fix: validate windows task script file names

pgondhi987 · pgondhi987 · commit b4c1a551b96b · 2026-05-21T18:45:48.000Z
diff --git a/src/daemon/schtasks.test.ts b/src/daemon/schtasks.test.ts
@@ -149,9 +149,32 @@ describe("resolveTaskScriptPath", () => {
       env: { HOME: "/home/test", OPENCLAW_PROFILE: "default" },
       expected: path.join("/home/test", ".openclaw", "gateway.cmd"),
     },
+    {
+      name: "uses a custom task script file name inside the state directory",
+      env: {
+        USERPROFILE: "C:\\Users\\test",
+        OPENCLAW_TASK_SCRIPT_NAME: "gateway-node.cmd",
+      },
+      expected: path.join("C:\\Users\\test", ".openclaw", "gateway-node.cmd"),
+    },
   ])("$name", ({ env, expected }) => {
     expect(resolveTaskScriptPath(env)).toBe(expected);
   });
+
+  it.each([
+    "../gateway.cmd",
+    "..\\gateway.cmd",
+    "nested/gateway.cmd",
+    "nested\\gateway.cmd",
+    "gateway..cmd",
+  ])("rejects non-file task script name %s", (scriptName) => {
+    expect(() =>
+      resolveTaskScriptPath({
+        USERPROFILE: "C:\\Users\\test",
+        OPENCLAW_TASK_SCRIPT_NAME: scriptName,
+      }),
+    ).toThrow("OPENCLAW_TASK_SCRIPT_NAME must be a file name only");
+  });
 });
 
 describe("readScheduledTaskCommand", () => {
diff --git a/src/daemon/schtasks.ts b/src/daemon/schtasks.ts
@@ -50,6 +50,11 @@ export function resolveTaskScriptPath(env: GatewayServiceEnv): string {
     return override;
   }
   const scriptName = env.OPENCLAW_TASK_SCRIPT_NAME?.trim() || "gateway.cmd";
+  if (/[/\\]|\.\./.test(scriptName)) {
+    throw new Error(
+      `OPENCLAW_TASK_SCRIPT_NAME must be a file name only, not a path: ${scriptName}`,
+    );
+  }
   const stateDir = resolveGatewayStateDir(env);
   return path.join(stateDir, scriptName);
 }

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,11 @@ export function resolveTaskScriptPath(env: GatewayServiceEnv): string {`
`50`	`50`	`return override;`
`51`	`51`	`}`
`52`	`52`	`const scriptName = env.OPENCLAW_TASK_SCRIPT_NAME?.trim() \|\| "gateway.cmd";`
	`53`	`+ if (/[/\\]\|\.\./.test(scriptName)) {`
	`54`	`+ throw new Error(`
	`55`	+ `OPENCLAW_TASK_SCRIPT_NAME must be a file name only, not a path: ${scriptName}`,
	`56`	`+ );`
	`57`	`+ }`
`53`	`58`	`const stateDir = resolveGatewayStateDir(env);`
`54`	`59`	`return path.join(stateDir, scriptName);`
`55`	`60`	`}`