fix(security): cap Slack media downloads and validate Slack file URLs (#6639)

* Security: cap Slack media downloads and validate Slack file URLs

* Security: relax web media fetch cap for compression

* Fixes: sync pi-coding-agent options

* Fixes: align system prompt override type

* Slack: clarify fetchImpl assumptions

* fix: respect raw media fetch cap (#6639) (thanks @davidiach)

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
David Iach
2026-02-02 10:48:07 +02:00
committed by GitHub
parent 521b121815
commit 4e4ed2ea17
6 changed files with 97 additions and 14 deletions


@@ -40,6 +40,17 @@ describe("fetchWithSlackAuth", () => {
});
});
it("rejects non-Slack hosts to avoid leaking tokens", async () => {
const { fetchWithSlackAuth } = await import("./media.js");
await expect(
fetchWithSlackAuth("https://example.com/test.jpg", "xoxb-test-token"),
).rejects.toThrow(/non-Slack host|non-Slack/i);
// Should fail fast without attempting a fetch.
expect(mockFetch).not.toHaveBeenCalled();
});
it("follows redirects without Authorization header", async () => {
const { fetchWithSlackAuth } = await import("./media.js");