fix: enforce workspaceOnly for native prompt image autoload

2026-05-12 09:11:12 +00:00 · 2026-02-24 14:47:22 +00:00
parent c3680c2277
commit 370d115549
6 changed files with 93 additions and 3 deletions
--- a/src/agents/pi-embedded-runner/run/images.test.ts
+++ b/src/agents/pi-embedded-runner/run/images.test.ts
@@ -3,6 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
 import { createHostSandboxFsBridge } from "../../test-helpers/host-sandbox-fs-bridge.js";
+import { createUnsafeMountedSandbox } from "../../test-helpers/unsafe-mounted-sandbox.js";
 import {
  detectAndLoadPromptImages,
  detectImageReferences,
@@ -275,4 +276,76 @@ describe("detectAndLoadPromptImages", () => {
    expect(result.images).toHaveLength(0);
    expect(result.historyImagesByIndex.size).toBe(0);
  });
+
+  it("blocks prompt image refs outside workspace when sandbox workspaceOnly is enabled", async () => {
+    const stateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-native-image-sandbox-"));
+    const sandboxRoot = path.join(stateDir, "sandbox");
+    const agentRoot = path.join(stateDir, "agent");
+    await fs.mkdir(sandboxRoot, { recursive: true });
+    await fs.mkdir(agentRoot, { recursive: true });
+    const pngB64 =
+      "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/woAAn8B9FD5fHAAAAAASUVORK5CYII=";
+    await fs.writeFile(path.join(agentRoot, "secret.png"), Buffer.from(pngB64, "base64"));
+    const sandbox = createUnsafeMountedSandbox({ sandboxRoot, agentRoot });
+    const bridge = sandbox.fsBridge;
+    if (!bridge) {
+      throw new Error("sandbox fs bridge missing");
+    }
+
+    try {
+      const result = await detectAndLoadPromptImages({
+        prompt: "Inspect /agent/secret.png",
+        workspaceDir: sandboxRoot,
+        model: { input: ["text", "image"] },
+        workspaceOnly: true,
+        sandbox: { root: sandbox.workspaceDir, bridge },
+      });
+
+      expect(result.detectedRefs).toHaveLength(1);
+      expect(result.loadedCount).toBe(0);
+      expect(result.skippedCount).toBe(1);
+      expect(result.images).toHaveLength(0);
+    } finally {
+      await fs.rm(stateDir, { recursive: true, force: true });
+    }
+  });
+
+  it("blocks history image refs outside workspace when sandbox workspaceOnly is enabled", async () => {
+    const stateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-native-image-sandbox-"));
+    const sandboxRoot = path.join(stateDir, "sandbox");
+    const agentRoot = path.join(stateDir, "agent");
+    await fs.mkdir(sandboxRoot, { recursive: true });
+    await fs.mkdir(agentRoot, { recursive: true });
+    const pngB64 =
+      "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/woAAn8B9FD5fHAAAAAASUVORK5CYII=";
+    await fs.writeFile(path.join(agentRoot, "secret.png"), Buffer.from(pngB64, "base64"));
+    const sandbox = createUnsafeMountedSandbox({ sandboxRoot, agentRoot });
+    const bridge = sandbox.fsBridge;
+    if (!bridge) {
+      throw new Error("sandbox fs bridge missing");
+    }
+
+    try {
+      const result = await detectAndLoadPromptImages({
+        prompt: "No inline image in this turn.",
+        workspaceDir: sandboxRoot,
+        model: { input: ["text", "image"] },
+        workspaceOnly: true,
+        historyMessages: [
+          {
+            role: "user",
+            content: [{ type: "text", text: "Previous image /agent/secret.png" }],
+          },
+        ],
+        sandbox: { root: sandbox.workspaceDir, bridge },
+      });
+
+      expect(result.detectedRefs).toHaveLength(1);
+      expect(result.loadedCount).toBe(0);
+      expect(result.skippedCount).toBe(1);
+      expect(result.historyImagesByIndex.size).toBe(0);
+    } finally {
+      await fs.rm(stateDir, { recursive: true, force: true });
+    }
+  });
 });