From 620182242ff30a44da2db4b14905034cc47c7fc7 Mon Sep 17 00:00:00 2001 From: pranav-singhal Date: Tue, 27 Jan 2026 00:01:21 +0530 Subject: [PATCH 1/5] fix: add entrypoint to fix Railway volume permissions --- Dockerfile | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 642cfd612..4eff8b546 100644 --- a/Dockerfile +++ b/Dockerfile @@ -32,9 +32,15 @@ RUN pnpm ui:build ENV NODE_ENV=production -# Security hardening: Run as non-root user -# The node:22-bookworm image includes a 'node' user (uid 1000) -# This reduces the attack surface by preventing container escape via root privileges -USER node +# Install gosu for dropping privileges safely +RUN apt-get update && apt-get install -y --no-install-recommends gosu && rm -rf /var/lib/apt/lists/* +# Entrypoint script: fix /data permissions then drop to node user +RUN printf '#!/bin/sh\n\ +if [ -d /data ]; then\n\ + chown -R node:node /data 2>/dev/null || true\n\ +fi\n\ +exec gosu node "$@"\n' > /entrypoint.sh && chmod +x /entrypoint.sh + +ENTRYPOINT ["/entrypoint.sh"] CMD ["node", "dist/index.js"] From 261fa7a6bf20cb13c289eb7f097b7b2fc0705da0 Mon Sep 17 00:00:00 2001 From: pranav-singhal Date: Tue, 27 Jan 2026 00:14:43 +0530 Subject: [PATCH 2/5] added trusted proxies --- Dockerfile | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4eff8b546..083337b87 100644 --- a/Dockerfile +++ b/Dockerfile @@ -35,11 +35,23 @@ ENV NODE_ENV=production # Install gosu for dropping privileges safely RUN apt-get update && apt-get install -y --no-install-recommends gosu && rm -rf /var/lib/apt/lists/* -# Entrypoint script: fix /data permissions then drop to node user +# Entrypoint script: fix /data permissions, create Railway config, then drop to node user RUN printf '#!/bin/sh\n\ if [ -d /data ]; then\n\ chown -R node:node /data 2>/dev/null || true\n\ fi\n\ +# Create initial config with trustedProxies for Railway/cloud deployments\n\ +if [ -n "$CLAWDBOT_STATE_DIR" ] && [ ! -f "$CLAWDBOT_STATE_DIR/clawdbot.json" ]; then\n\ + mkdir -p "$CLAWDBOT_STATE_DIR"\n\ + cat > "$CLAWDBOT_STATE_DIR/clawdbot.json" << EOF\n\ +{\n\ + "gateway": {\n\ + "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]\n\ + }\n\ +}\n\ +EOF\n\ + chown node:node "$CLAWDBOT_STATE_DIR/clawdbot.json"\n\ +fi\n\ exec gosu node "$@"\n' > /entrypoint.sh && chmod +x /entrypoint.sh ENTRYPOINT ["/entrypoint.sh"] From 1e07b0987b228afb776cb4a0acdca6f4d6e8b7a8 Mon Sep 17 00:00:00 2001 From: pranav-singhal Date: Tue, 27 Jan 2026 00:33:41 +0530 Subject: [PATCH 3/5] added fallback --- Dockerfile | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 083337b87..3f23ac593 100644 --- a/Dockerfile +++ b/Dockerfile @@ -35,22 +35,26 @@ ENV NODE_ENV=production # Install gosu for dropping privileges safely RUN apt-get update && apt-get install -y --no-install-recommends gosu && rm -rf /var/lib/apt/lists/* -# Entrypoint script: fix /data permissions, create Railway config, then drop to node user +# Entrypoint script: fix /data permissions, ensure trustedProxies config, then drop to node user RUN printf '#!/bin/sh\n\ if [ -d /data ]; then\n\ chown -R node:node /data 2>/dev/null || true\n\ fi\n\ -# Create initial config with trustedProxies for Railway/cloud deployments\n\ -if [ -n "$CLAWDBOT_STATE_DIR" ] && [ ! -f "$CLAWDBOT_STATE_DIR/clawdbot.json" ]; then\n\ +# Ensure trustedProxies config exists for Railway/cloud deployments\n\ +if [ -n "$CLAWDBOT_STATE_DIR" ]; then\n\ mkdir -p "$CLAWDBOT_STATE_DIR"\n\ - cat > "$CLAWDBOT_STATE_DIR/clawdbot.json" << EOF\n\ + CONFIG_FILE="$CLAWDBOT_STATE_DIR/clawdbot.json"\n\ + # If no config or config lacks trustedProxies, create/update it\n\ + if [ ! -f "$CONFIG_FILE" ] || ! grep -q "trustedProxies" "$CONFIG_FILE" 2>/dev/null; then\n\ + cat > "$CONFIG_FILE" << EOF\n\ {\n\ "gateway": {\n\ "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]\n\ }\n\ }\n\ EOF\n\ - chown node:node "$CLAWDBOT_STATE_DIR/clawdbot.json"\n\ + fi\n\ + chown node:node "$CONFIG_FILE" 2>/dev/null || true\n\ fi\n\ exec gosu node "$@"\n' > /entrypoint.sh && chmod +x /entrypoint.sh From 269329ea49c3c9af07add1108f03c2b3c30eaca2 Mon Sep 17 00:00:00 2001 From: pranav-singhal Date: Tue, 27 Jan 2026 00:44:37 +0530 Subject: [PATCH 4/5] fixed net.ts --- src/gateway/net.ts | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/src/gateway/net.ts b/src/gateway/net.ts index 6702e0e8b..3814e730d 100644 --- a/src/gateway/net.ts +++ b/src/gateway/net.ts @@ -48,10 +48,45 @@ function parseRealIp(realIp?: string): string | undefined { return normalizeIp(stripOptionalPort(raw)); } +/** + * Check if an IPv4 address falls within a CIDR range. + * @param ip - The IP address to check (e.g., "100.64.0.3") + * @param cidr - The CIDR range (e.g., "100.64.0.0/10") + * @returns True if the IP is within the CIDR range + */ +function isIpInCidr(ip: string, cidr: string): boolean { + const [range, bitsStr] = cidr.split("/"); + if (!range || !bitsStr) return false; + + const bits = parseInt(bitsStr, 10); + if (Number.isNaN(bits) || bits < 0 || bits > 32) return false; + + const ipParts = ip.split(".").map((p) => parseInt(p, 10)); + const rangeParts = range.split(".").map((p) => parseInt(p, 10)); + + if (ipParts.length !== 4 || rangeParts.length !== 4) return false; + if (ipParts.some((p) => Number.isNaN(p)) || rangeParts.some((p) => Number.isNaN(p))) return false; + + const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3]; + const rangeNum = (rangeParts[0] << 24) | (rangeParts[1] << 16) | (rangeParts[2] << 8) | rangeParts[3]; + + // Create mask: bits=10 means top 10 bits must match + const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0; + + return ((ipNum >>> 0) & mask) === ((rangeNum >>> 0) & mask); +} + export function isTrustedProxyAddress(ip: string | undefined, trustedProxies?: string[]): boolean { const normalized = normalizeIp(ip); if (!normalized || !trustedProxies || trustedProxies.length === 0) return false; - return trustedProxies.some((proxy) => normalizeIp(proxy) === normalized); + return trustedProxies.some((proxy) => { + // Check if it's a CIDR range + if (proxy.includes("/")) { + return isIpInCidr(normalized, proxy); + } + // Exact match + return normalizeIp(proxy) === normalized; + }); } export function resolveGatewayClientIp(params: { From df9ee246afdd0780f35167f9eb990e2e88b4ef9b Mon Sep 17 00:00:00 2001 From: pranav-singhal Date: Tue, 27 Jan 2026 00:53:03 +0530 Subject: [PATCH 5/5] fix: update entrypoint script to ensure cloud-ready config with allowInsecureAuth --- Dockerfile | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3f23ac593..d9a0d04d6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -35,21 +35,24 @@ ENV NODE_ENV=production # Install gosu for dropping privileges safely RUN apt-get update && apt-get install -y --no-install-recommends gosu && rm -rf /var/lib/apt/lists/* -# Entrypoint script: fix /data permissions, ensure trustedProxies config, then drop to node user +# Entrypoint script: fix /data permissions, ensure cloud-ready config, then drop to node user RUN printf '#!/bin/sh\n\ if [ -d /data ]; then\n\ chown -R node:node /data 2>/dev/null || true\n\ fi\n\ -# Ensure trustedProxies config exists for Railway/cloud deployments\n\ +# Ensure cloud-ready config exists for Railway/cloud deployments\n\ if [ -n "$CLAWDBOT_STATE_DIR" ]; then\n\ mkdir -p "$CLAWDBOT_STATE_DIR"\n\ CONFIG_FILE="$CLAWDBOT_STATE_DIR/clawdbot.json"\n\ - # If no config or config lacks trustedProxies, create/update it\n\ - if [ ! -f "$CONFIG_FILE" ] || ! grep -q "trustedProxies" "$CONFIG_FILE" 2>/dev/null; then\n\ + # If no config or config lacks trustedProxies or allowInsecureAuth, create it\n\ + if [ ! -f "$CONFIG_FILE" ] || ! grep -q "trustedProxies" "$CONFIG_FILE" 2>/dev/null || ! grep -q "allowInsecureAuth" "$CONFIG_FILE" 2>/dev/null; then\n\ cat > "$CONFIG_FILE" << EOF\n\ {\n\ "gateway": {\n\ - "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]\n\ + "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"],\n\ + "controlUi": {\n\ + "allowInsecureAuth": true\n\ + }\n\ }\n\ }\n\ EOF\n\