Merge df9ee246af into da71eaebd2

Dockerfile

@@ -31,9 +31,34 @@ RUN pnpm ui:build
 
 ENV NODE_ENV=production
 
-# Security hardening: Run as non-root user
+# Install gosu for dropping privileges safely
-# The node:22-bookworm image includes a 'node' user (uid 1000)
+RUN apt-get update && apt-get install -y --no-install-recommends gosu && rm -rf /var/lib/apt/lists/*
-# This reduces the attack surface by preventing container escape via root privileges
-USER node
 
+# Entrypoint script: fix /data permissions, ensure cloud-ready config, then drop to node user
+RUN printf '#!/bin/sh\n\
+if [ -d /data ]; then\n\
+  chown -R node:node /data 2>/dev/null || true\n\
+fi\n\
+# Ensure cloud-ready config exists for Railway/cloud deployments\n\
+if [ -n "$CLAWDBOT_STATE_DIR" ]; then\n\
+  mkdir -p "$CLAWDBOT_STATE_DIR"\n\
+  CONFIG_FILE="$CLAWDBOT_STATE_DIR/clawdbot.json"\n\
+  # If no config or config lacks trustedProxies or allowInsecureAuth, create it\n\
+  if [ ! -f "$CONFIG_FILE" ] || ! grep -q "trustedProxies" "$CONFIG_FILE" 2>/dev/null || ! grep -q "allowInsecureAuth" "$CONFIG_FILE" 2>/dev/null; then\n\
+    cat > "$CONFIG_FILE" << EOF\n\
+{\n\
+  "gateway": {\n\
+    "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"],\n\
+    "controlUi": {\n\
+      "allowInsecureAuth": true\n\
+    }\n\
+  }\n\
+}\n\
+EOF\n\
+  fi\n\
+  chown node:node "$CONFIG_FILE" 2>/dev/null || true\n\
+fi\n\
+exec gosu node "$@"\n' > /entrypoint.sh && chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["node", "dist/index.js"]

src/gateway/net.ts

@@ -48,10 +48,45 @@ function parseRealIp(realIp?: string): string | undefined {
   return normalizeIp(stripOptionalPort(raw));
 }
 
+/**
+ * Check if an IPv4 address falls within a CIDR range.
+ * @param ip - The IP address to check (e.g., "100.64.0.3")
+ * @param cidr - The CIDR range (e.g., "100.64.0.0/10")
+ * @returns True if the IP is within the CIDR range
+ */
+function isIpInCidr(ip: string, cidr: string): boolean {
+  const [range, bitsStr] = cidr.split("/");
+  if (!range || !bitsStr) return false;
+
+  const bits = parseInt(bitsStr, 10);
+  if (Number.isNaN(bits) || bits < 0 || bits > 32) return false;
+
+  const ipParts = ip.split(".").map((p) => parseInt(p, 10));
+  const rangeParts = range.split(".").map((p) => parseInt(p, 10));
+
+  if (ipParts.length !== 4 || rangeParts.length !== 4) return false;
+  if (ipParts.some((p) => Number.isNaN(p)) || rangeParts.some((p) => Number.isNaN(p))) return false;
+
+  const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
+  const rangeNum = (rangeParts[0] << 24) | (rangeParts[1] << 16) | (rangeParts[2] << 8) | rangeParts[3];
+
+  // Create mask: bits=10 means top 10 bits must match
+  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
+
+  return ((ipNum >>> 0) & mask) === ((rangeNum >>> 0) & mask);
+}
+
 export function isTrustedProxyAddress(ip: string | undefined, trustedProxies?: string[]): boolean {
   const normalized = normalizeIp(ip);
   if (!normalized || !trustedProxies || trustedProxies.length === 0) return false;
-  return trustedProxies.some((proxy) => normalizeIp(proxy) === normalized);
+  return trustedProxies.some((proxy) => {
+    // Check if it's a CIDR range
+    if (proxy.includes("/")) {
+      return isIpInCidr(normalized, proxy);
+    }
+    // Exact match
+    return normalizeIp(proxy) === normalized;
+  });
 }
 
 export function resolveGatewayClientIp(params: {