github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 04:47:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): lock sandbox tmp media paths to openclaw roots

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-24 23:09:34 +00:00
parent bf8ca07deb
commit d3da67c7a9
13 changed files with 364 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/media-understanding/runner.entries.ts
View File

@@ -1,5 +1,4 @@
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import {
collectProviderApiKeysForExecution,
@@ -14,6 +13,7 @@ import type {
MediaUnderstandingModelConfig,
} from "../config/types.tools.js";
import { logVerbose, shouldLogVerbose } from "../globals.js";
import { resolvePreferredOpenClawTmpDir } from "../infra/tmp-openclaw-dir.js";
import { runExec } from "../process/exec.js";
import { MediaAttachmentCache } from "./attachments.js";
import {
@@ -566,7 +566,9 @@ export async function runCliEntry(params: {
maxBytes,
timeoutMs,
});
const outputDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-media-cli-"));
const outputDir = await fs.mkdtemp(
path.join(resolvePreferredOpenClawTmpDir(), "openclaw-media-cli-"),
);
const mediaPath = pathResult.path;
const outputBase = path.join(outputDir, path.parse(mediaPath).name);