wangjunxiao/nanoclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sanitize agent sent file names to prevent path traversal

Browse Source
This commit is contained in:
gavrielc
2026-04-30 10:33:46 +03:00
parent 34f3612877
commit 6e5e568da1
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/session-manager.ts
View File

@@ -372,6 +372,11 @@ export function readOutboxFiles(
if (!fs.existsSync(outboxDir)) return undefined; if (!fs.existsSync(outboxDir)) return undefined;
const files: OutboundFile[] = []; const files: OutboundFile[] = [];
for (const filename of filenames) { for (const filename of filenames) {
// Reject any name that isn't a bare basename before touching the filesystem.
if (!isSafeAttachmentName(filename)) {
log.warn('Refused unsafe outbox filename — would escape outbox', { messageId, filename });
continue;
}
const filePath = path.join(outboxDir, filename); const filePath = path.join(outboxDir, filename);
if (fs.existsSync(filePath)) { if (fs.existsSync(filePath)) {
files.push({ filename, data: fs.readFileSync(filePath) }); files.push({ filename, data: fs.readFileSync(filePath) });