negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

refactor(security): harden temp-path handling for inbound media

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 14:06:11 +01:00
parent 9f9cd5cbb2
commit ec232a9e2d
10 changed files with 235 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
extensions/feishu/src/bot.ts
View File

@@ -7,11 +7,14 @@ import {
DEFAULT_GROUP_HISTORY_LIMIT,
type HistoryEntry,
} from "openclaw/plugin-sdk";
import type { FeishuMessageContext, FeishuMediaInfo, ResolvedFeishuAccount } from "./types.js";
import type { DynamicAgentCreationConfig } from "./types.js";
import { resolveFeishuAccount } from "./accounts.js";
import { createFeishuClient } from "./client.js";
import { tryRecordMessage } from "./dedup.js";
import { maybeCreateDynamicAgent } from "./dynamic-agent.js";
import { downloadImageFeishu, downloadMessageResourceFeishu } from "./media.js";
import { normalizeFeishuExternalKey } from "./external-keys.js";
import { downloadMessageResourceFeishu } from "./media.js";
import { extractMentionTargets, extractMessageBody, isMentionForwardRequest } from "./mention.js";
import {
resolveFeishuGroupConfig,
@@ -22,8 +25,6 @@ import {
import { createFeishuReplyDispatcher } from "./reply-dispatcher.js";
import { getFeishuRuntime } from "./runtime.js";
import { getMessageFeishu, sendMessageFeishu } from "./send.js";
import type { FeishuMessageContext, FeishuMediaInfo, ResolvedFeishuAccount } from "./types.js";
import type { DynamicAgentCreationConfig } from "./types.js";
// --- Permission error extraction ---
// Extract permission grant URL from Feishu API error response.
@@ -224,18 +225,20 @@ function parseMediaKeys(
} {
try {
const parsed = JSON.parse(content);
const imageKey = normalizeFeishuExternalKey(parsed.image_key);
const fileKey = normalizeFeishuExternalKey(parsed.file_key);
switch (messageType) {
case "image":
return { imageKey: parsed.image_key };
return { imageKey };
case "file":
return { fileKey: parsed.file_key, fileName: parsed.file_name };
return { fileKey, fileName: parsed.file_name };
case "audio":
return { fileKey: parsed.file_key };
return { fileKey };
case "video":
// Video has both file_key (video) and image_key (thumbnail)
return { fileKey: parsed.file_key, imageKey: parsed.image_key };
return { fileKey, imageKey };
case "sticker":
return { fileKey: parsed.file_key };
return { fileKey };
default:
return {};
}
@@ -277,7 +280,10 @@ function parsePostContent(content: string): {
}
} else if (element.tag === "img" && element.image_key) {
// Embedded image
imageKeys.push(element.image_key);
const imageKey = normalizeFeishuExternalKey(element.image_key);
if (imageKey) {
imageKeys.push(imageKey);
}
}
}
textContent += "\n";