github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 04:22:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(media): guard local media reads + accept all path types in MEDIA directive

Browse Source
This commit is contained in:
buddyh
2026-02-08 23:52:11 -05:00
committed by the sun gif man
parent 029b77c85b
commit 4baa43384a
5 changed files with 170 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
src/web/media.test.ts
View File

@@ -292,3 +292,43 @@ describe("web media loading", () => {
expect(result.buffer.length).toBeLessThanOrEqual(cap);
});
});
describe("local media root guard", () => {
it("rejects local paths outside allowed roots", async () => {
const pngBuffer = await sharp({
create: { width: 10, height: 10, channels: 3, background: "#00ff00" },
})
.png()
.toBuffer();
const file = await writeTempFile(pngBuffer, ".png");
// Explicit roots that don't contain the temp file.
await expect(
loadWebMedia(file, 1024 * 1024, { localRoots: ["/nonexistent-root"] }),
).rejects.toThrow(/not under an allowed directory/i);
});
it("allows local paths under an explicit root", async () => {
const pngBuffer = await sharp({
create: { width: 10, height: 10, channels: 3, background: "#00ff00" },
})
.png()
.toBuffer();
const file = await writeTempFile(pngBuffer, ".png");
const result = await loadWebMedia(file, 1024 * 1024, { localRoots: [os.tmpdir()] });
expect(result.kind).toBe("image");
});
it("allows any path when localRoots is 'any'", async () => {
const pngBuffer = await sharp({
create: { width: 10, height: 10, channels: 3, background: "#00ff00" },
})
.png()
.toBuffer();
const file = await writeTempFile(pngBuffer, ".png");
const result = await loadWebMedia(file, 1024 * 1024, { localRoots: "any" });
expect(result.kind).toBe("image");
});
});