github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 19:24:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: enforce inbound attachment root policy across pipelines

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 14:15:34 +01:00
parent cfe8457a0f
commit 1316e57403
16 changed files with 555 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
src/media-understanding/media-understanding-misc.test.ts
View File

@@ -1,3 +1,6 @@
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { afterEach, describe, expect, it, vi } from "vitest";
import { withFetchPreconnect } from "../test-utils/fetch-mock.js";
import { MediaAttachmentCache } from "./attachments.js";
@@ -39,4 +42,60 @@ describe("media understanding attachments SSRF", () => {
expect(fetchSpy).not.toHaveBeenCalled();
});
it("reads local attachments inside configured roots", async () => {
const base = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-media-cache-allowed-"));
try {
const allowedRoot = path.join(base, "allowed");
const attachmentPath = path.join(allowedRoot, "voice-note.m4a");
await fs.mkdir(allowedRoot, { recursive: true });
await fs.writeFile(attachmentPath, "ok");
const cache = new MediaAttachmentCache([{ index: 0, path: attachmentPath }], {
localPathRoots: [allowedRoot],
});
const result = await cache.getBuffer({ attachmentIndex: 0, maxBytes: 1024, timeoutMs: 1000 });
expect(result.buffer.toString()).toBe("ok");
} finally {
await fs.rm(base, { recursive: true, force: true });
}
});
it("blocks local attachments outside configured roots", async () => {
if (process.platform === "win32") {
return;
}
const cache = new MediaAttachmentCache([{ index: 0, path: "/etc/passwd" }], {
localPathRoots: ["/Users/*/Library/Messages/Attachments"],
});
await expect(
cache.getBuffer({ attachmentIndex: 0, maxBytes: 1024, timeoutMs: 1000 }),
).rejects.toThrow(/has no path or URL/i);
});
it("blocks symlink escapes that resolve outside configured roots", async () => {
if (process.platform === "win32") {
return;
}
const base = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-media-cache-symlink-"));
try {
const allowedRoot = path.join(base, "allowed");
const outsidePath = "/etc/passwd";
const symlinkPath = path.join(allowedRoot, "note.txt");
await fs.mkdir(allowedRoot, { recursive: true });
await fs.symlink(outsidePath, symlinkPath);
const cache = new MediaAttachmentCache([{ index: 0, path: symlinkPath }], {
localPathRoots: [allowedRoot],
});
await expect(
cache.getBuffer({ attachmentIndex: 0, maxBytes: 1024, timeoutMs: 1000 }),
).rejects.toThrow(/has no path or URL/i);
} finally {
await fs.rm(base, { recursive: true, force: true });
}
});
});