bluebubbles: harden local media path handling against LFI (#16322)

* bluebubbles: harden local media path handling * bluebubbles: remove racy post-open symlink lstat * fix: bluebubbles mediaLocalRoots docs + typing fix (#16322) (thanks @mbelinky)
2026-04-18 10:37:27 +00:00 · 2026-02-14 17:43:44 +00:00
parent bfa7d21e99
commit 71f357d949
7 changed files with 417 additions and 8 deletions
--- a/docs/channels/bluebubbles.md
+++ b/docs/channels/bluebubbles.md
@@ -300,6 +300,7 @@ Provider options:
 - `channels.bluebubbles.textChunkLimit`: Outbound chunk size in chars (default: 4000).
 - `channels.bluebubbles.chunkMode`: `length` (default) splits only when exceeding `textChunkLimit`; `newline` splits on blank lines (paragraph boundaries) before length chunking.
 - `channels.bluebubbles.mediaMaxMb`: Inbound media cap in MB (default: 8).
+- `channels.bluebubbles.mediaLocalRoots`: Explicit allowlist of absolute local directories permitted for outbound local media paths. Local path sends are denied by default unless this is configured. Per-account override: `channels.bluebubbles.accounts.<accountId>.mediaLocalRoots`.
 - `channels.bluebubbles.historyLimit`: Max group messages for context (0 disables).
 - `channels.bluebubbles.dmHistoryLimit`: DM history limit.
 - `channels.bluebubbles.actions`: Enable/disable specific actions.