github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 10:27:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden session transcript path resolution

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-13 01:27:33 +01:00
parent 3eb6a31b6f
commit 4199f9889f
13 changed files with 322 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/gateway/session-utils.fs.test.ts
View File

@@ -507,3 +507,26 @@ describe("resolveSessionTranscriptCandidates", () => {
);
});
});
describe("resolveSessionTranscriptCandidates safety", () => {
test("drops unsafe session IDs instead of producing traversal paths", () => {
const candidates = resolveSessionTranscriptCandidates(
"../etc/passwd",
"/tmp/openclaw/agents/main/sessions/sessions.json",
);
expect(candidates).toEqual([]);
});
test("drops unsafe sessionFile candidates and keeps safe fallbacks", () => {
const storePath = "/tmp/openclaw/agents/main/sessions/sessions.json";
const candidates = resolveSessionTranscriptCandidates(
"sess-safe",
storePath,
"../../etc/passwd",
);
expect(candidates.some((value) => value.includes("etc/passwd"))).toBe(false);
expect(candidates).toContain(path.join(path.dirname(storePath), "sess-safe.jsonl"));
});
});