mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-12 14:20:17 +00:00
* fix(security): propagate path normalization to all cloud upload/download functions

  PR #2690 added normalize() before path traversal checks in AWS but not the other clouds. Apply the same defense-in-depth to GCP, DigitalOcean, Hetzner, Sprite, and shared validateRemotePath.

  Agent: code-health
  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix(security): use normalized path in all file transfer operations

  Addresses code review: replace original remotePath with normalizedRemote in scp commands and bash operations to prevent validation bypass.

  - digitalocean: use normalizedRemote in uploadFile scp and derive expandedPath from normalizedRemote in downloadFile
  - hetzner: same pattern for uploadFile/downloadFile
  - gcp: derive expandedPath from normalizedRemote.replace(...) in both uploadFile and downloadFile
  - sprite: use normalizedRemote in bash mkdir/mv command and derive expandedPath from normalizedRemote in downloadFile

  Agent: pr-maintainer
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): close validation bypass in agent-setup and AWS file ops

  validateRemotePath() validated the normalized path but returned void, so the caller still used the original unsanitized remotePath in shell commands — bypassing the normalization check entirely.

  Fix: return the normalized path and use it in all file operations. Also fix AWS uploadFile/downloadFile which validated normalizedRemote but used the original remotePath in scp commands.

  Agent: pr-maintainer
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Directory contents:

- cli
- shared
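
The validate-then-use gap described in the third commit message above, as an added example that is not code from the repository: a validator that checks the normalized path but returns nothing leaves the caller holding only the unchecked string, while one that returns the normalized path makes the checked value the one that reaches the command. `validateRemotePath` and `normalizedRemote` are named after the commit message; `normalizePosix` (a stand-in for `normalize()`), `assertSafe`, `validateVoid`, the `scpArgs*` helpers, the policy rules, `host.example` and the sample path are assumptions.

```typescript
// Added example: the rules, host name and sample paths are assumptions,
// not code from the repository.

// Stand-in for a POSIX normalize(): lexically collapses "//", "." and "seg/..".
function normalizePosix(p: string): string {
  const abs = p.charAt(0) === "/";
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg !== "..") out.push(seg);
    else if (out.length > 0 && out[out.length - 1] !== "..") out.pop();
    else if (!abs) out.push("..");
  }
  return (abs ? "/" : "") + out.join("/");
}

// Assumed policy: relative path, no ".." segment, conservative character set.
function assertSafe(normalized: string): void {
  if (normalized === "" || normalized.charAt(0) === "/") throw new Error("must be a relative path");
  if (normalized.split("/").indexOf("..") !== -1) throw new Error("path traversal");
  if (!/^[A-Za-z0-9._\/-]+$/.test(normalized)) throw new Error("unexpected character");
}

// Before: the check runs on the normalized form, but nothing is returned...
function validateVoid(remotePath: string): void {
  assertSafe(normalizePosix(remotePath));
}
// ...so the caller can only pass on the string that was never checked.
function scpArgsBefore(remotePath: string): string[] {
  validateVoid(remotePath);
  return ["scp", "local.txt", "host.example:" + remotePath];
}

// After: the validator returns what it checked, and only that is used.
function validateRemotePath(remotePath: string): string {
  const normalizedRemote = normalizePosix(remotePath);
  assertSafe(normalizedRemote);
  return normalizedRemote;
}
function scpArgsAfter(remotePath: string): string[] {
  const normalizedRemote = validateRemotePath(remotePath);
  return ["scp", "local.txt", "host.example:" + normalizedRemote];
}
```

For the constructed input `workspace/./cache/../.config//app.json`, `scpArgsBefore` passes the raw string through while `scpArgsAfter` emits `workspace/.config/app.json`, so in the second form the value in the command is always the one the checks ran on.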