Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(exec): only set security=full when elevated mode is full #1616

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
steipete merged 1 commit into from
Jan 24, 2026
Merged

fix(exec): only set security=full when elevated mode is full #1616

steipete merged 1 commit into from
Jan 24, 2026

Conversation

@ivancasco
Copy link
Contributor

@ivancasco ivancasco commented Jan 24, 2026

fix(exec): only set security=full when elevated mode is full

Problem

When using elevated ASK mode, the exec approval flow was being bypassed entirely. Commands like crontab that weren't on the allowlist would run without requiring approval.

Root Cause

In bash-tools.exec.ts line 794:

if (elevatedRequested) {
  security = "full";
}

This set security = "full" for all elevated modes (ASK and FULL), not just FULL mode.

Since requiresExecApproval() only requires approval when security === "allowlist":

return (
  params.ask === "always" ||
  (params.ask === "on-miss" &&
    params.security === "allowlist" &&  // <-- "full" ≠ "allowlist"
    (!params.analysisOk || !params.allowlistSatisfied))
);

The approval check was always skipped in ASK mode because security was "full" instead of "allowlist".

Fix

Only set security = "full" when elevatedMode === "full":

if (elevatedRequested && elevatedMode === "full") {
  security = "full";
}

This allows ASK mode to properly enforce the approval flow for non-allowlisted commands.

Testing

  • Build passes (npm run build)
  • Verified the logic flow through code review

steipete added a commit that referenced this pull request Jan 24, 2026
@steipete
fix: keep approvals for elevated ask (#1616) (thanks @ivancasco)
a482845
@steipete steipete merged commit fe7436a into openclaw:main Jan 24, 2026
21 of 22 checks passed
@steipete
Copy link
Contributor

steipete commented Jan 24, 2026

Landed via temp rebase onto main.\n\n- Gate: pnpm lint && pnpm build && pnpm test\n- Land commit: fe7436a\n- Merge commit: fe7436a\n\nThanks @ivancasco!

@steipete steipete mentioned this pull request Jan 24, 2026
Merged
mcinteerj pushed a commit to mcinteerj/moltbot that referenced this pull request Jan 25, 2026
@ivancasco
fix(exec): only set security=full when elevated mode is full (opencla…
656f00e 
…w#1616)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ivancasco @steipete