parsePort accepts out-of-range port numbers (> 65535)

[davinci282828]

Severity: medium / Confidence: high / Category: bug
Triage: confirmed-bug
Detected against: openclaw v2026.5.18 (latest stable at time of scan, 2026-05-18)
Tooling: clawpatch 0.3.0 + acpx/claude-sonnet-4-5 via Brad Mills protocol

Evidence

• src/cli/shared/parse-port.ts:3-8 (parsePort)

return parseStrictPositiveInteger(raw) ?? null;

Reasoning

parseStrictPositiveInteger enforces that the value is a positive integer, but imposes no upper bound. Valid TCP/UDP port numbers are 1–65535; any value from 65536 upward is silently returned as a number rather than null. The feature's trust boundary is user-input and process-exec, so hostile or misconfigured input like '99999' reaches callers as a seemingly valid port. Callers that pass the result directly to a bind or connect call will get an OS-level error rather than a clean parsing failure.

Reproduction

parsePort('99999') returns 99999 instead of null.

Recommendation

After the existing parseStrictPositiveInteger call, add an upper-bound check: const n = parseStrictPositiveInteger(raw) ?? null; return n !== null && n <= 65535 ? n : null;

Why existing tests miss this

The feature lists no tests at all (tests: []).

Suggested regression test

it('rejects port numbers above 65535', () => { expect(parsePort(65536)).toBeNull(); expect(parsePort(99999)).toBeNull(); expect(parsePort(65535)).toBe(65535); expect(parsePort(1)).toBe(1); expect(parsePort(0)).toBeNull(); });

Minimum fix scope

Add n <= 65535 guard inside parsePort; no changes to the imported helper required.

---

Standardized clawpatch finding. Persistent in v2026.5.18 (not resolved by upgrading from v2026.5.12). Finding ID: fnd_sig-feat-cli-command-1589b7a20d-_a369155588.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still lets the shared CLI port parser accept values above 65535, even though the CLI error contract and comparable port helpers use the 1-65535 range.

Reproducibility: yes. Source inspection shows parsePort(65536) and parsePort('99999') flow through a positive-integer-only helper, and a Node net probe confirms those ports are invalid at the runtime boundary.

Next step
This is a narrow, source-proven parser bug with clear files and a straightforward regression test path.

Review details

Best possible solution:

Add the 1-65535 bound in the shared parsePort helper and cover boundary values with a focused regression test so all CLI callers share the same contract.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows parsePort(65536) and parsePort('99999') flow through a positive-integer-only helper, and a Node net probe confirms those ports are invalid at the runtime boundary.

Is this the best way to solve the issue?

Yes. The narrow maintainable fix is to cap the shared parser at 65535 and add regression coverage rather than adding more caller-specific checks.

Label justifications:

• P2: This is a bounded CLI input-validation bug with clear source evidence and limited blast radius.

Acceptance criteria:

• node scripts/run-vitest.mjs src/cli/shared/parse-port.test.ts
• git diff --check

What I checked:

• Current parser lacks an upper bound: parsePort returns parseStrictPositiveInteger(raw) ?? null, so the shared parser only requires a positive integer and does not enforce the documented port maximum. (src/cli/shared/parse-port.ts:7, e9989f3a92e5)
• Positive-integer helper also has no max: parseStrictPositiveInteger accepts any safe integer greater than zero; it does not know TCP/UDP port bounds. (src/infra/parse-finite-number.ts:34, e9989f3a92e5)
• CLI contract already says 1 to 65535: The shared invalid-port messages tell users to use a port number from 1 to 65535, so rejecting values above 65535 matches existing user-facing behavior. (src/cli/error-format.ts:9, e9989f3a92e5)
• Live dependency behavior rejects out-of-range ports: A Node net.createServer().listen() probe accepted 65535 and threw ERR_SOCKET_BAD_PORT for 65536 and 99999, matching the report's expected bound.
• One caller can pass the parsed value onward: openclaw node run uses parsePortWithFallback, which returns any non-null parser result and passes it as gatewayPort without the later install-time range check. (src/cli/node-cli/register.ts:18, e9989f3a92e5)
• Comparable in-repo helpers enforce the same maximum: Other port parsing paths such as scheduled-task parsing and service audit already require parsed ports to be <= 65535. (src/daemon/schtasks.ts:405, e9989f3a92e5)

Likely related people:

• Takhoffman: Current-line blame for src/cli/shared/parse-port.ts points to the commit that rewrote the helper to delegate to parseStrictPositiveInteger, preserving the missing max-bound behavior. (role: current implementation author / recent area contributor; confidence: high; commits: c92ebd6a4104; files: src/cli/shared/parse-port.ts, src/infra/parse-finite-number.ts, src/cli/error-format.ts)
• steipete: History shows the shared parsePort helper was introduced by the CLI dedupe refactor, where it already accepted positive integers without a 65535 cap. (role: shared parser refactor author; confidence: medium; commits: ab45b409b8f0; files: src/cli/shared/parse-port.ts, src/cli/daemon-cli/shared.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against e9989f3a92e5.