github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-12 03:23:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(tools): honor fsPolicy.workspaceOnly in image/pdf tool localRoots

Browse Source 
PR #28822 fixed the Write/Edit tools to respect `tools.fs.workspaceOnly`,
but the image and PDF tools still unconditionally include default local
roots (`~/.openclaw/media`, `~/.openclaw/agents`, etc.) when computing
the `localRoots` allowlist for non-sandbox mode.

When `fsPolicy.workspaceOnly` is true, restrict `localRoots` to only the
workspace directory so that files outside the workspace are rejected by
`assertLocalMediaAllowed()`.

Relates to #31716

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
justinhuangcode
2026-03-02 16:18:02 +00:00
committed by Peter Steinberger
parent aab87ec880
commit 14baadda2c
4 changed files with 73 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/agents/tools/pdf-tool.ts
View File

@@ -339,8 +339,11 @@ export function createPdfTool(options?: {
: DEFAULT_MAX_PAGES;
const localRoots = (() => {
const roots = getDefaultLocalRoots();
const workspaceDir = normalizeWorkspaceDir(options?.workspaceDir);
if (options?.fsPolicy?.workspaceOnly) {
return workspaceDir ? [workspaceDir] : [];
}
const roots = getDefaultLocalRoots();
if (!workspaceDir) {
return roots;
}