farcasclaudiu/openclaw
1
0
Fork 0
mirror of https://github.com/farcasclaudiu/openclaw.git synced 2026-06-28 21:01:43 +03:00
Code Issues Packages Projects Releases Wiki Activity

test(browser): add file-chooser traversal regression

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-14 18:17:02 +01:00
parent 29b587e73c
commit 09e2160080
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/browser/server.agent-contract-form-layout-act-commands.test.ts
+17
View File
@@ -488,6 +488,23 @@ describe("browser control server", () => {
expect(typeof shot.path).toBe("string"); expect(typeof shot.path).toBe("string");
}); });
it("blocks file chooser traversal / absolute paths outside uploads dir", async () => {
const base = await startServerAndBase();
const traversal = await postJson<{ error?: string }>(`${base}/hooks/file-chooser`, {
paths: ["../../../../etc/passwd"],
});
expect(traversal.error).toContain("Invalid path");
expect(pwMocks.armFileUploadViaPlaywright).not.toHaveBeenCalled();
const absOutside = path.join(path.parse(DEFAULT_UPLOAD_DIR).root, "etc", "passwd");
const abs = await postJson<{ error?: string }>(`${base}/hooks/file-chooser`, {
paths: [absOutside],
});
expect(abs.error).toContain("Invalid path");
expect(pwMocks.armFileUploadViaPlaywright).not.toHaveBeenCalled();
});
it("agent contract: stop endpoint", async () => { it("agent contract: stop endpoint", async () => {
const base = await startServerAndBase(); const base = await startServerAndBase();