fix(security): harden avatar validation and size limits
This commit is contained in:
Peter Steinberger
43
src/shared/avatar-policy.test.ts
Normal file
43
src/shared/avatar-policy.test.ts
Normal file
@@ -0,0 +1,43 @@
|
||||
import path from "node:path";
|
||||
import { describe, expect, it } from "vitest";
|
||||
import {
|
||||
isPathWithinRoot,
|
||||
isSupportedLocalAvatarExtension,
|
||||
isWorkspaceRelativeAvatarPath,
|
||||
looksLikeAvatarPath,
|
||||
resolveAvatarMime,
|
||||
} from "./avatar-policy.js";
|
||||
|
||||
describe("avatar policy", () => {
|
||||
it("accepts workspace-relative avatar paths and rejects URI schemes", () => {
|
||||
expect(isWorkspaceRelativeAvatarPath("avatars/openclaw.png")).toBe(true);
|
||||
expect(isWorkspaceRelativeAvatarPath("C:\\\\avatars\\\\openclaw.png")).toBe(true);
|
||||
expect(isWorkspaceRelativeAvatarPath("https://example.com/avatar.png")).toBe(false);
|
||||
expect(isWorkspaceRelativeAvatarPath("data:image/png;base64,AAAA")).toBe(false);
|
||||
expect(isWorkspaceRelativeAvatarPath("~/avatar.png")).toBe(false);
|
||||
});
|
||||
|
||||
it("checks path containment safely", () => {
|
||||
const root = path.resolve("/tmp/root");
|
||||
expect(isPathWithinRoot(root, path.resolve("/tmp/root/avatars/a.png"))).toBe(true);
|
||||
expect(isPathWithinRoot(root, path.resolve("/tmp/root/../outside.png"))).toBe(false);
|
||||
});
|
||||
|
||||
it("detects avatar-like path strings", () => {
|
||||
expect(looksLikeAvatarPath("avatars/openclaw.svg")).toBe(true);
|
||||
expect(looksLikeAvatarPath("openclaw.webp")).toBe(true);
|
||||
expect(looksLikeAvatarPath("A")).toBe(false);
|
||||
});
|
||||
|
||||
it("supports expected local file extensions", () => {
|
||||
expect(isSupportedLocalAvatarExtension("avatar.png")).toBe(true);
|
||||
expect(isSupportedLocalAvatarExtension("avatar.svg")).toBe(true);
|
||||
expect(isSupportedLocalAvatarExtension("avatar.ico")).toBe(false);
|
||||
});
|
||||
|
||||
it("resolves mime type from extension", () => {
|
||||
expect(resolveAvatarMime("a.svg")).toBe("image/svg+xml");
|
||||
expect(resolveAvatarMime("a.tiff")).toBe("image/tiff");
|
||||
expect(resolveAvatarMime("a.bin")).toBe("application/octet-stream");
|
||||
});
|
||||
});
|
||||
83
src/shared/avatar-policy.ts
Normal file
83
src/shared/avatar-policy.ts
Normal file
@@ -0,0 +1,83 @@
|
||||
import path from "node:path";
|
||||
|
||||
export const AVATAR_MAX_BYTES = 2 * 1024 * 1024;
|
||||
|
||||
const LOCAL_AVATAR_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"]);
|
||||
|
||||
const AVATAR_MIME_BY_EXT: Record<string, string> = {
|
||||
".png": "image/png",
|
||||
".jpg": "image/jpeg",
|
||||
".jpeg": "image/jpeg",
|
||||
".webp": "image/webp",
|
||||
".gif": "image/gif",
|
||||
".svg": "image/svg+xml",
|
||||
".bmp": "image/bmp",
|
||||
".tif": "image/tiff",
|
||||
".tiff": "image/tiff",
|
||||
};
|
||||
|
||||
export const AVATAR_DATA_RE = /^data:/i;
|
||||
export const AVATAR_IMAGE_DATA_RE = /^data:image\//i;
|
||||
export const AVATAR_HTTP_RE = /^https?:\/\//i;
|
||||
export const AVATAR_SCHEME_RE = /^[a-z][a-z0-9+.-]*:/i;
|
||||
export const WINDOWS_ABS_RE = /^[a-zA-Z]:[\\/]/;
|
||||
|
||||
const AVATAR_PATH_EXT_RE = /\.(png|jpe?g|gif|webp|svg|ico)$/i;
|
||||
|
||||
export function resolveAvatarMime(filePath: string): string {
|
||||
const ext = path.extname(filePath).toLowerCase();
|
||||
return AVATAR_MIME_BY_EXT[ext] ?? "application/octet-stream";
|
||||
}
|
||||
|
||||
export function isAvatarDataUrl(value: string): boolean {
|
||||
return AVATAR_DATA_RE.test(value);
|
||||
}
|
||||
|
||||
export function isAvatarImageDataUrl(value: string): boolean {
|
||||
return AVATAR_IMAGE_DATA_RE.test(value);
|
||||
}
|
||||
|
||||
export function isAvatarHttpUrl(value: string): boolean {
|
||||
return AVATAR_HTTP_RE.test(value);
|
||||
}
|
||||
|
||||
export function hasAvatarUriScheme(value: string): boolean {
|
||||
return AVATAR_SCHEME_RE.test(value);
|
||||
}
|
||||
|
||||
export function isWindowsAbsolutePath(value: string): boolean {
|
||||
return WINDOWS_ABS_RE.test(value);
|
||||
}
|
||||
|
||||
export function isWorkspaceRelativeAvatarPath(value: string): boolean {
|
||||
if (!value) {
|
||||
return false;
|
||||
}
|
||||
if (value.startsWith("~")) {
|
||||
return false;
|
||||
}
|
||||
if (hasAvatarUriScheme(value) && !isWindowsAbsolutePath(value)) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
export function isPathWithinRoot(rootDir: string, targetPath: string): boolean {
|
||||
const relative = path.relative(rootDir, targetPath);
|
||||
if (relative === "") {
|
||||
return true;
|
||||
}
|
||||
return !relative.startsWith("..") && !path.isAbsolute(relative);
|
||||
}
|
||||
|
||||
export function looksLikeAvatarPath(value: string): boolean {
|
||||
if (/[\\/]/.test(value)) {
|
||||
return true;
|
||||
}
|
||||
return AVATAR_PATH_EXT_RE.test(value);
|
||||
}
|
||||
|
||||
export function isSupportedLocalAvatarExtension(filePath: string): boolean {
|
||||
const ext = path.extname(filePath).toLowerCase();
|
||||
return LOCAL_AVATAR_EXTENSIONS.has(ext);
|
||||
}
|
||||
Reference in New Issue
Block a user