Skip to content

fix(openclaw): escape untrusted import fields before writing overlay YAML#775

Merged
bussyjd merged 1 commit into
integration/v0.14.0-rc0from
fix/openclaw-yaml-injection
Jul 16, 2026
Merged

fix(openclaw): escape untrusted import fields before writing overlay YAML#775
bussyjd merged 1 commit into
integration/v0.14.0-rc0from
fix/openclaw-yaml-injection

Conversation

@bussyjd

@bussyjd bussyjd commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Full-surface audit finding (CRITICAL): openclaw.json → Helm values YAML injection

Found by the 2026-07-16 whole-product-surface audit (PR #770), adversarially confirmed (exploit reproduced standalone). Fields from an imported ~/.openclaw/openclaw.json (e.g. agents.defaults.model.primary) were interpolated unescaped into the Helm values YAML via fmt.Fprintf(&b, " agentModel: %s\n", …) in internal/openclaw/openclaw.go, then written to values-obol.yaml and applied with helmfile sync. A value like x\nimage:\n repository: evil injects arbitrary Helm values — including the container image — i.e. RCE on the cluster from a malicious/compromised import file.

Fix

Every untrusted imported field written into the values file is now emitted as a properly-encoded YAML scalar (escaped/quoted per YAML rules) instead of raw string interpolation. All fmt.Fprintf/concat sites in generateOverlayValues (and the provider-block handling) that emit imported data were audited and fixed; internally-derived constants unchanged.

Test: a malicious agentModel/provider value containing \nimage: renders YAML that Unmarshals to the same single scalar — the injected key is absent. go test ./internal/openclaw/... green.

https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk

…YAML

Root cause: generateOverlayValues/TranslateToOverlayYAML hand-formatted
fields imported from ~/.openclaw/openclaw.json (agentModel, provider
name/baseUrl/apiKeyEnvVar, model id/name) straight into values-obol.yaml
via fmt.Fprintf("...: %s\n", untrusted). A value like

    x\nimage:\n  repository: evil

breaks out of its field, injects new top-level YAML keys, and survives the
line-based openclaw:/models: block stripper (the raw newline flips a line
from "skipped" back to "kept" mid-block). Since values-obol.yaml is
applied to the cluster via helmfile sync, this is arbitrary Helm value
injection, including overriding the container image for RCE.

Fix: add yamlScalar(), a small helper that renders a Go string as a
forced double-quoted YAML scalar via gopkg.in/yaml.v3 (already a
dependency), and route every untrusted Fprintf site in
generateOverlayValues/TranslateToOverlayYAML through it. Quoting is
applied at the source (import.go) so the downstream block-stripping in
generateOverlayValues never sees a raw injected newline in the first
place. Internally-derived values (litellm master key, chart image tag,
hostname, agentBaseURL, whitelisted provider API type) are left as-is.

Confirmed Canary402 full-surface audit finding. Verified the added
regression test fails on the pre-fix code (injected image/rbac keys
appear as live top-level YAML) and passes after the fix.

Claude-Session: https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk
@bussyjd bussyjd merged commit f1347c0 into integration/v0.14.0-rc0 Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant