github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-11 02:54:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden sandbox media reads against TOCTOU escapes

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 01:03:40 +00:00
parent 4320cde91d
commit c823a85302
12 changed files with 223 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/media/server.outside-workspace.test.ts
View File

@@ -5,7 +5,7 @@ import path from "node:path";
import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
const mocks = vi.hoisted(() => ({
openFileWithinRoot: vi.fn(),
readFileWithinRoot: vi.fn(),
cleanOldMedia: vi.fn().mockResolvedValue(undefined),
}));
@@ -15,7 +15,7 @@ vi.mock("../infra/fs-safe.js", async (importOriginal) => {
const actual = await importOriginal<typeof import("../infra/fs-safe.js")>();
return {
...actual,
openFileWithinRoot: mocks.openFileWithinRoot,
readFileWithinRoot: mocks.readFileWithinRoot,
};
});
@@ -48,7 +48,7 @@ describe("media server outside-workspace mapping", () => {
});
it("returns 400 with a specific outside-workspace message", async () => {
mocks.openFileWithinRoot.mockRejectedValueOnce(
mocks.readFileWithinRoot.mockRejectedValueOnce(
new SafeOpenError("outside-workspace", "file is outside workspace root"),
);