PR #68754: fix: remove unconditional heredoc approval in allowlist mode

• Repository: openclaw/openclaw
• Author: Kailigithub
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/68754

Description (problem / solution / changelog)

Problem

Closes #68661

In allowlist security mode, any command containing a heredoc (<<) unconditionally triggers an approval prompt, even when:

1. The target binary is in the allowlist (allowlistSatisfied === true)
2. Command analysis passes (analysisOk === true)
3. The heredoc is safe (quoted <<'EOF' or no command substitution)

Example that should auto-execute but prompts instead:

cat <<'EOF
hello world
EOF

This is a regression — PR #13811 previously fixed heredoc handling, but the extra requiresHeredocApproval gate was added later and overrides the analysis result.

Root Cause

src/agents/bash-tools.exec-host-gateway.ts:161-165:

const requiresHeredocApproval =
    hostSecurity === "allowlist" && analysisOk && allowlistSatisfied && hasHeredocSegment;

This unconditionally forces approval for ALL heredoc commands when in allowlist mode, regardless of whether the heredoc has already been validated as safe by the analysis layer.

Fix

Remove the requiresHeredocApproval gate entirely:

• Delete hasHeredocSegment and requiresHeredocApproval variables
• Remove from the requiresAsk condition
• Remove the associated warning message

The analysis layer (exec-approvals-analysis.ts) already fully validates heredoc safety:

• Quoted heredoc (<<'EOF'): no expansion → safe ✓
• Unquoted, no substitution: safe ✓
• Unquoted with $(...) or backticks: rejected by analysis ✓
• Unterminated heredoc: rejected by analysis ✓

Dangerous heredocs never reach this code path, so the extra gate is redundant.

Testing

# Should now auto-execute (was prompting before):
cat <<'EOF
hello world
EOF

# Should still be blocked by analysis:
cat <<EOF
$(whoami)
EOF

Impact

• 1 file changed, 2 insertions(+), 13 deletions(-)
• Only affects allowlist mode + heredoc commands
• No changes to analysis or non-heredoc approval paths

Changed files

• src/agents/bash-tools.exec-host-gateway.ts (modified, +2/-13)

PR #68824: fix: remove blanket heredoc approval gate in allowlist mode

• Repository: openclaw/openclaw
• Author: tianhaocui
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/68824

Description (problem / solution / changelog)

Fixes #68661

Summary

Removes the overly broad requiresHeredocApproval gate in bash-tools.exec-host-gateway.ts that forces an approval prompt for all heredoc commands in allowlist mode, even when the target binary is already in the allowlist.

Root Cause

A security hardening added after PR #13811 introduced a blanket requiresHeredocApproval check that fires whenever any segment contains a << token — regardless of whether the heredoc is safe (quoted delimiter, no expansion tokens). This regressed the original fix.

Why This Is Safe

The analysis layer (splitShellPipeline in exec-approvals-analysis.ts) already handles security:

• Unquoted heredocs containing $(...), backticks, or ${...} return ok: false with reason "command substitution in unquoted heredoc"
• This causes analysisOk to be false, which makes requiresExecApproval return true and force approval

Safe heredocs (quoted delimiters like <<'EOF') parse as ok: true and should pass through the allowlist without an extra approval prompt.

Changes

• Removed hasHeredocSegment and requiresHeredocApproval variables
• Removed requiresHeredocApproval from the requiresAsk OR chain
• Removed the heredoc warning push

Net: 11 lines deleted, 0 lines added.

Test Plan

• Configure an agent with security: "allowlist" and ask: "off"
• Add /usr/bin/cat to the allowlist
• Run cat <<'EOF'\nhello world\nEOF
• Verify: command runs without approval prompt
• Run cat <<EOF\n$(whoami)\nEOF (unquoted with expansion)
• Verify: approval is still required (handled by splitShellPipeline)

Changed files

• src/agents/bash-tools.exec-host-gateway.ts (modified, +0/-11)

PR #68854: fix(security): allow quoted heredocs in allowlist mode without extra approval

• Repository: openclaw/openclaw
• Author: armorbreak001
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/68854

Description (problem / solution / changelog)

Summary

Fixes #68661

Commands with << heredoc syntax trigger an approval prompt in allowlist mode even when the target binary is in the allowlist. This regressed from the original fix (#13811) after a security hardening (f23da067).

Root Cause

The hardening commit added requiresHeredocApproval that triggers for any heredoc token (token.startsWith("<<")), without distinguishing between safe (quoted) and potentially unsafe (unquoted) heredocs.

Fix

• Quoted heredocs (<<'EOF', <<"EOF", <<-'EOF', <<-"EOF"): No longer require extra approval. The shell treats the body as literal text — no variable expansion, no command substitution.
• Unquoted heredocs (<<EOF, <<-EOF): Still require explicit approval. $() and backtick commands inside the body get evaluated by the shell, which is a real security concern.

Examples

Testing

• Updated warning message test to match new wording
• Existing ReDoS guard test still passes (uses quoted heredoc)

Changed files

• src/agents/bash-tools.exec-host-gateway.test.ts (modified, +95/-0)
• src/agents/bash-tools.exec-host-gateway.ts (modified, +11/-4)
• src/agents/pi-embedded-subscribe.handlers.tools.test.ts (modified, +1/-1)