fix: post-merge fixes for PRs mksglu#183, mksglu#190, mksglu#192

mksglu · claude · mksglu · commit 2b0a8c2a40f5 · 2026-03-28T22:01:33.000+03:00
PR mksglu#183: Restrict sessionKey regex to [a-zA-Z0-9_-]+ and add startsWith containment check to prevent path traversal in writeRoutingInstructions workspace derivation. PR mksglu#190: Fix getRuntimeSummary() bun detection — use endsWith("bun") instead of === "bun" to handle full paths like ~/.bun/bin/bun. PR mksglu#192: Remove trailing whitespace from AGENTS.md blank separator lines. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/configs/codex/AGENTS.md b/configs/codex/AGENTS.md
@@ -58,20 +58,20 @@ Search results can flood context. Use `ctx_execute(language: "shell", code: "gre
 | `ctx upgrade` | Call the `upgrade` MCP tool, run the returned shell command, display as checklist |
 
 ## Windows notes
- 
+
 **PowerShell cmdlets in shell scripts** — The sandbox executes scripts via bash. PowerShell
 cmdlets (`Format-List`, `Format-Table`, `Get-Culture`, etc.) do not exist in bash and will fail
 with `command not found`. Wrap them with `pwsh -NoProfile -Command "..."` instead.
- 
+
 **Relative paths** — The sandbox CWD is a temp directory, not your project root. Always convert
 any user-supplied path to an absolute path before passing it to `rg`, `grep`, or `find`.
 Ask the user to confirm the absolute path if it is not already known.
- 
+
 **Windows drive letter paths** — The sandbox runs Git Bash / MSYS2, not WSL. Drive letters must
 use the MSYS2 convention, NOT the WSL convention:
 `X:\path` → `/x/path` (lowercase letter, no `/mnt/` prefix).
 Never emit `/mnt/<letter>/` prefixes regardless of which drive the project is on.
- 
+
 **Always quote paths** — If a path contains spaces, bash splits it into separate arguments.
 Always wrap every path in double quotes: `rg "symbol" "$REPO_ROOT/some dir/Source"`.
 This applies to all tools: `rg`, `grep`, `find`, `ls`, etc.
diff --git a/src/openclaw-plugin.ts b/src/openclaw-plugin.ts
@@ -494,14 +494,18 @@ export default {
           if (key) {
             try {
               const adapter = new OpenClawAdapter();
+              const openclawBase = resolve(homedir(), ".openclaw");
               // Resolve workspace dir from sessionKey (pattern: agent:<name>:*)
-              const wsMatch = key.match(/^agent:([^:]+):/);
+              // Restrict agent name to safe characters to prevent path traversal (#183)
+              const wsMatch = key.match(/^agent:([a-zA-Z0-9_-]+):/);
+              let wsDir: string;
               if (wsMatch) {
-                const wsDir = resolve(homedir(), ".openclaw", `workspace-${wsMatch[1]}`);
-                adapter.writeRoutingInstructions(wsDir, pluginRoot);
+                wsDir = resolve(openclawBase, `workspace-${wsMatch[1]}`);
               } else {
-                // Fallback: main workspace (sessionKey doesn't follow agent:<name>: pattern)
-                const wsDir = resolve(homedir(), ".openclaw", "workspace");
+                wsDir = resolve(openclawBase, "workspace");
+              }
+              // Containment check: never write outside ~/.openclaw/
+              if (wsDir.startsWith(openclawBase)) {
                 adapter.writeRoutingInstructions(wsDir, pluginRoot);
               }
             } catch {
diff --git a/src/runtime.ts b/src/runtime.ts
@@ -150,7 +150,7 @@ export function hasBunRuntime(): boolean {
 
 export function getRuntimeSummary(runtimes: RuntimeMap): string {
   const lines: string[] = [];
-  const bunPreferred = runtimes.javascript === "bun";
+  const bunPreferred = runtimes.javascript?.endsWith("bun") ?? false;
 
   lines.push(
     `  JavaScript: ${runtimes.javascript} (${getVersion(runtimes.javascript)})${bunPreferred ? " ⚡" : ""}`,
diff --git a/tests/core/cli.test.ts b/tests/core/cli.test.ts
@@ -819,3 +819,34 @@ describe("Self-heal covers all hook types (#187)", () => {
     expect(selfHealSection).toContain("context-mode");
   });
 });
+
+// ── PR #183 fix: path traversal prevention in OpenClaw sessionKey ──
+
+describe("OpenClaw sessionKey safety (#183)", () => {
+  const OC_SOURCE = readFileSync(resolve(ROOT, "src/openclaw-plugin.ts"), "utf-8");
+
+  test("sessionKey regex only allows safe characters (no path traversal)", () => {
+    // Must use [a-zA-Z0-9_-]+ not [^:]+ to prevent ../../ in agent name
+    expect(OC_SOURCE).toContain('[a-zA-Z0-9_-]+');
+    expect(OC_SOURCE).not.toMatch(/\[\^:\]\+/);
+  });
+
+  test("workspace path has containment check against .openclaw base", () => {
+    // Must verify resolved path stays inside ~/.openclaw/
+    expect(OC_SOURCE).toContain('startsWith(');
+    expect(OC_SOURCE).toContain('.openclaw');
+  });
+});
+
+// ── PR #190 fix: getRuntimeSummary handles full bun path ──
+
+describe("Runtime summary bun detection (#190)", () => {
+  const RT_SOURCE = readFileSync(resolve(ROOT, "src/runtime.ts"), "utf-8");
+
+  test("getRuntimeSummary does not use exact === bun comparison", () => {
+    // Full path like /home/user/.bun/bin/bun must be detected
+    const summaryStart = RT_SOURCE.indexOf("getRuntimeSummary");
+    const summaryBody = RT_SOURCE.slice(summaryStart, RT_SOURCE.indexOf("\nexport", summaryStart + 10));
+    expect(summaryBody).not.toContain('=== "bun"');
+  });
+});
