From 67d52f090343e49436dca627232b7d8ac97bda8f Mon Sep 17 00:00:00 2001
From: stikman28
Date: Fri, 27 Mar 2026 17:02:25 -0600
Subject: [PATCH] fix(security): replace method wildcards with explicit GET+POST in baseline policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace `method: "*"` with explicit `GET` and `POST` rules on all inference provider endpoints in the baseline sandbox policy:

- api.anthropic.com (Claude API)
- statsig.anthropic.com (telemetry)
- sentry.io (crash reporting)
- integrate.api.nvidia.com (NVIDIA inference)
- inference-api.nvidia.com (NVIDIA inference alt)

The wildcard permits DELETE, PUT, and PATCH methods that these APIs do not require. Inference calls use POST (completions, messages, token counting) and GET (model listing, health checks, usage). Restricting to these two methods reduces the attack surface if an agent or plugin is compromised — it cannot issue destructive HTTP methods against the inference providers.

No functional change: all existing agent operations (inference, telemetry, crash reporting) use only GET and POST.
---
 .../policies/openclaw-sandbox.yaml | 15 +++++++----
 test/security-method-wildcards.test.js | 27 +++++++++++++++++++
 2 files changed, 37 insertions(+), 5 deletions(-)
 create mode 100644 test/security-method-wildcards.test.js

diff --git a/nemoclaw-blueprint/policies/openclaw-sandbox.yaml b/nemoclaw-blueprint/policies/openclaw-sandbox.yaml
index 4b877aa13..ac02ddb58 100644
--- a/nemoclaw-blueprint/policies/openclaw-sandbox.yaml
+++ b/nemoclaw-blueprint/policies/openclaw-sandbox.yaml
@@ -53,15 +53,18 @@ network_policies:
 enforcement: enforce
 tls: terminate
 rules:
- - allow: { method: "*", path: "/**" }
+ - allow: { method: GET, path: "/**" }
+ - allow: { method: POST, path: "/**" }
 - host: statsig.anthropic.com
 port: 443
 rules:
- - allow: { method: "*", path: "/**" }
+ - allow: { method: GET, path: "/**" }
+ - allow: { method: POST, path: "/**" }
 - host: sentry.io
 port: 443
 rules:
- - allow: { method: "*", path: "/**" }
+ - allow: { method: GET, path: "/**" }
+ - allow: { method: POST, path: "/**" }
 binaries:
 - { path: /usr/local/bin/claude }
@@ -74,14 +77,16 @@ network_policies:
 enforcement: enforce
 tls: terminate
 rules:
- - allow: { method: "*", path: "/**" }
+ - allow: { method: GET, path: "/**" }
+ - allow: { method: POST, path: "/**" }
 - host: inference-api.nvidia.com
 port: 443
 protocol: rest
 enforcement: enforce
 tls: terminate
 rules:
- - allow: { method: "*", path: "/**" }
+ - allow: { method: GET, path: "/**" }
+ - allow: { method: POST, path: "/**" }
 binaries:
 - { path: /usr/local/bin/claude }
 - { path: /usr/local/bin/openclaw }
diff --git a/test/security-method-wildcards.test.js b/test/security-method-wildcards.test.js
new file mode 100644
index 000000000..33ab19bf0
--- /dev/null
+++ b/test/security-method-wildcards.test.js
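Review bot: The new GET/POST rules under `statsig.anthropic.com` and `sentry.io` sit in entries that show only `port: 443` and `rules:`, while the entry at the top of the hunk carries `enforcement: enforce` and `tls: terminate`; a proxy can only see the HTTP method of an HTTPS request if it terminates TLS, so unless those keys are inherited from a default outside this hunk, the method split on those two hosts may not be enforced at all. If the schema requires them per host, add `protocol: rest`, `enforcement: enforce` and `tls: terminate` to both entries in the same change, since the commit's attack-surface claim depends on it. A why-comment above the first rule would also record the intent, e.g. `# Inference/telemetry clients need only GET (model listing, health) and POST (completions, events); DELETE/PUT/PATCH are intentionally denied.` The host line of the first entry is above the hunk's leading context, and the old-side count of 15 is one more than the lines visible here, so this chunk may have lost a line in extraction.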
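Review bot: Both NVIDIA entries keep `path: "/**"`, so after this change a compromised agent can still POST to any route on `inference-api.nvidia.com` (and on the host whose entry starts above this hunk); the method split only removes verbs the commit message says are unused, it does not bound which endpoints are reachable. Since the message already enumerates the operations (completions, messages, token counting, model listing, health, usage), a follow-up could replace `/**` with the documented path prefixes for those operations — I would not guess them here, they need checking against the provider's API reference. A short comment on the rules would make the intent explicit: `# GET/POST only: inference and model-listing endpoints; destructive verbs are denied.`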
@@ -0,0 +1,27 @@
+// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { describe, it, expect } from "vitest";
+import fs from "node:fs";
+import path from "node:path";
+
+const BASELINE = path.join(import.meta.dirname, "..", "nemoclaw-blueprint", "policies", "openclaw-sandbox.yaml");
+
+describe("method wildcards: baseline policy", () => {
+ it("no endpoint uses method: \"*\" wildcard", () => {
+ // method: "*" permits DELETE, PUT, PATCH which inference APIs do not
+ // require. All endpoints should use explicit method rules (GET, POST).
+ const yaml = fs.readFileSync(BASELINE, "utf-8");
+ const lines = yaml.split("\n");
+ const violations = [];
+
+ for (let i = 0; i < lines.length; i++) {
+ const line = lines[i];
+ if (/method:\s*["']\*["']/.test(line)) {
+ violations.push({ line: i + 1, content: line.trim() });
+ }
+ }
+
+ expect(violations).toEqual([]);
+ });
+});
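Review bot: The assertion in `it()` only proves the literal `method: "*"` token is absent, so a rule such as `method: DELETE`, a list value containing `"*"`, or a wildcard spelled however the policy schema allows would still pass, while a commented-out `# ... method: "*"` line would fail the suite; a positive check that every `method:` value on a non-comment line is GET or POST pins what the commit actually claims, sketched below. Separately, `import.meta.dirname` in the `BASELINE` line exists only on Node 20.11+/21.2+; on an older runtime `path.join` throws on `undefined` and the test fails for an unrelated reason, so `path.dirname(fileURLToPath(import.meta.url))` is the portable form if the repo's engines floor is lower (not visible here). The comment at the top of the test body should then read `// every method: value must be GET or POST; a wildcard or any other verb is a violation`.
```javascript
const ALLOWED_METHODS = new Set(["GET", "POST"]);
// … unchanged: BASELINE, describe/it header, readFileSync and split …
for (const [i, line] of lines.entries()) {
  // skip comment lines; capture the bare or quoted value after `method:`
  const m = /^\s*[^#].*?method:\s*["']?([^,}\s"']+)/.exec(line);
  if (m && !ALLOWED_METHODS.has(m[1])) {
    violations.push({ line: i + 1, method: m[1], content: line.trim() });
  }
}
```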