AssertSecurePath verifies that a file/command path is safe for use with OpenClaw SecretRef resolution. On success it returns the effective path (the symlink target, if the input was a symlink and allowed). The check is a short, ordered pipeline — each step below is both a read of the contract and a pointer to the helper that enforces it.
(params AuditParams)
| 30 | // The check is a short, ordered pipeline — each step below is both a read of |
| 31 | // the contract and a pointer to the helper that enforces it. |
func AssertSecurePath(params AuditParams) (string, error) {
	path, name := params.TargetPath, params.Label

	// Relative paths are refused first: they would depend on the process cwd.
	if err := requireAbsolutePath(path, name); err != nil {
		return "", err
	}

	// Inspect the path itself before anything follows a link. Judging by the
	// helper's name this is an lstat that also refuses directories; confirm
	// against lstatNonDir.
	info, err := lstatNonDir(path, name)
	if err != nil {
		return "", err
	}

	// From here on every check runs against the resolved path, not the input,
	// so a symlink cannot point the later checks at a different file than the
	// one that is returned to the caller.
	resolved, err := resolveSymlinkIfAllowed(path, info, params)
	if err != nil {
		return "", err
	}

	// Trusted-directory containment is enforced unconditionally; it is NOT
	// skipped by AllowInsecurePath below.
	if err := requireInTrustedDirs(resolved, params.TrustedDirs, name); err != nil {
		return "", err
	}

	// AllowInsecurePath opts out of the permission and ownership audits only.
	if !params.AllowInsecurePath {
		if err := auditFilePermissions(resolved, params.AllowReadableByOthers, name); err != nil {
			return "", err
		}
		if err := checkOwnerUID(resolved, name); err != nil {
			return "", err
		}
	}

	// NOTE(review): every step takes the path by name and the caller receives
	// a path, not an open handle. Whether anything prevents the file from
	// being replaced between these checks and its later use is not visible
	// here; confirm in the helpers and at the call site.
	return resolved, nil
}
| 66 | |
| 67 | // requireAbsolutePath rejects relative paths; relative paths would depend on |
| 68 | // the process cwd and defeat the point of a static audit. Shell-style |