github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 09:27:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden sandbox tmp media validation (#17892) (thanks @dashed)

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 00:23:55 +01:00
parent 2958a8414d
commit d3991d6aa9
3 changed files with 39 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/agents/sandbox-paths.ts
View File

@@ -90,10 +90,11 @@ export async function resolveSandboxedMediaSource(params: {
throw new Error(`Invalid file:// URL for sandboxed media: ${raw}`);
}
}
// Allow files under os.tmpdir() — consistent with buildMediaLocalRoots() defaults.
const resolved = path.resolve(params.sandboxRoot, candidate);
const tmpDir = os.tmpdir();
if (resolved === tmpDir || resolved.startsWith(tmpDir + path.sep)) {
const resolved = path.resolve(resolveSandboxInputPath(candidate, params.sandboxRoot));
const tmpDir = path.resolve(os.tmpdir());
const candidateIsAbsolute = path.isAbsolute(expandPath(candidate));
if (candidateIsAbsolute && isPathInside(tmpDir, resolved)) {
await assertNoSymlinkEscape(path.relative(tmpDir, resolved), tmpDir);
return resolved;
}
const sandboxResult = await assertSandboxPath({