ✅ CSS architecture for autonomy system
- ✅ Complete dashboard audit with persistence

## Merge Strategy:
- **Kept OURS**: Dashboard UI files (app-render.ts, app-settings.ts, app.ts, navigation.ts, etc.)
- **Took THEIRS**: Security fixes in core files (pi-tool-definition-adapter.ts)
- **Resolved conflicts**: Prioritized security updates where no dashboard functionality impacted

## Version: v2026.2.3-security-dashboard-v2
- Base: Upstream v2026.2.3
- Enhanced: Dashboard v2.0 autonomy system
- Security: All critical upstream security patches
uxcu pushed a commit to uxcu/kook-openclaw that referenced this pull request Feb 5, 2026
bestNiu pushed a commit to bestNiu/clawdbot that referenced this pull request Feb 5, 2026
batao9 pushed a commit to batao9/openclaw that referenced this pull request Feb 7, 2026
hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request Feb 8, 2026

(cherry picked from commit 1bdd9e3)

# Conflicts:
#	src/web/accounts.ts
battman21 pushed a commit to battman21/openclaw that referenced this pull request Feb 12, 2026
jamie-dit pushed a commit to jamie-dit/zulip-claw that referenced this pull request Feb 20, 2026

Development

Successfully merging this pull request may close these issues.

[Security] WhatsApp accountId path traversal in resolveDefaultAuthDir
