fix(openclaw): escape untrusted import fields before writing overlay YAML#775
Merged
Merged
Conversation
…YAML
Root cause: generateOverlayValues/TranslateToOverlayYAML hand-formatted
fields imported from ~/.openclaw/openclaw.json (agentModel, provider
name/baseUrl/apiKeyEnvVar, model id/name) straight into values-obol.yaml
via fmt.Fprintf("...: %s\n", untrusted). A value like
x\nimage:\n repository: evil
breaks out of its field, injects new top-level YAML keys, and survives the
line-based openclaw:/models: block stripper (the raw newline flips a line
from "skipped" back to "kept" mid-block). Since values-obol.yaml is
applied to the cluster via helmfile sync, this is arbitrary Helm value
injection, including overriding the container image for RCE.
Fix: add yamlScalar(), a small helper that renders a Go string as a
forced double-quoted YAML scalar via gopkg.in/yaml.v3 (already a
dependency), and route every untrusted Fprintf site in
generateOverlayValues/TranslateToOverlayYAML through it. Quoting is
applied at the source (import.go) so the downstream block-stripping in
generateOverlayValues never sees a raw injected newline in the first
place. Internally-derived values (litellm master key, chart image tag,
hostname, agentBaseURL, whitelisted provider API type) are left as-is.
Confirmed Canary402 full-surface audit finding. Verified the added
regression test fails on the pre-fix code (injected image/rbac keys
appear as live top-level YAML) and passes after the fix.
Claude-Session: https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Full-surface audit finding (CRITICAL): openclaw.json → Helm values YAML injection
Found by the 2026-07-16 whole-product-surface audit (PR #770), adversarially confirmed (exploit reproduced standalone). Fields from an imported
~/.openclaw/openclaw.json(e.g.agents.defaults.model.primary) were interpolated unescaped into the Helm values YAML viafmt.Fprintf(&b, " agentModel: %s\n", …)ininternal/openclaw/openclaw.go, then written tovalues-obol.yamland applied withhelmfile sync. A value likex\nimage:\n repository: evilinjects arbitrary Helm values — including the container image — i.e. RCE on the cluster from a malicious/compromised import file.Fix
Every untrusted imported field written into the values file is now emitted as a properly-encoded YAML scalar (escaped/quoted per YAML rules) instead of raw string interpolation. All
fmt.Fprintf/concat sites ingenerateOverlayValues(and the provider-block handling) that emit imported data were audited and fixed; internally-derived constants unchanged.Test: a malicious
agentModel/provider value containing\nimage:renders YAML thatUnmarshals to the same single scalar — the injected key is absent.go test ./internal/openclaw/...green.https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk