github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 16:04:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Browser: accept canonical upload paths for symlinked roots

Browse Source
This commit is contained in:
Vignesh Natarajan
2026-02-21 21:54:57 -08:00
parent 98b2b16ac3
commit 54e5f80424
3 changed files with 108 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
src/browser/paths.test.ts
View File

@@ -138,6 +138,60 @@ describe("resolveExistingPathsWithinRoot", () => {
});
},
);
it.runIf(process.platform !== "win32")(
"accepts canonical absolute paths when upload root is a symlink alias",
async () => {
await withFixtureRoot(async ({ baseDir }) => {
const canonicalUploadsDir = path.join(baseDir, "canonical", "uploads");
const aliasedUploadsDir = path.join(baseDir, "uploads-link");
await fs.mkdir(canonicalUploadsDir, { recursive: true });
await fs.symlink(canonicalUploadsDir, aliasedUploadsDir);
const filePath = path.join(canonicalUploadsDir, "ok.txt");
await fs.writeFile(filePath, "ok", "utf8");
const canonicalPath = await fs.realpath(filePath);
const firstPass = await resolveWithinUploads({
uploadsDir: aliasedUploadsDir,
requestedPaths: [path.join(aliasedUploadsDir, "ok.txt")],
});
expect(firstPass.ok).toBe(true);
const secondPass = await resolveWithinUploads({
uploadsDir: aliasedUploadsDir,
requestedPaths: [canonicalPath],
});
expect(secondPass.ok).toBe(true);
if (secondPass.ok) {
expect(secondPass.paths).toEqual([canonicalPath]);
}
});
},
);
it.runIf(process.platform !== "win32")(
"rejects canonical absolute paths outside symlinked upload root",
async () => {
await withFixtureRoot(async ({ baseDir }) => {
const canonicalUploadsDir = path.join(baseDir, "canonical", "uploads");
const aliasedUploadsDir = path.join(baseDir, "uploads-link");
await fs.mkdir(canonicalUploadsDir, { recursive: true });
await fs.symlink(canonicalUploadsDir, aliasedUploadsDir);
const outsideDir = path.join(baseDir, "outside");
await fs.mkdir(outsideDir, { recursive: true });
const outsideFile = path.join(outsideDir, "secret.txt");
await fs.writeFile(outsideFile, "secret", "utf8");
const result = await resolveWithinUploads({
uploadsDir: aliasedUploadsDir,
requestedPaths: [await fs.realpath(outsideFile)],
});
expectInvalidResult(result, "must stay within uploads directory");
});
},
);
});
describe("resolvePathWithinRoot", () => {