github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 09:01:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden avatar validation and size limits

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 08:35:23 +01:00
parent 049b8b14bc
commit e0db04a50d
9 changed files with 200 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/gateway/assistant-identity.ts
View File

@@ -3,6 +3,11 @@ import { resolveAgentIdentity } from "../agents/identity.js";
import { loadAgentIdentity } from "../commands/agents.config.js";
import type { OpenClawConfig } from "../config/config.js";
import { normalizeAgentId } from "../routing/session-key.js";
import {
isAvatarHttpUrl,
isAvatarImageDataUrl,
looksLikeAvatarPath,
} from "../shared/avatar-policy.js";
const MAX_ASSISTANT_NAME = 50;
const MAX_ASSISTANT_AVATAR = 200;
@@ -36,14 +41,7 @@ function coerceIdentityValue(value: string | undefined, maxLength: number): stri
}
function isAvatarUrl(value: string): boolean {
return /^https?:\/\//i.test(value) || /^data:image\//i.test(value);
}
function looksLikeAvatarPath(value: string): boolean {
if (/[\\/]/.test(value)) {
return true;
}
return /\.(png|jpe?g|gif|webp|svg|ico)$/i.test(value);
return isAvatarHttpUrl(value) || isAvatarImageDataUrl(value);
}
function normalizeAvatarValue(value: string | undefined): string | undefined {