github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 00:41:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Security: harden tool media paths

Browse Source
This commit is contained in:
Shadow
2026-02-20 13:31:40 -06:00
parent 67edc7790f
commit c378439246
10 changed files with 120 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/web/media.ts
View File

@@ -73,9 +73,9 @@ async function assertLocalMediaAllowed(
resolved = path.resolve(mediaPath);
}
// Hardening: the default allowlist includes `os.tmpdir()`, and tests/CI may
// Hardening: the default allowlist includes the OpenClaw temp dir, and tests/CI may
// override the state dir into tmp. Avoid accidentally allowing per-agent
// `workspace-*` state roots via the tmpdir prefix match; require explicit
// `workspace-*` state roots via the temp-root prefix match; require explicit
// localRoots for those.
if (localRoots === undefined) {
const workspaceRoot = roots.find((root) => path.basename(root) === "workspace");