# Vulnerability Summary

## Overview

The device pairing feature of OpenCLaw has a security flaw: an attacker can craft a request that bypasses the device pairing verification and obtains unauthorized access as a paired device. The regression tests below point at the core defect: a bootstrap token was honoured even when the pairing request claimed a role or scopes beyond the profile the token was issued for, and token handling (trimming, single use, expiry) was not enforced strictly.

## Affected

- All users of the OpenCLaw device pairing feature
- The device bootstrap verification logic

## Fix

1. Modify the `verifyDeviceBootstrapToken` function in `src/infra/device-bootstrap.ts` (the test file below calls it as `verifyBootstrapToken`; both names appear on this page)
2. Add strict validation of the token: trim surrounding whitespace but accept nothing else, consume each token exactly once, and prune expired records
3. Fix the permission check in the pairing flow so the requested role and scopes can never exceed the issued profile

## PoC Code

```typescript
// src/infra/device-bootstrap.test.ts
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { expect, it, vi } from "vitest";
// Assumed import path: the module under test sits beside this test file.
import {
  issueDeviceBootstrapToken,
  resolveBootstrapPath,
  verifyBootstrapToken,
} from "./device-bootstrap.js";

// Helper assumed here: a fresh temporary directory per test so bootstrap
// records from different tests never collide.
async function createTempDir(): Promise<string> {
  return fs.mkdtemp(path.join(os.tmpdir(), "openclaw-bootstrap-"));
}

// A client must not be able to claim more than the token was issued for.
it("rejects bootstrap verification when role or scopes exceed the issued profile", async () => {
  const baseDir = await createTempDir();
  const issued = await issueDeviceBootstrapToken({ baseDir });
  await expect(
    verifyBootstrapToken(baseDir, issued.token, {
      role: "operator",
      scopes: ["operator.admin"],
    }),
  ).resolves.toEqual({ ok: false, reason: "bootstrap_token_invalid" });
});

// The issued token is persisted under baseDir; the verifier must accept it
// with surrounding whitespace removed and consume it once.
it("accepts trimmed bootstrap tokens and still consumes them once", async () => {
  const baseDir = await createTempDir();
  const issued = await issueDeviceBootstrapToken({ baseDir });
  const raw = await fs.readFile(resolveBootstrapPath(baseDir), "utf8");
  expect(raw).toContain(issued.token);
});

// Legacy records stored only issuedAtMs (no explicit expiry). They must still
// verify exactly once; afterwards the consumed record is gone and the token is
// rejected. Fake timers are restored so they do not leak into other tests.
it("accepts legacy records that only stored issuedAtMs and prunes expired tokens", async () => {
  vi.useFakeTimers();
  try {
    const baseDir = await createTempDir();
    const bootstrapPath = resolveBootstrapPath(baseDir);
    // (the legacy record for "legacyToken" is written to bootstrapPath here; not shown on the page)
    await expect(verifyBootstrapToken(baseDir, "legacyToken")).resolves.toEqual({ ok: true });
    await expect(verifyBootstrapToken(baseDir, "legacyToken")).resolves.toEqual({
      ok: false,
      reason: "bootstrap_token_invalid",
    });
  } finally {
    vi.useRealTimers();
  }
});
```