github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 09:42:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

perf(test): fold discord voice hardening into web media suite

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-16 00:15:24 +00:00
parent ba3a0e7adb
commit acb2a1ce37
2 changed files with 22 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/discord/send.voice-message.security.test.ts
View File

@@ -1,24 +0,0 @@
import path from "node:path";
import { describe, expect, it } from "vitest";
import { sendVoiceMessageDiscord } from "./send.js";
describe("sendVoiceMessageDiscord - media hardening", () => {
it("rejects local paths outside allowed media roots (prevents local file exfiltration)", async () => {
const candidate = path.join(process.cwd(), "package.json");
await expect(sendVoiceMessageDiscord("channel:123", candidate)).rejects.toThrow(
/Local media path is not under an allowed directory/,
);
});
it("blocks SSRF targets when given a private-network URL", async () => {
await expect(
sendVoiceMessageDiscord("channel:123", "http://127.0.0.1/voice.ogg"),
).rejects.toThrow(/Failed to fetch media|Blocked/);
});
it("does not allow non-http URL schemes to reach ffmpeg/ffprobe", async () => {
await expect(
sendVoiceMessageDiscord("channel:123", "rtsp://example.com/voice.ogg"),
).rejects.toThrow(/Local media path is not under an allowed directory|ENOENT|no such file/i);
});
});

22
src/web/media.test.ts
View File

@@ -3,6 +3,7 @@ import os from "node:os";
import path from "node:path"; import path from "node:path";
import sharp from "sharp"; import sharp from "sharp";
import { afterAll, afterEach, beforeAll, describe, expect, it, vi } from "vitest"; import { afterAll, afterEach, beforeAll, describe, expect, it, vi } from "vitest";
import { sendVoiceMessageDiscord } from "../discord/send.js";
import * as ssrf from "../infra/net/ssrf.js"; import * as ssrf from "../infra/net/ssrf.js";
import { optimizeImageToPng } from "../media/image-ops.js"; import { optimizeImageToPng } from "../media/image-ops.js";
import { captureEnv } from "../test-utils/env.js"; import { captureEnv } from "../test-utils/env.js";
@@ -333,6 +334,27 @@ describe("web media loading", () => {
}); });
}); });
describe("Discord voice message input hardening", () => {
it("rejects local paths outside allowed media roots", async () => {
const candidate = path.join(process.cwd(), "package.json");
await expect(sendVoiceMessageDiscord("channel:123", candidate)).rejects.toThrow(
/Local media path is not under an allowed directory/i,
);
});
it("blocks SSRF targets when given a private-network URL", async () => {
await expect(
sendVoiceMessageDiscord("channel:123", "http://127.0.0.1/voice.ogg"),
).rejects.toThrow(/Failed to fetch media|Blocked|private|internal/i);
});
it("rejects non-http URL schemes", async () => {
await expect(
sendVoiceMessageDiscord("channel:123", "rtsp://example.com/voice.ogg"),
).rejects.toThrow(/Local media path is not under an allowed directory|ENOENT|no such file/i);
});
});
describe("local media root guard", () => { describe("local media root guard", () => {
it("rejects local paths outside allowed roots", async () => { it("rejects local paths outside allowed roots", async () => {
// Explicit roots that don't contain the temp file. // Explicit roots that don't contain the temp file.