lint: move managed proxy guard to codeql

jesse-merhi
2026-05-07 17:03:30 +10:00
committed by Jesse Merhi
parent dd0a9bf869
commit cf9e9cd119
5 changed files with 342 additions and 1024 deletions


@@ -1,9 +1,10 @@
name: openclaw-codeql-raw-socket-boundary-critical-quality
name: openclaw-codeql-network-runtime-boundary-critical-quality
disable-default-queries: true
queries:
- uses: ./.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql
- uses: ./.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql
paths:
- src
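Review bot: The `paths:` list at the end of this config still names only `src`, while the query added under `queries:` is written to cover `extensions/` as well: its `relevantSourceFile` matches `^(src|extensions)/` and its allowlist names `extensions/browser/src/browser/cdp-proxy-bypass.ts`. If the list is as short as it appears in this hunk, CodeQL will not analyse `extensions/`, so the coverage the removed opengrep rules had through `extensions/**/*.ts` is lost and the two `NoProxyLeaseManager` allowlist entries never apply. Add `- extensions` under `paths:`, after checking that the raw-socket query sharing this config tolerates the wider scope.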


@@ -0,0 +1,325 @@
/**
* @name Managed proxy runtime mutation
* @description Proxy-related process.env and GLOBAL_AGENT runtime mutations must stay in managed proxy owner scopes.
* @kind problem
* @problem.severity error
* @precision high
* @id js/openclaw/managed-proxy-runtime-mutation
* @tags maintainability
* security
* external/cwe/cwe-441
*/
import javascript
predicate forbiddenEnvKey(string key) {
key =
[
"HTTP_PROXY",
"HTTPS_PROXY",
"http_proxy",
"https_proxy",
"NO_PROXY",
"no_proxy",
"GLOBAL_AGENT_HTTP_PROXY",
"GLOBAL_AGENT_HTTPS_PROXY",
"GLOBAL_AGENT_NO_PROXY",
"GLOBAL_AGENT_FORCE_GLOBAL_AGENT",
"OPENCLAW_PROXY_ACTIVE",
"OPENCLAW_PROXY_LOOPBACK_MODE"
]
}
predicate forbiddenGlobalAgentKey(string key) { key = ["HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY"] }
predicate relevantSourceFile(File file) {
exists(string path |
path = file.getRelativePath() and
path.regexpMatch("^(src|extensions)/.*\\.(ts|mts|js|mjs)$") and
not path.regexpMatch(".*\\.(test|spec)\\.(ts|mts|js|mjs)$") and
not path.regexpMatch(".*\\.(test-utils|test-harness|e2e-harness)\\.ts$") and
not path.regexpMatch(".*/test-support/.*") and
not path.regexpMatch(".*/vendor/.*") and
not path.regexpMatch(".*\\.min\\.js$") and
not path.regexpMatch("^extensions/diffs/assets/.*")
)
}
predicate namedExpr(Expr expr, string name) {
expr.getUnderlyingValue().(Identifier).getName() = name
}
predicate directProcessEnvExpr(Expr expr) {
exists(PropAccess access |
expr.getUnderlyingValue() = access and
access.getPropertyName() = "env" and
namedExpr(access.getBase(), "process")
)
}
predicate envAlias(Variable variable) {
exists(VariableDeclarator decl |
decl.getBindingPattern().getAVariable() = variable and
directProcessEnvExpr(decl.getInit())
)
or
exists(VariableDeclarator decl, ObjectPattern pattern, PropertyPattern property |
decl.getBindingPattern() = pattern and
namedExpr(decl.getInit(), "process") and
property = pattern.getAPropertyPattern() and
property.getName() = "env" and
property.getValuePattern().(BindingPattern).getAVariable() = variable
)
}
predicate processEnvExpr(Expr expr) {
directProcessEnvExpr(expr)
or
exists(VarAccess access |
expr.getUnderlyingValue() = access and
envAlias(access.getVariable())
)
}
predicate stringConst(Variable variable, string value) {
exists(VariableDeclarator decl |
decl.getBindingPattern().getAVariable() = variable and
value = decl.getInit().getStringValue()
)
}
predicate stringArrayContains(Variable variable, string value) {
exists(VariableDeclarator decl, ArrayExpr array, Expr element |
decl.getBindingPattern().getAVariable() = variable and
decl.getInit().getUnderlyingValue() = array and
element = array.getAnElement().getUnderlyingValue() and
value = element.getStringValue()
)
or
exists(VariableDeclarator decl, ArrayExpr array, SpreadElement spread, VarAccess access |
decl.getBindingPattern().getAVariable() = variable and
decl.getInit().getUnderlyingValue() = array and
spread = array.getAnElement().getUnderlyingValue() and
spread.getOperand().getUnderlyingValue() = access and
stringArrayContains(access.getVariable(), value)
)
}
predicate forbiddenEnvLoopVariable(Variable variable) {
exists(ForOfStmt loop, VarAccess domain, string key |
variable = loop.getAnIterationVariable() and
loop.getIterationDomain().getUnderlyingValue() = domain and
stringArrayContains(domain.getVariable(), key) and
forbiddenEnvKey(key)
)
}
predicate envKeyExprForbidden(Expr keyExpr) {
forbiddenEnvKey(keyExpr.getStringValue())
or
exists(VarAccess access, string key |
keyExpr.getUnderlyingValue() = access and
stringConst(access.getVariable(), key) and
forbiddenEnvKey(key)
)
or
exists(VarAccess access |
keyExpr.getUnderlyingValue() = access and
forbiddenEnvLoopVariable(access.getVariable())
)
}
predicate globalAgentKeyExprForbidden(Expr keyExpr) {
forbiddenGlobalAgentKey(keyExpr.getStringValue())
or
exists(VarAccess access, string key |
keyExpr.getUnderlyingValue() = access and
stringConst(access.getVariable(), key) and
forbiddenGlobalAgentKey(key)
)
}
predicate directGlobalExpr(Expr expr) {
namedExpr(expr, "global")
or
namedExpr(expr, "globalThis")
}
predicate globalAlias(Variable variable) {
exists(VariableDeclarator decl |
decl.getBindingPattern().getAVariable() = variable and
directGlobalExpr(decl.getInit())
)
}
predicate globalExpr(Expr expr) {
directGlobalExpr(expr)
or
exists(VarAccess access |
expr.getUnderlyingValue() = access and
globalAlias(access.getVariable())
)
}
predicate directGlobalAgentExpr(Expr expr) {
exists(PropAccess access |
expr.getUnderlyingValue() = access and
access.getPropertyName() = "GLOBAL_AGENT" and
globalExpr(access.getBase())
)
}
predicate globalAgentAlias(Variable variable) {
exists(VariableDeclarator decl |
decl.getBindingPattern().getAVariable() = variable and
directGlobalAgentExpr(decl.getInit())
)
}
predicate globalAgentExpr(Expr expr) {
directGlobalAgentExpr(expr)
or
exists(VarAccess access |
expr.getUnderlyingValue() = access and
globalAgentAlias(access.getVariable())
)
}
predicate envMutationTarget(Expr target) {
exists(PropAccess access |
target.getUnderlyingReference() = access and
processEnvExpr(access.getBase()) and
(
forbiddenEnvKey(access.getPropertyName())
or
envKeyExprForbidden(access.getPropertyNameExpr())
)
)
}
predicate globalAgentMutationTarget(Expr target) {
globalAgentExpr(target)
or
exists(PropAccess access |
target.getUnderlyingReference() = access and
globalAgentExpr(access.getBase()) and
(
forbiddenGlobalAgentKey(access.getPropertyName())
or
globalAgentKeyExprForbidden(access.getPropertyNameExpr())
)
)
}
predicate objectPropertyWithKey(Expr expr, string key) {
exists(ObjectExpr object, Property property |
expr.getUnderlyingValue() = object and
property = object.getAProperty() and
property.getName() = key
)
}
Expr managedProxyRuntimeMutation() {
exists(Assignment assignment |
result = assignment and
(
envMutationTarget(assignment.getTarget())
or
globalAgentMutationTarget(assignment.getTarget())
)
)
or
exists(DeleteExpr delete |
result = delete and
(
envMutationTarget(delete.getOperand())
or
globalAgentMutationTarget(delete.getOperand())
)
)
or
exists(MethodCallExpr call |
result = call and
namedExpr(call.getReceiver(), "Object") and
call.getMethodName() = "assign" and
(
processEnvExpr(call.getArgument(0)) and
exists(string key |
forbiddenEnvKey(key) and
objectPropertyWithKey(call.getArgument(1), key)
)
or
globalAgentExpr(call.getArgument(0)) and
exists(string key |
forbiddenGlobalAgentKey(key) and
objectPropertyWithKey(call.getArgument(1), key)
)
)
)
or
exists(MethodCallExpr call |
result = call and
namedExpr(call.getReceiver(), "Object") and
call.getMethodName() = "defineProperty" and
(
processEnvExpr(call.getArgument(0)) and
envKeyExprForbidden(call.getArgument(1))
or
globalAgentExpr(call.getArgument(0)) and
globalAgentKeyExprForbidden(call.getArgument(1))
)
)
}
predicate allowedFunctionOwnerScope(Expr mutation, string path, string functionName) {
exists(Function owner |
mutation.getFile().getRelativePath() = path and
owner.getFile() = mutation.getFile() and
owner.getName() = functionName and
mutation.getParent*() = owner.getBody()
)
}
predicate allowedMethodOwnerScope(Expr mutation, string path, string methodName) {
exists(MethodDeclaration method |
mutation.getFile().getRelativePath() = path and
method.getFile() = mutation.getFile() and
method.getDeclaringType().getName() + "." + method.getName() = methodName and
mutation.getParent*() = method.getBody().getBody()
)
}
predicate allowedManagedProxyRuntimeMutation(Expr mutation) {
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", "applyProxyEnv")
or
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", "restoreProxyEnv")
or
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
"restoreGlobalAgentRuntime")
or
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
"restoreNodeHttpStack")
or
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
"bootstrapNodeHttpStack")
or
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
"writeGlobalAgentNoProxy")
or
allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
"disableGlobalAgentProxyForIpv6GatewayLoopback")
or
allowedMethodOwnerScope(mutation, "extensions/browser/src/browser/cdp-proxy-bypass.ts",
"NoProxyLeaseManager.acquire")
or
allowedMethodOwnerScope(mutation, "extensions/browser/src/browser/cdp-proxy-bypass.ts",
"NoProxyLeaseManager.release")
}
from Expr mutation
where
managedProxyRuntimeMutation() = mutation and
relevantSourceFile(mutation.getFile()) and
not allowedManagedProxyRuntimeMutation(mutation)
select mutation,
"Only managed proxy owner scopes may mutate proxy-related process.env or GLOBAL_AGENT runtime state."
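Review bot: `envAlias`, `globalAlias` and `globalAgentAlias` recognise an alias only when a variable declarator is initialised directly from `process.env`, `global`/`globalThis` or `GLOBAL_AGENT`, and the `Object.assign` branch of `managedProxyRuntimeMutation` inspects only an object literal in argument 1. A reference that reaches the write through a function parameter, an import or a later argument is not reported, so this error-severity gate can pass while such a write exists. Either resolve the base through the library's data flow (`DataFlow::globalVarRef("process").getAPropertyRead("env")` and `getAPropertyWrite()` on the resulting source node) or state the limit in the header, e.g. `* Tracks direct accesses and locally declared aliases only; values passed through calls are out of scope.`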


@@ -21,7 +21,7 @@ on:
- plugin-sdk-package-contract
- plugin-sdk-reply-runtime
- provider-runtime-boundary
- raw-socket-boundary
- network-runtime-boundary
- session-diagnostics-boundary
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
@@ -164,7 +164,7 @@ jobs:
plugin_sdk_package: ${{ steps.detect.outputs.plugin_sdk_package }}
plugin_sdk_reply: ${{ steps.detect.outputs.plugin_sdk_reply }}
provider: ${{ steps.detect.outputs.provider }}
raw_socket: ${{ steps.detect.outputs.raw_socket }}
network_runtime: ${{ steps.detect.outputs.network_runtime }}
session_diagnostics: ${{ steps.detect.outputs.session_diagnostics }}
steps:
- name: Detect PR shard paths
@@ -188,7 +188,7 @@ jobs:
plugin_sdk_package=false
plugin_sdk_reply=false
provider=false
raw_socket=false
network_runtime=false
session_diagnostics=false
if [[ "${EVENT_NAME}" != "pull_request" ]]; then
@@ -203,7 +203,7 @@ jobs:
plugin_sdk_package=true
plugin_sdk_reply=true
provider=true
raw_socket=true
network_runtime=true
session_diagnostics=true
else
while IFS= read -r file; do
@@ -220,11 +220,11 @@ jobs:
plugin_sdk_package=true
plugin_sdk_reply=true
provider=true
raw_socket=true
network_runtime=true
session_diagnostics=true
;;
src/*.ts|src/**/*.ts|extensions/*.ts|extensions/**/*.ts)
raw_socket=true
network_runtime=true
;;
src/acp/control-plane/*|src/agents/cli-runner/*|src/agents/command/*|src/agents/pi-embedded-runner/*|src/agents/tools/*|src/agents/*completion*.ts|src/agents/*transport*.ts|src/agents/model-*.ts|src/agents/openclaw-tools*.ts|src/agents/provider-*.ts|src/agents/session*.ts|src/agents/tool-call*.ts|src/auto-reply/reply/agent-runner*.ts|src/auto-reply/reply/commands*.ts|src/auto-reply/reply/directive-handling*.ts|src/auto-reply/reply/dispatch-*.ts|src/auto-reply/reply/get-reply-run*.ts|src/auto-reply/reply/provider-dispatcher*.ts|src/auto-reply/reply/queue*.ts|src/auto-reply/reply/reply-run-registry*.ts|src/auto-reply/reply/session*.ts)
agent=true
@@ -308,7 +308,7 @@ jobs:
echo "plugin_sdk_package=${plugin_sdk_package}"
echo "plugin_sdk_reply=${plugin_sdk_reply}"
echo "provider=${provider}"
echo "raw_socket=${raw_socket}"
echo "network_runtime=${network_runtime}"
echo "session_diagnostics=${session_diagnostics}"
} >> "${GITHUB_OUTPUT}"
@@ -404,10 +404,10 @@ jobs:
with:
category: "/codeql-critical-quality/channel-runtime-boundary"
raw-socket-boundary:
name: Critical Quality (raw-socket-boundary)
network-runtime-boundary:
name: Critical Quality (network-runtime-boundary)
needs: quality-shards
if: ${{ needs.quality-shards.outputs.raw_socket == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'raw-socket-boundary') }}
if: ${{ needs.quality-shards.outputs.network_runtime == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'network-runtime-boundary') }}
runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25
steps:
@@ -420,16 +420,16 @@ jobs:
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
languages: javascript-typescript
config-file: ./.github/codeql/codeql-raw-socket-boundary-critical-quality.yml
config-file: ./.github/codeql/codeql-network-runtime-boundary-critical-quality.yml
- name: Analyze
id: analyze
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
output: sarif-results
category: "/codeql-critical-quality/raw-socket-boundary"
category: "/codeql-critical-quality/network-runtime-boundary"
- name: Fail on raw socket findings
- name: Fail on network runtime boundary findings
env:
SARIF_OUTPUT: sarif-results
run: |
@@ -447,7 +447,7 @@ jobs:
exit 0
fi
echo "Found ${findings} unclassified raw socket client callsite(s):" >&2
echo "Found ${findings} network runtime boundary finding(s):" >&2
jq -r '
.runs[]?.results[]?
| .locations[0].physicalLocation as $location
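Review bot: The shard filter that now sets `network_runtime=true` matches only `.ts` paths (`src/*.ts|src/**/*.ts|extensions/*.ts|extensions/**/*.ts)`), while the query this shard runs also treats `.mts`, `.js` and `.mjs` files as in scope. A pull request touching only one of those files would skip the network-runtime-boundary job unless another arm of the `case` sets the flag. The `case` statement starts and ends outside the hunks shown, so that cannot be confirmed here. Consider widening the arm, for example `src/*.ts|src/*.mts|src/*.js|src/*.mjs|extensions/*.ts|extensions/*.mts|extensions/*.js|extensions/*.mjs)`.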


@@ -5,7 +5,7 @@
#
# Source rules dir: security/opengrep/rules/openclaw-policy
# Generated at : 2026-05-07T04:40:02.803Z
# Rule count : 154
# Rule count : 148
rules:
- id: ghsa-25gx-x37c-7pph.openclaw-novnc-x11vnc-missing-auth
message: x11vnc starts without VNC authentication; avoid -nopw and require password auth when exposing noVNC observer access.
@@ -5010,513 +5010,3 @@ rules:
- "**/*.test.mjs"
patterns:
- pattern: http2.connect(...)
- id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-process-env-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate proxy-related process.env runtime state.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- CWE-441
category: security
confidence: HIGH
detector-bucket: precise
source-rule-id: managed-proxy-process-env-mutation
source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml
paths:
include:
- src/**/*.ts
- src/**/*.mts
- src/**/*.js
- src/**/*.mjs
- extensions/**/*.ts
- extensions/**/*.mts
- extensions/**/*.js
- extensions/**/*.mjs
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- pattern: process.env.$KEY = ...
- pattern: process.env[$KEY] = ...
- pattern: delete process.env.$KEY
- pattern: delete process.env[$KEY]
- pattern: Object.defineProperty(process.env, $KEY, ...)
- pattern: |
Object.assign(process.env, { $KEY: ... })
- metavariable-regex:
metavariable: $KEY
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$
- pattern-not-inside: |
function applyProxyEnv(...) {
...
}
- pattern-not-inside: |
function restoreProxyEnv(...) {
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
acquire(...) {
...
}
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
release(...) {
...
}
...
}
- id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-process-env-alias-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate proxy-related process.env aliases.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- CWE-441
category: security
confidence: HIGH
detector-bucket: precise
source-rule-id: managed-proxy-process-env-alias-mutation
source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml
paths:
include:
- src/**/*.ts
- src/**/*.mts
- src/**/*.js
- src/**/*.mjs
- extensions/**/*.ts
- extensions/**/*.mts
- extensions/**/*.js
- extensions/**/*.mjs
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- patterns:
- pattern-inside: |
const $ENV = process.env;
...
- pattern-either:
- pattern: $ENV.$KEY = ...
- pattern: $ENV[$KEY] = ...
- pattern: delete $ENV.$KEY
- pattern: delete $ENV[$KEY]
- pattern: Object.defineProperty($ENV, $KEY, ...)
- pattern: |
Object.assign($ENV, { $KEY: ... })
- patterns:
- pattern-inside: |
const { env } = process;
...
- pattern-either:
- pattern: env.$KEY = ...
- pattern: env[$KEY] = ...
- pattern: delete env.$KEY
- pattern: delete env[$KEY]
- pattern: Object.defineProperty(env, $KEY, ...)
- pattern: |
Object.assign(env, { $KEY: ... })
- metavariable-regex:
metavariable: $KEY
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$
- pattern-not-inside: |
function applyProxyEnv(...) {
...
}
- pattern-not-inside: |
function restoreProxyEnv(...) {
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
acquire(...) {
...
}
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
release(...) {
...
}
...
}
- id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-process-env-dynamic-key-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate process.env through proxy-related dynamic keys.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- CWE-441
category: security
confidence: HIGH
detector-bucket: precise
source-rule-id: managed-proxy-process-env-dynamic-key-mutation
source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml
paths:
include:
- src/**/*.ts
- src/**/*.mts
- src/**/*.js
- src/**/*.mjs
- extensions/**/*.ts
- extensions/**/*.mts
- extensions/**/*.js
- extensions/**/*.mjs
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- patterns:
- pattern-inside: |
const $KEYS = [..., $FORBIDDEN, ...];
...
for (const $KEY of $KEYS) {
...
}
- pattern-either:
- pattern: process.env[$KEY] = ...
- pattern: delete process.env[$KEY]
- patterns:
- pattern-inside: |
const $SOURCE_KEYS = [..., $FORBIDDEN, ...];
...
const $KEYS = [..., ...$SOURCE_KEYS, ...];
...
for (const $KEY of $KEYS) {
...
}
- pattern-either:
- pattern: process.env[$KEY] = ...
- pattern: delete process.env[$KEY]
- patterns:
- pattern-inside: |
const $ENV = process.env;
...
const $KEYS = [..., $FORBIDDEN, ...];
...
for (const $KEY of $KEYS) {
...
}
- pattern-either:
- pattern: $ENV[$KEY] = ...
- pattern: delete $ENV[$KEY]
- metavariable-regex:
metavariable: $FORBIDDEN
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$
- pattern-not-inside: |
function applyProxyEnv(...) {
...
}
- pattern-not-inside: |
function restoreProxyEnv(...) {
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
acquire(...) {
...
}
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
release(...) {
...
}
...
}
- id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-global-agent-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate GLOBAL_AGENT proxy runtime state.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- CWE-441
category: security
confidence: HIGH
detector-bucket: precise
source-rule-id: managed-proxy-global-agent-mutation
source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml
paths:
include:
- src/**/*.ts
- src/**/*.mts
- src/**/*.js
- src/**/*.mjs
- extensions/**/*.ts
- extensions/**/*.mts
- extensions/**/*.js
- extensions/**/*.mjs
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- pattern: global.GLOBAL_AGENT = ...
- pattern: globalThis.GLOBAL_AGENT = ...
- pattern: global["GLOBAL_AGENT"] = ...
- pattern: globalThis["GLOBAL_AGENT"] = ...
- pattern: global.GLOBAL_AGENT.$KEY = ...
- pattern: global.GLOBAL_AGENT[$KEY] = ...
- pattern: globalThis.GLOBAL_AGENT.$KEY = ...
- pattern: globalThis.GLOBAL_AGENT[$KEY] = ...
- pattern: global["GLOBAL_AGENT"][$KEY] = ...
- pattern: globalThis["GLOBAL_AGENT"][$KEY] = ...
- pattern: delete global.GLOBAL_AGENT
- pattern: delete globalThis.GLOBAL_AGENT
- pattern: delete global["GLOBAL_AGENT"]
- pattern: delete globalThis["GLOBAL_AGENT"]
- pattern: delete global.GLOBAL_AGENT.$KEY
- pattern: delete global.GLOBAL_AGENT[$KEY]
- pattern: delete globalThis.GLOBAL_AGENT.$KEY
- pattern: delete globalThis.GLOBAL_AGENT[$KEY]
- pattern: Object.defineProperty(global.GLOBAL_AGENT, $KEY, ...)
- pattern: Object.defineProperty(globalThis.GLOBAL_AGENT, $KEY, ...)
- pattern: |
Object.assign(global.GLOBAL_AGENT, { $KEY: ... })
- pattern: |
Object.assign(globalThis.GLOBAL_AGENT, { $KEY: ... })
- metavariable-regex:
metavariable: $KEY
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|NO_PROXY)["']?$
- pattern-not-inside: |
function restoreGlobalAgentRuntime(...) {
...
}
- pattern-not-inside: |
function restoreNodeHttpStack(...) {
...
}
- pattern-not-inside: |
function bootstrapNodeHttpStack(...) {
...
}
- pattern-not-inside: |
function writeGlobalAgentNoProxy(...) {
...
}
- pattern-not-inside: |
function disableGlobalAgentProxyForIpv6GatewayLoopback(...) {
...
}
- id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-global-agent-object-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may replace or delete GLOBAL_AGENT runtime state.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- CWE-441
category: security
confidence: HIGH
detector-bucket: precise
source-rule-id: managed-proxy-global-agent-object-mutation
source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml
paths:
include:
- src/**/*.ts
- src/**/*.mts
- src/**/*.js
- src/**/*.mjs
- extensions/**/*.ts
- extensions/**/*.mts
- extensions/**/*.js
- extensions/**/*.mjs
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- pattern: global.GLOBAL_AGENT = ...
- pattern: globalThis.GLOBAL_AGENT = ...
- pattern: global["GLOBAL_AGENT"] = ...
- pattern: globalThis["GLOBAL_AGENT"] = ...
- pattern: delete global.GLOBAL_AGENT
- pattern: delete globalThis.GLOBAL_AGENT
- pattern: delete global["GLOBAL_AGENT"]
- pattern: delete globalThis["GLOBAL_AGENT"]
- patterns:
- pattern-inside: |
const $GLOBAL = global;
...
- pattern-either:
- pattern: $GLOBAL.GLOBAL_AGENT = ...
- pattern: $GLOBAL["GLOBAL_AGENT"] = ...
- pattern: delete $GLOBAL.GLOBAL_AGENT
- pattern: delete $GLOBAL["GLOBAL_AGENT"]
- patterns:
- pattern-inside: |
const $GLOBAL = global as $TYPE;
...
- pattern-either:
- pattern: $GLOBAL.GLOBAL_AGENT = ...
- pattern: $GLOBAL["GLOBAL_AGENT"] = ...
- pattern: delete $GLOBAL.GLOBAL_AGENT
- pattern: delete $GLOBAL["GLOBAL_AGENT"]
- pattern-not-inside: |
function restoreNodeHttpStack(...) {
...
}
- id: openclaw-policy-managed-proxy-runtime-mutation.managed-proxy-global-agent-alias-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate GLOBAL_AGENT aliases.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- CWE-441
category: security
confidence: HIGH
detector-bucket: precise
source-rule-id: managed-proxy-global-agent-alias-mutation
source-file: security/opengrep/rules/openclaw-policy/managed-proxy-runtime-mutation.yml
paths:
include:
- src/**/*.ts
- src/**/*.mts
- src/**/*.js
- src/**/*.mjs
- extensions/**/*.ts
- extensions/**/*.mts
- extensions/**/*.js
- extensions/**/*.mjs
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- patterns:
- pattern-inside: |
const $AGENT = global.GLOBAL_AGENT;
...
- pattern-either:
- pattern: $AGENT.$KEY = ...
- pattern: $AGENT[$KEY] = ...
- pattern: delete $AGENT.$KEY
- pattern: delete $AGENT[$KEY]
- pattern: Object.defineProperty($AGENT, $KEY, ...)
- pattern: |
Object.assign($AGENT, { $KEY: ... })
- patterns:
- pattern-inside: |
const $AGENT = global["GLOBAL_AGENT"];
...
- pattern-either:
- pattern: $AGENT.$KEY = ...
- pattern: $AGENT[$KEY] = ...
- pattern: delete $AGENT.$KEY
- pattern: delete $AGENT[$KEY]
- pattern: Object.defineProperty($AGENT, $KEY, ...)
- pattern: |
Object.assign($AGENT, { $KEY: ... })
- patterns:
- pattern-inside: |
const $AGENT = (global as $TYPE)["GLOBAL_AGENT"] as $AGENT_TYPE;
...
- pattern-either:
- pattern: $AGENT.$KEY = ...
- pattern: $AGENT[$KEY] = ...
- pattern: delete $AGENT.$KEY
- pattern: delete $AGENT[$KEY]
- pattern: Object.defineProperty($AGENT, $KEY, ...)
- pattern: |
Object.assign($AGENT, { $KEY: ... })
- patterns:
- pattern-inside: |
const $GLOBAL = global;
...
- pattern-either:
- pattern: $GLOBAL.GLOBAL_AGENT = ...
- pattern: $GLOBAL["GLOBAL_AGENT"] = ...
- pattern: $GLOBAL.GLOBAL_AGENT.$KEY = ...
- pattern: $GLOBAL.GLOBAL_AGENT[$KEY] = ...
- pattern: $GLOBAL["GLOBAL_AGENT"][$KEY] = ...
- pattern: delete $GLOBAL.GLOBAL_AGENT
- pattern: delete $GLOBAL["GLOBAL_AGENT"]
- pattern: delete $GLOBAL.GLOBAL_AGENT.$KEY
- pattern: delete $GLOBAL.GLOBAL_AGENT[$KEY]
- pattern: delete $GLOBAL["GLOBAL_AGENT"][$KEY]
- patterns:
- pattern-inside: |
const $GLOBAL = global as $TYPE;
...
- pattern-either:
- pattern: $GLOBAL.GLOBAL_AGENT = ...
- pattern: $GLOBAL["GLOBAL_AGENT"] = ...
- pattern: $GLOBAL.GLOBAL_AGENT.$KEY = ...
- pattern: $GLOBAL.GLOBAL_AGENT[$KEY] = ...
- pattern: $GLOBAL["GLOBAL_AGENT"][$KEY] = ...
- pattern: delete $GLOBAL.GLOBAL_AGENT
- pattern: delete $GLOBAL["GLOBAL_AGENT"]
- pattern: delete $GLOBAL.GLOBAL_AGENT.$KEY
- pattern: delete $GLOBAL.GLOBAL_AGENT[$KEY]
- pattern: delete $GLOBAL["GLOBAL_AGENT"][$KEY]
- metavariable-regex:
metavariable: $KEY
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|NO_PROXY)["']?$
- pattern-not-inside: |
function restoreGlobalAgentRuntime(...) {
...
}
- pattern-not-inside: |
function restoreNodeHttpStack(...) {
...
}
- pattern-not-inside: |
function bootstrapNodeHttpStack(...) {
...
}
- pattern-not-inside: |
function writeGlobalAgentNoProxy(...) {
...
}
- pattern-not-inside: |
function disableGlobalAgentProxyForIpv6GatewayLoopback(...) {
...
}


@@ -1,498 +0,0 @@
rules:
- id: managed-proxy-process-env-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate proxy-related process.env runtime state.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- "CWE-441"
category: security
confidence: HIGH
paths:
include:
- "src/**/*.ts"
- "src/**/*.mts"
- "src/**/*.js"
- "src/**/*.mjs"
- "extensions/**/*.ts"
- "extensions/**/*.mts"
- "extensions/**/*.js"
- "extensions/**/*.mjs"
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- pattern: process.env.$KEY = ...
- pattern: process.env[$KEY] = ...
- pattern: delete process.env.$KEY
- pattern: delete process.env[$KEY]
- pattern: Object.defineProperty(process.env, $KEY, ...)
- pattern: |
Object.assign(process.env, { $KEY: ... })
- metavariable-regex:
metavariable: $KEY
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$
- pattern-not-inside: |
function applyProxyEnv(...) {
...
}
- pattern-not-inside: |
function restoreProxyEnv(...) {
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
acquire(...) {
...
}
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
release(...) {
...
}
...
}
- id: managed-proxy-process-env-alias-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate proxy-related process.env aliases.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- "CWE-441"
category: security
confidence: HIGH
paths:
include:
- "src/**/*.ts"
- "src/**/*.mts"
- "src/**/*.js"
- "src/**/*.mjs"
- "extensions/**/*.ts"
- "extensions/**/*.mts"
- "extensions/**/*.js"
- "extensions/**/*.mjs"
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- patterns:
- pattern-inside: |
const $ENV = process.env;
...
- pattern-either:
- pattern: $ENV.$KEY = ...
- pattern: $ENV[$KEY] = ...
- pattern: delete $ENV.$KEY
- pattern: delete $ENV[$KEY]
- pattern: Object.defineProperty($ENV, $KEY, ...)
- pattern: |
Object.assign($ENV, { $KEY: ... })
- patterns:
- pattern-inside: |
const { env } = process;
...
- pattern-either:
- pattern: env.$KEY = ...
- pattern: env[$KEY] = ...
- pattern: delete env.$KEY
- pattern: delete env[$KEY]
- pattern: Object.defineProperty(env, $KEY, ...)
- pattern: |
Object.assign(env, { $KEY: ... })
- metavariable-regex:
metavariable: $KEY
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$
- pattern-not-inside: |
function applyProxyEnv(...) {
...
}
- pattern-not-inside: |
function restoreProxyEnv(...) {
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
acquire(...) {
...
}
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
release(...) {
...
}
...
}
- id: managed-proxy-process-env-dynamic-key-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate process.env through proxy-related dynamic keys.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- "CWE-441"
category: security
confidence: HIGH
paths:
include:
- "src/**/*.ts"
- "src/**/*.mts"
- "src/**/*.js"
- "src/**/*.mjs"
- "extensions/**/*.ts"
- "extensions/**/*.mts"
- "extensions/**/*.js"
- "extensions/**/*.mjs"
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- patterns:
- pattern-inside: |
const $KEYS = [..., $FORBIDDEN, ...];
...
for (const $KEY of $KEYS) {
...
}
- pattern-either:
- pattern: process.env[$KEY] = ...
- pattern: delete process.env[$KEY]
- patterns:
- pattern-inside: |
const $SOURCE_KEYS = [..., $FORBIDDEN, ...];
...
const $KEYS = [..., ...$SOURCE_KEYS, ...];
...
for (const $KEY of $KEYS) {
...
}
- pattern-either:
- pattern: process.env[$KEY] = ...
- pattern: delete process.env[$KEY]
- patterns:
- pattern-inside: |
const $ENV = process.env;
...
const $KEYS = [..., $FORBIDDEN, ...];
...
for (const $KEY of $KEYS) {
...
}
- pattern-either:
- pattern: $ENV[$KEY] = ...
- pattern: delete $ENV[$KEY]
- metavariable-regex:
metavariable: $FORBIDDEN
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|http_proxy|https_proxy|NO_PROXY|no_proxy|GLOBAL_AGENT_HTTP_PROXY|GLOBAL_AGENT_HTTPS_PROXY|GLOBAL_AGENT_NO_PROXY|GLOBAL_AGENT_FORCE_GLOBAL_AGENT|OPENCLAW_PROXY_ACTIVE|OPENCLAW_PROXY_LOOPBACK_MODE)["']?$
- pattern-not-inside: |
function applyProxyEnv(...) {
...
}
- pattern-not-inside: |
function restoreProxyEnv(...) {
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
acquire(...) {
...
}
...
}
- pattern-not-inside: |
class NoProxyLeaseManager {
...
release(...) {
...
}
...
}
- id: managed-proxy-global-agent-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate GLOBAL_AGENT proxy runtime state.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- "CWE-441"
category: security
confidence: HIGH
paths:
include:
- "src/**/*.ts"
- "src/**/*.mts"
- "src/**/*.js"
- "src/**/*.mjs"
- "extensions/**/*.ts"
- "extensions/**/*.mts"
- "extensions/**/*.js"
- "extensions/**/*.mjs"
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- pattern: global.GLOBAL_AGENT = ...
- pattern: globalThis.GLOBAL_AGENT = ...
- pattern: global["GLOBAL_AGENT"] = ...
- pattern: globalThis["GLOBAL_AGENT"] = ...
- pattern: global.GLOBAL_AGENT.$KEY = ...
- pattern: global.GLOBAL_AGENT[$KEY] = ...
- pattern: globalThis.GLOBAL_AGENT.$KEY = ...
- pattern: globalThis.GLOBAL_AGENT[$KEY] = ...
- pattern: global["GLOBAL_AGENT"][$KEY] = ...
- pattern: globalThis["GLOBAL_AGENT"][$KEY] = ...
- pattern: delete global.GLOBAL_AGENT
- pattern: delete globalThis.GLOBAL_AGENT
- pattern: delete global["GLOBAL_AGENT"]
- pattern: delete globalThis["GLOBAL_AGENT"]
- pattern: delete global.GLOBAL_AGENT.$KEY
- pattern: delete global.GLOBAL_AGENT[$KEY]
- pattern: delete globalThis.GLOBAL_AGENT.$KEY
- pattern: delete globalThis.GLOBAL_AGENT[$KEY]
- pattern: Object.defineProperty(global.GLOBAL_AGENT, $KEY, ...)
- pattern: Object.defineProperty(globalThis.GLOBAL_AGENT, $KEY, ...)
- pattern: |
Object.assign(global.GLOBAL_AGENT, { $KEY: ... })
- pattern: |
Object.assign(globalThis.GLOBAL_AGENT, { $KEY: ... })
- metavariable-regex:
metavariable: $KEY
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|NO_PROXY)["']?$
- pattern-not-inside: |
function restoreGlobalAgentRuntime(...) {
...
}
- pattern-not-inside: |
function restoreNodeHttpStack(...) {
...
}
- pattern-not-inside: |
function bootstrapNodeHttpStack(...) {
...
}
- pattern-not-inside: |
function writeGlobalAgentNoProxy(...) {
...
}
- pattern-not-inside: |
function disableGlobalAgentProxyForIpv6GatewayLoopback(...) {
...
}
- id: managed-proxy-global-agent-object-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may replace or delete GLOBAL_AGENT runtime state.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- "CWE-441"
category: security
confidence: HIGH
paths:
include:
- "src/**/*.ts"
- "src/**/*.mts"
- "src/**/*.js"
- "src/**/*.mjs"
- "extensions/**/*.ts"
- "extensions/**/*.mts"
- "extensions/**/*.js"
- "extensions/**/*.mjs"
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- pattern: global.GLOBAL_AGENT = ...
- pattern: globalThis.GLOBAL_AGENT = ...
- pattern: global["GLOBAL_AGENT"] = ...
- pattern: globalThis["GLOBAL_AGENT"] = ...
- pattern: delete global.GLOBAL_AGENT
- pattern: delete globalThis.GLOBAL_AGENT
- pattern: delete global["GLOBAL_AGENT"]
- pattern: delete globalThis["GLOBAL_AGENT"]
- patterns:
- pattern-inside: |
const $GLOBAL = global;
...
- pattern-either:
- pattern: $GLOBAL.GLOBAL_AGENT = ...
- pattern: $GLOBAL["GLOBAL_AGENT"] = ...
- pattern: delete $GLOBAL.GLOBAL_AGENT
- pattern: delete $GLOBAL["GLOBAL_AGENT"]
- patterns:
- pattern-inside: |
const $GLOBAL = global as $TYPE;
...
- pattern-either:
- pattern: $GLOBAL.GLOBAL_AGENT = ...
- pattern: $GLOBAL["GLOBAL_AGENT"] = ...
- pattern: delete $GLOBAL.GLOBAL_AGENT
- pattern: delete $GLOBAL["GLOBAL_AGENT"]
- pattern-not-inside: |
function restoreNodeHttpStack(...) {
...
}
- id: managed-proxy-global-agent-alias-mutation
languages:
- typescript
- javascript
severity: ERROR
message: Only managed proxy owner scopes may mutate GLOBAL_AGENT aliases.
metadata:
advisory-id: OPENCLAW-POLICY-MANAGED-PROXY-RUNTIME-MUTATION
advisory-url: https://github.com/openclaw/openclaw/pull/77126
cwe:
- "CWE-441"
category: security
confidence: HIGH
paths:
include:
- "src/**/*.ts"
- "src/**/*.mts"
- "src/**/*.js"
- "src/**/*.mjs"
- "extensions/**/*.ts"
- "extensions/**/*.mts"
- "extensions/**/*.js"
- "extensions/**/*.mjs"
exclude:
- "**/*.test.*"
- "**/*.spec.*"
- "**/*.min.js"
- "**/vendor/**"
patterns:
- pattern-either:
- patterns:
- pattern-inside: |
const $AGENT = global.GLOBAL_AGENT;
...
- pattern-either:
- pattern: $AGENT.$KEY = ...
- pattern: $AGENT[$KEY] = ...
- pattern: delete $AGENT.$KEY
- pattern: delete $AGENT[$KEY]
- pattern: Object.defineProperty($AGENT, $KEY, ...)
- pattern: |
Object.assign($AGENT, { $KEY: ... })
- patterns:
- pattern-inside: |
const $AGENT = global["GLOBAL_AGENT"];
...
- pattern-either:
- pattern: $AGENT.$KEY = ...
- pattern: $AGENT[$KEY] = ...
- pattern: delete $AGENT.$KEY
- pattern: delete $AGENT[$KEY]
- pattern: Object.defineProperty($AGENT, $KEY, ...)
- pattern: |
Object.assign($AGENT, { $KEY: ... })
- patterns:
- pattern-inside: |
const $AGENT = (global as $TYPE)["GLOBAL_AGENT"] as $AGENT_TYPE;
...
- pattern-either:
- pattern: $AGENT.$KEY = ...
- pattern: $AGENT[$KEY] = ...
- pattern: delete $AGENT.$KEY
- pattern: delete $AGENT[$KEY]
- pattern: Object.defineProperty($AGENT, $KEY, ...)
- pattern: |
Object.assign($AGENT, { $KEY: ... })
- patterns:
- pattern-inside: |
const $GLOBAL = global;
...
- pattern-either:
- pattern: $GLOBAL.GLOBAL_AGENT = ...
- pattern: $GLOBAL["GLOBAL_AGENT"] = ...
- pattern: $GLOBAL.GLOBAL_AGENT.$KEY = ...
- pattern: $GLOBAL.GLOBAL_AGENT[$KEY] = ...
- pattern: $GLOBAL["GLOBAL_AGENT"][$KEY] = ...
- pattern: delete $GLOBAL.GLOBAL_AGENT
- pattern: delete $GLOBAL["GLOBAL_AGENT"]
- pattern: delete $GLOBAL.GLOBAL_AGENT.$KEY
- pattern: delete $GLOBAL.GLOBAL_AGENT[$KEY]
- pattern: delete $GLOBAL["GLOBAL_AGENT"][$KEY]
- patterns:
- pattern-inside: |
const $GLOBAL = global as $TYPE;
...
- pattern-either:
- pattern: $GLOBAL.GLOBAL_AGENT = ...
- pattern: $GLOBAL["GLOBAL_AGENT"] = ...
- pattern: $GLOBAL.GLOBAL_AGENT.$KEY = ...
- pattern: $GLOBAL.GLOBAL_AGENT[$KEY] = ...
- pattern: $GLOBAL["GLOBAL_AGENT"][$KEY] = ...
- pattern: delete $GLOBAL.GLOBAL_AGENT
- pattern: delete $GLOBAL["GLOBAL_AGENT"]
- pattern: delete $GLOBAL.GLOBAL_AGENT.$KEY
- pattern: delete $GLOBAL.GLOBAL_AGENT[$KEY]
- pattern: delete $GLOBAL["GLOBAL_AGENT"][$KEY]
- metavariable-regex:
metavariable: $KEY
regex: ^["']?(HTTP_PROXY|HTTPS_PROXY|NO_PROXY)["']?$
- pattern-not-inside: |
function restoreGlobalAgentRuntime(...) {
...
}
- pattern-not-inside: |
function restoreNodeHttpStack(...) {
...
}
- pattern-not-inside: |
function bootstrapNodeHttpStack(...) {
...
}
- pattern-not-inside: |
function writeGlobalAgentNoProxy(...) {
...
}
- pattern-not-inside: |
function disableGlobalAgentProxyForIpv6GatewayLoopback(...) {
...
}