refactor(security): harden temp-path handling for inbound media

2026-05-07 21:51:24 +00:00 · 2026-02-19 14:06:11 +01:00
parent 9f9cd5cbb2
commit ec232a9e2d
10 changed files with 235 additions and 41 deletions
--- a/src/media-understanding/attachments.ts
+++ b/src/media-understanding/attachments.ts
@@ -1,17 +1,16 @@
-import crypto from "node:crypto";
 import fs from "node:fs/promises";
-import os from "node:os";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import type { MsgContext } from "../auto-reply/templating.js";
 import type { MediaUnderstandingAttachmentsConfig } from "../config/types.tools.js";
+import type { MediaAttachment, MediaUnderstandingCapability } from "./types.js";
 import { logVerbose, shouldLogVerbose } from "../globals.js";
 import { isAbortError } from "../infra/unhandled-rejections.js";
 import { fetchRemoteMedia, MediaFetchError } from "../media/fetch.js";
 import { detectMime, getFileExtension, isAudioFileName, kindFromMime } from "../media/mime.js";
+import { buildRandomTempFilePath } from "../plugin-sdk/temp-path.js";
 import { MediaUnderstandingSkipError } from "./errors.js";
 import { fetchWithTimeout } from "./providers/shared.js";
-import type { MediaAttachment, MediaUnderstandingCapability } from "./types.js";

 type MediaBufferResult = {
  buffer: Buffer;
@@ -352,7 +351,10 @@ export class MediaAttachmentCache {
      timeoutMs: params.timeoutMs,
    });
    const extension = path.extname(bufferResult.fileName || "") || "";
-    const tmpPath = path.join(os.tmpdir(), `openclaw-media-${crypto.randomUUID()}${extension}`);
+    const tmpPath = buildRandomTempFilePath({
+      prefix: "openclaw-media",
+      extension,
+    });
    await fs.writeFile(tmpPath, bufferResult.buffer);
    entry.tempPath = tmpPath;
    entry.tempCleanup = async () => {