Diffs

Pass

Audited by VirusTotal on May 10, 2026.

Findings (1)

Package: @openclaw/diffs (npm)
Version: 2026.5.7
Description: OpenClaw diff viewer plugin

The package implements a diff rendering and viewing tool designed to function as an OpenClaw plugin. It uses `playwright-core` to render diffs to PNG/PDF files and hosts an interactive HTML viewer via the OpenClaw gateway. The code demonstrates strong security practices essential for handling potentially untrusted content (diff inputs) and an external process (headless browser rendering):

1. **Input Validation & Limits:** Strict size limits are enforced on the `before`, `after`, and `patch` inputs to prevent denial of service (DoS) via excessively large data.
2. **Artifact Security & Path Traversal Prevention:** The `DiffArtifactStore` enforces boundary checks (`assertWithinRoot`) so that all stored artifacts (HTML, PNG, PDF) are confined to the designated temporary directory, mitigating path traversal.
3. **Network Isolation (SSRF Mitigation):** When `playwright-core` renders a diff to PNG/PDF, the package installs custom request routing that prevents the headless browser instance from making external network connections. The browser is limited to loopback assets served by the plugin itself, preventing server-side request forgery (SSRF) triggered by malicious content embedded in the diff.
4. **Viewer Access Control:** The hosted viewer defaults to loopback-only access (`127.0.0.1`); exposing the viewer URL remotely requires explicit configuration (`security.allowRemoteViewer`). Failed remote access attempts are rate-limited to slow brute-force guessing of artifact tokens.
5. **Content Security Policy (CSP):** The hosted diff viewer HTML carries a strict CSP (`default-src 'none'`) that isolates the content and blocks unwanted resource loading and scripting.