github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 00:38:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

security(web): sanitize WhatsApp accountId to prevent path traversal (#4610)

Browse Source 
* security(web): sanitize WhatsApp accountId to prevent path traversal

Apply normalizeAccountId() from routing/session-key to
resolveDefaultAuthDir() so that malicious config values like
"../../../etc" cannot escape the intended auth directory.

Fixes #2692

* fix(web): check sanitized segment instead of full path in Windows test

* style(web): fix oxfmt formatting in accounts test
This commit is contained in:
Leszek Szpunar
2026-02-01 23:29:53 +01:00
committed by GitHub
parent 9d2784cdb9
commit 1bdd9e313f
2 changed files with 49 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/web/accounts.ts
View File

@@ -3,7 +3,7 @@ import path from "node:path";
import type { OpenClawConfig } from "../config/config.js";
import type { DmPolicy, GroupPolicy, WhatsAppAccountConfig } from "../config/types.js";
import { resolveOAuthDir } from "../config/paths.js";
import { DEFAULT_ACCOUNT_ID } from "../routing/session-key.js";
import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
import { resolveUserPath } from "../utils.js";
import { hasWebCredsSync } from "./auth-store.js";
@@ -95,7 +95,7 @@ function resolveAccountConfig(
}
function resolveDefaultAuthDir(accountId: string): string {
return path.join(resolveOAuthDir(), "whatsapp", accountId);
return path.join(resolveOAuthDir(), "whatsapp", normalizeAccountId(accountId));
}
function resolveLegacyAuthDir(): string {