github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-07 23:51:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(media): block symlink traversal

Browse Source
This commit is contained in:
Peter Steinberger
2025-12-02 18:37:15 +00:00
parent b94b220156
commit 2cf134668c
3 changed files with 31 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/media/server.test.ts
View File

@@ -59,4 +59,17 @@ describe("media server", () => {
expect(await res.text()).toBe("invalid path");
await new Promise((r) => server.close(r));
});
it("blocks symlink escaping outside media dir", async () => {
const target = path.join(process.cwd(), "package.json"); // outside MEDIA_DIR
const link = path.join(MEDIA_DIR, "link-out");
await fs.symlink(target, link);
const server = await startMediaServer(0, 5_000);
const port = (server.address() as AddressInfo).port;
const res = await fetch(`http://localhost:${port}/media/link-out`);
expect(res.status).toBe(400);
expect(await res.text()).toBe("invalid path");
await new Promise((r) => server.close(r));
});
});