test(media): dedupe temp roots and cover directory attachment rejection

src/media-understanding/media-understanding-misc.test.ts

@@ -24,6 +24,15 @@ describe("media understanding scope", () => {
 
 const originalFetch = globalThis.fetch;
 
+async function withTempRoot<T>(prefix: string, run: (base: string) => Promise<T>): Promise<T> {
+  const base = await fs.mkdtemp(path.join(os.tmpdir(), prefix));
+  try {
+    return await run(base);
+  } finally {
+    await fs.rm(base, { recursive: true, force: true });
+  }
+}
+
 describe("media understanding attachments SSRF", () => {
   afterEach(() => {
     globalThis.fetch = originalFetch;
@@ -44,8 +53,7 @@ describe("media understanding attachments SSRF", () => {
   });
 
   it("reads local attachments inside configured roots", async () => {
-    const base = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-media-cache-allowed-"));
+    await withTempRoot("openclaw-media-cache-allowed-", async (base) => {
-    try {
       const allowedRoot = path.join(base, "allowed");
       const attachmentPath = path.join(allowedRoot, "voice-note.m4a");
       await fs.mkdir(allowedRoot, { recursive: true });
@@ -57,9 +65,7 @@ describe("media understanding attachments SSRF", () => {
 
       const result = await cache.getBuffer({ attachmentIndex: 0, maxBytes: 1024, timeoutMs: 1000 });
       expect(result.buffer.toString()).toBe("ok");
-    } finally {
+    });
-      await fs.rm(base, { recursive: true, force: true });
-    }
   });
 
   it("blocks local attachments outside configured roots", async () => {
@@ -75,12 +81,27 @@ describe("media understanding attachments SSRF", () => {
     ).rejects.toThrow(/has no path or URL/i);
   });
 
+  it("blocks directory attachments even inside configured roots", async () => {
+    await withTempRoot("openclaw-media-cache-dir-", async (base) => {
+      const allowedRoot = path.join(base, "allowed");
+      const attachmentPath = path.join(allowedRoot, "nested");
+      await fs.mkdir(attachmentPath, { recursive: true });
+
+      const cache = new MediaAttachmentCache([{ index: 0, path: attachmentPath }], {
+        localPathRoots: [allowedRoot],
+      });
+
+      await expect(
+        cache.getBuffer({ attachmentIndex: 0, maxBytes: 1024, timeoutMs: 1000 }),
+      ).rejects.toThrow(/has no path or URL/i);
+    });
+  });
+
   it("blocks symlink escapes that resolve outside configured roots", async () => {
     if (process.platform === "win32") {
       return;
     }
-    const base = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-media-cache-symlink-"));
+    await withTempRoot("openclaw-media-cache-symlink-", async (base) => {
-    try {
       const allowedRoot = path.join(base, "allowed");
       const outsidePath = "/etc/passwd";
       const symlinkPath = path.join(allowedRoot, "note.txt");
@@ -94,8 +115,6 @@ describe("media understanding attachments SSRF", () => {
       await expect(
         cache.getBuffer({ attachmentIndex: 0, maxBytes: 1024, timeoutMs: 1000 }),
       ).rejects.toThrow(/has no path or URL/i);
-    } finally {
+    });
-      await fs.rm(base, { recursive: true, force: true });
-    }
   });
 });