refactor(media): harden localRoots bypass (#16739)

Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 89dce69f50
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
Peter Steinberger
2026-02-15 03:27:01 +01:00
committed by GitHub
parent b607c41a52
commit 683aa09b55
9 changed files with 73 additions and 25 deletions


@@ -329,10 +329,22 @@ describe("local media root guard", () => {
});
it("allows any path when localRoots is 'any'", async () => {
const result = await loadWebMedia(tinyPngFile, 1024 * 1024, { localRoots: "any" });
const result = await loadWebMedia(tinyPngFile, {
maxBytes: 1024 * 1024,
localRoots: "any",
readFile: (filePath) => fs.readFile(filePath),
});
expect(result.kind).toBe("image");
});
it("rejects filesystem root entries in localRoots", async () => {
await expect(
loadWebMedia(tinyPngFile, 1024 * 1024, {
localRoots: [path.parse(tinyPngFile).root],
}),
).rejects.toThrow(/refuses filesystem root/i);
});
it("allows default OpenClaw state workspace and sandbox roots", async () => {
const { STATE_DIR } = await import("../config/paths.js");
const readFile = vi.fn(async () => Buffer.from("generated-media"));