github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 19:18:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden avatar validation and size limits

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 08:35:23 +01:00
parent 049b8b14bc
commit e0db04a50d
9 changed files with 200 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/agents/identity-avatar.e2e.test.ts
View File

@@ -3,6 +3,7 @@ import os from "node:os";
import path from "node:path";
import { afterEach, describe, expect, it } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
import { AVATAR_MAX_BYTES } from "../shared/avatar-policy.js";
import { resolveAgentAvatar } from "./identity-avatar.js";
async function writeFile(filePath: string, contents = "avatar") {
@@ -127,6 +128,26 @@ describe("resolveAgentAvatar", () => {
}
});
it("rejects local avatars larger than max bytes", async () => {
const root = await createTempAvatarRoot();
const workspace = path.join(root, "work");
const avatarPath = path.join(workspace, "avatars", "too-big.png");
await fs.mkdir(path.dirname(avatarPath), { recursive: true });
await fs.writeFile(avatarPath, Buffer.alloc(AVATAR_MAX_BYTES + 1));
const cfg: OpenClawConfig = {
agents: {
list: [{ id: "main", workspace, identity: { avatar: "avatars/too-big.png" } }],
},
};
const resolved = resolveAgentAvatar(cfg, "main");
expect(resolved.kind).toBe("none");
if (resolved.kind === "none") {
expect(resolved.reason).toBe("too_large");
}
});
it("accepts remote and data avatars", () => {
const cfg: OpenClawConfig = {
agents: {