fix: harden sandbox media reads against TOCTOU escapes

Peter Steinberger
2026-03-02 01:03:40 +00:00
parent 4320cde91d
commit c823a85302
12 changed files with 223 additions and 27 deletions


@@ -8,6 +8,16 @@ export type SandboxedBridgeMediaPathConfig = {
workspaceOnly?: boolean;
};
export function createSandboxBridgeReadFile(params: {
sandbox: Pick<SandboxedBridgeMediaPathConfig, "root" | "bridge">;
}): (filePath: string) => Promise<Buffer> {
return async (filePath: string) =>
await params.sandbox.bridge.readFile({
filePath,
cwd: params.sandbox.root,
});
}
export async function resolveSandboxedBridgeMediaPath(params: {
sandbox: SandboxedBridgeMediaPathConfig;
mediaPath: string;
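Review bot: The new `createSandboxBridgeReadFile` has no doc comment stating the invariant it exists to protect, so a later caller could go back to resolving a path and then reading it from the host, reopening the check-then-use gap. I would add something like `/** Reads filePath through the sandbox bridge with cwd = sandbox root, so path resolution and the read happen in one step inside the sandbox; do not read a previously resolved host path instead. */`. The closure forwards `filePath` unchanged, so containment depends entirely on `bridge.readFile`. The hunk does not show whether that call rejects absolute paths, `..` segments or symlinks that leave `root`; the comment should name that dependency, and a test covering those three inputs would pin it down. As a minor style point, the `await` in `async (filePath) => await params.sandbox.bridge.readFile(...)` is redundant, because returning the promise directly behaves the same. `resolveSandboxedBridgeMediaPath` continues outside the hunk, so how it uses this reader is not visible here.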