Skip to content

fix(security): add binaries restrictions to all messaging and preset policies #645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ericksoa merged 4 commits into from
Mar 24, 2026
Merged

fix(security): add binaries restrictions to all messaging and preset policies #645

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d3cd6df
fix(security): add binaries restrictions to all messaging and preset …
ericksoa Mar 22, 2026
77c03c3
fix: add interpreter binaries to npm/pypi presets, strengthen test regex
ericksoa Mar 22, 2026
ecb2da2
fix: convert node:test to vitest in security-binaries-restriction.tes…
cv Mar 23, 2026
cad8cd0
Merge upstream/main into fix/messaging-binaries-restriction
cv Mar 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions nemoclaw-blueprint/policies/openclaw-sandbox.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,9 +157,9 @@ network_policies:
- { path: /usr/local/bin/openclaw }
- { path: /usr/local/bin/npm }

# ── Messaging — pre-allowed for agent notifications ────────────
# Telegram and Discord are open by default so the agent can send
# notifications and respond to chats without triggering approval.
# ── Messaging — pre-allowed for OpenClaw agent notifications ────
# Restricted to node processes to prevent arbitrary data exfiltration
# via curl, wget, python, etc. (See: #272)
telegram:
name: telegram
endpoints:
Expand All @@ -171,6 +171,8 @@ network_policies:
rules:
- allow: { method: GET, path: "/bot*/**" }
- allow: { method: POST, path: "/bot*/**" }
binaries:
- { path: /usr/local/bin/node }

discord:
name: discord
Expand Down Expand Up @@ -198,3 +200,5 @@ network_policies:
tls: terminate
rules:
- allow: { method: GET, path: "/**" }
binaries:
- { path: /usr/local/bin/node }
2 changes: 2 additions & 0 deletions nemoclaw-blueprint/policies/presets/discord.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,3 +32,5 @@ network_policies:
tls: terminate
rules:
- allow: { method: GET, path: "/**" }
binaries:
- { path: /usr/local/bin/node }
2 changes: 2 additions & 0 deletions nemoclaw-blueprint/policies/presets/docker.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,3 +41,5 @@ network_policies:
rules:
- allow: { method: GET, path: "/**" }
- allow: { method: POST, path: "/**" }
binaries:
- { path: /usr/bin/docker }
3 changes: 3 additions & 0 deletions nemoclaw-blueprint/policies/presets/huggingface.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,3 +32,6 @@ network_policies:
rules:
- allow: { method: GET, path: "/**" }
- allow: { method: POST, path: "/**" }
binaries:
- { path: /usr/local/bin/python3 }
- { path: /usr/local/bin/node }
2 changes: 2 additions & 0 deletions nemoclaw-blueprint/policies/presets/jira.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,3 +33,5 @@ network_policies:
rules:
- allow: { method: GET, path: "/**" }
- allow: { method: POST, path: "/**" }
binaries:
- { path: /usr/local/bin/node }
2 changes: 2 additions & 0 deletions nemoclaw-blueprint/policies/presets/outlook.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,3 +41,5 @@ network_policies:
rules:
- allow: { method: GET, path: "/**" }
- allow: { method: POST, path: "/**" }
binaries:
- { path: /usr/local/bin/node }
2 changes: 2 additions & 0 deletions nemoclaw-blueprint/policies/presets/slack.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,3 +33,5 @@ network_policies:
rules:
- allow: { method: GET, path: "/**" }
- allow: { method: POST, path: "/**" }
binaries:
- { path: /usr/local/bin/node }
2 changes: 2 additions & 0 deletions nemoclaw-blueprint/policies/presets/telegram.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,5 @@ network_policies:
rules:
- allow: { method: GET, path: "/bot*/**" }
- allow: { method: POST, path: "/bot*/**" }
binaries:
- { path: /usr/local/bin/node }
64 changes: 64 additions & 0 deletions test/security-binaries-restriction.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
// SPDX-License-Identifier: Apache-2.0

import { describe, it, expect } from "vitest";
import fs from "node:fs";
import path from "node:path";

const BASELINE = path.join(import.meta.dirname, "..", "nemoclaw-blueprint", "policies", "openclaw-sandbox.yaml");
const PRESETS_DIR = path.join(import.meta.dirname, "..", "nemoclaw-blueprint", "policies", "presets");

describe("binaries restriction: baseline policy", () => {
it("every network_policies entry has a binaries section", () => {
// Parse YAML manually (no yaml dependency) — find all top-level keys under network_policies
// and verify each has a "binaries:" line within its block
const yaml = fs.readFileSync(BASELINE, "utf-8");
const lines = yaml.split("\n");
let inNetworkPolicies = false;
let currentBlock = null;
const blocks = [];

for (let i = 0; i < lines.length; i++) {
const line = lines[i];
if (/^network_policies:/.test(line)) { inNetworkPolicies = true; continue; }
if (inNetworkPolicies && /^\S/.test(line) && line.trim() !== "") {
if (currentBlock) blocks.push(currentBlock);
currentBlock = null;
inNetworkPolicies = false;
continue;
}
if (!inNetworkPolicies) continue;
// Top-level entry under network_policies (2-space indent, not a comment)
if (/^ (?!#)\S.*:\s*$/.test(line)) {
if (currentBlock) blocks.push(currentBlock);
currentBlock = { name: line.trim().replace(/:$/, ""), startLine: i + 1, lines: [line] };
continue;
}
if (currentBlock) currentBlock.lines.push(line);
}
if (currentBlock) blocks.push(currentBlock);

expect(blocks.length).toBeGreaterThan(0);

const violators = blocks.filter(b => !b.lines.some(l => /^\s+binaries:/.test(l)));

expect(violators.map(b => b.name)).toEqual([]);
});
});

describe("binaries restriction: policy presets", () => {
it("every preset YAML has a binaries section", () => {
const presets = fs.readdirSync(PRESETS_DIR).filter(f => f.endsWith(".yaml"));
expect(presets.length).toBeGreaterThan(0);

const missing = [];
for (const file of presets) {
const content = fs.readFileSync(path.join(PRESETS_DIR, file), "utf-8");
Copy link
Copy Markdown
Contributor

@cv cv Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This substring check would pass if binaries: appeared in a YAML comment. The baseline test already does proper structure-aware parsing — this should be at least a regex match for a real YAML key:

Suggested change
const content = fs.readFileSync(path.join(PRESETS_DIR, file), "utf-8");
if (!/^\s+binaries:\s*$/m.test(content)) {

if (!/^\s+binaries:\s*$/m.test(content)) {
missing.push(file);
Comment thread
coderabbitai[bot] marked this conversation as resolved.
}
}

expect(missing).toEqual([]);
});
});