diff --git a/CHANGELOG.md b/CHANGELOG.md index 6444466d0..f59ef4362 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ Docs: https://docs.openclaw.ai Status: beta. ### Changes +- Tools: add HTTP/HTTPS proxy support for web_search and web_fetch via environment variables (HTTP_PROXY/HTTPS_PROXY). - Rebrand: rename the npm package/CLI to `openclaw`, add a `openclaw` compatibility shim, and move extensions to the `@openclaw/*` scope. - Commands: group /help and /commands output with Telegram paging. (#2504) Thanks @hougangdev. - macOS: limit project-local `node_modules/.bin` PATH preference to debug builds (reduce PATH hijacking risk). diff --git a/src/agents/tools/web-search.ts b/src/agents/tools/web-search.ts index bf5741490..12da8447b 100644 --- a/src/agents/tools/web-search.ts +++ b/src/agents/tools/web-search.ts @@ -2,6 +2,7 @@ import { Type } from "@sinclair/typebox"; import type { OpenClawConfig } from "../../config/config.js"; import { formatCliCommand } from "../../cli/command-format.js"; +import { createProxyAgent } from "../../infra/net/ssrf.js"; import type { AnyAgentTool } from "./common.js"; import { jsonResult, readNumberParam, readStringParam } from "./common.js"; import { @@ -273,6 +274,7 @@ async function runPerplexitySearch(params: { timeoutSeconds: number; }): Promise<{ content: string; citations: string[] }> { const endpoint = `${params.baseUrl.replace(/\/$/, "")}/chat/completions`; + const proxyAgent = createProxyAgent(); const res = await fetch(endpoint, { method: "POST", @@ -292,6 +294,8 @@ async function runPerplexitySearch(params: { ], }), signal: withTimeout(undefined, params.timeoutSeconds * 1000), + // @ts-expect-error - undici ProxyAgent dispatcher is not in standard fetch types + dispatcher: proxyAgent, }); if (!res.ok) { @@ -371,6 +375,7 @@ async function runWebSearch(params: { url.searchParams.set("freshness", params.freshness); } + const proxyAgent = createProxyAgent(); const res = await fetch(url.toString(), { method: "GET", headers: { @@ -378,6 +383,8 @@ async function runWebSearch(params: { "X-Subscription-Token": params.apiKey, }, signal: withTimeout(undefined, params.timeoutSeconds * 1000), + // @ts-expect-error - undici ProxyAgent dispatcher is not in standard fetch types + dispatcher: proxyAgent, }); if (!res.ok) { diff --git a/src/infra/net/ssrf.ts b/src/infra/net/ssrf.ts index 297df0f03..95d2885e3 100644 --- a/src/infra/net/ssrf.ts +++ b/src/infra/net/ssrf.ts @@ -1,6 +1,6 @@ import { lookup as dnsLookup } from "node:dns/promises"; import { lookup as dnsLookupCb, type LookupAddress } from "node:dns"; -import { Agent, type Dispatcher } from "undici"; +import { Agent, ProxyAgent, type Dispatcher } from "undici"; type LookupCallback = ( err: NodeJS.ErrnoException | null, @@ -210,7 +210,30 @@ export async function resolvePinnedHostname( }; } +export function createProxyAgent(): ProxyAgent | undefined { + const httpProxy = process.env.HTTP_PROXY || process.env.http_proxy; + const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy; + const proxy = httpsProxy || httpProxy; + + if (!proxy) return undefined; + + try { + return new ProxyAgent(proxy); + } catch (error) { + console.error("Failed to create proxy agent:", error); + return undefined; + } +} + export function createPinnedDispatcher(pinned: PinnedHostname): Dispatcher { + // If proxy is configured, use ProxyAgent instead of pinned Agent + // Note: When using proxy, SSRF protection is bypassed as the proxy handles DNS + const proxyAgent = createProxyAgent(); + if (proxyAgent) { + return proxyAgent; + } + + // Otherwise, use Agent with pinned lookup for SSRF protection return new Agent({ connect: { lookup: pinned.lookup,