github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-11 00:14:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden sandbox media reads against TOCTOU escapes

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 01:03:40 +00:00
parent 4320cde91d
commit c823a85302
12 changed files with 223 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/agents/tools/image-tool.ts
View File

@@ -12,6 +12,7 @@ import { resolveConfiguredModelRef } from "../model-selection.js";
import { ensureOpenClawModelsJson } from "../models-config.js";
import { discoverAuthStorage, discoverModels } from "../pi-model-discovery.js";
import {
createSandboxBridgeReadFile,
resolveSandboxedBridgeMediaPath,
type SandboxedBridgeMediaPathConfig,
} from "../sandbox-media-paths.js";
@@ -496,8 +497,7 @@ export function createImageTool(options?: {
? await loadWebMedia(resolvedPath ?? resolvedImage, {
maxBytes,
sandboxValidated: true,
readFile: (filePath) =>
sandboxConfig.bridge.readFile({ filePath, cwd: sandboxConfig.root }),
readFile: createSandboxBridgeReadFile({ sandbox: sandboxConfig }),
})
: await loadWebMedia(resolvedPath ?? resolvedImage, {
maxBytes,