Merge 6b1fe51 into 0f35ec2

mjamiv · web-flow · commit d5e97245d9b8 · 2026-05-25T22:18:50.000Z
diff --git a/src/auto-reply/reply/reply-media-paths.test.ts b/src/auto-reply/reply/reply-media-paths.test.ts
@@ -252,6 +252,28 @@ describe("createReplyMediaPathNormalizer", () => {
     expect(resolveOutboundAttachmentFromUrl).not.toHaveBeenCalled();
   });
 
+  it("stages absolute workspace media paths before sandbox mapping", async () => {
+    ensureSandboxWorkspaceForSession.mockResolvedValue({
+      workspaceDir: "/tmp/sandboxes/session-1",
+      containerWorkdir: "/workspace",
+    });
+    const absolutePath = "/Users/peter/.openclaw/workspace/reports/screenshot.png";
+    const normalize = createReplyMediaPathNormalizer({
+      cfg: {},
+      sessionKey: "session-key",
+      workspaceDir: "/Users/peter/.openclaw/workspace",
+    });
+
+    const result = await normalize({
+      mediaUrls: [absolutePath],
+    });
+
+    expectMedia(result, "/tmp/outbound-media/screenshot.png", [
+      "/tmp/outbound-media/screenshot.png",
+    ]);
+    expectOutboundAttachmentCall(0, absolutePath, 5 * 1024 * 1024);
+  });
+
   it("stages absolute workspace media paths so the PR scenario now works", async () => {
     const absolutePath = "/Users/peter/.openclaw/workspace/exports/images/chart.png";
     const normalize = createReplyMediaPathNormalizer({
diff --git a/src/auto-reply/reply/reply-media-paths.ts b/src/auto-reply/reply/reply-media-paths.ts
@@ -144,6 +144,17 @@ export function createReplyMediaPathNormalizer(params: {
     return resolvePathFromInput(relativeWorkspacePath, params.workspaceDir);
   };
 
+  const resolveAbsoluteWorkspaceMedia = (media: string): string | undefined => {
+    if (FILE_URL_RE.test(media) || (!path.isAbsolute(media) && !WINDOWS_DRIVE_RE.test(media))) {
+      return undefined;
+    }
+    try {
+      return resolveWorkspaceRelativeMedia(media);
+    } catch {
+      return undefined;
+    }
+  };
+
   const normalizeMediaSource = async (raw: string): Promise<string> => {
     const media = raw.trim();
     if (!media) {
@@ -153,6 +164,10 @@ export function createReplyMediaPathNormalizer(params: {
     if (isPassThroughRemoteMediaSource(media)) {
       return media;
     }
+    const absoluteWorkspaceMedia = resolveAbsoluteWorkspaceMedia(media);
+    if (absoluteWorkspaceMedia) {
+      return await persistLocalReplyMedia(absoluteWorkspaceMedia);
+    }
     const isRelativeLocalMedia =
       isLikelyLocalMediaSource(media) &&
       !FILE_URL_RE.test(media) &&
diff --git a/src/media/web-media.test.ts b/src/media/web-media.test.ts
@@ -759,6 +759,20 @@ describe("loadWebMedia", () => {
     expect(result.contentType).toBe("text/markdown");
   });
 
+  it("rejects host-read HTML files without a separate security-boundary approval", async () => {
+    const htmlFile = path.join(fixtureRoot, "report.html");
+    await fs.writeFile(htmlFile, "<!doctype html><title>Report</title><h1>Report</h1>\n", "utf8");
+    await expectLoadWebMediaErrorCode(
+      loadWebMedia(htmlFile, {
+        maxBytes: 1024 * 1024,
+        localRoots: "any",
+        readFile: async (filePath) => await fs.readFile(filePath),
+        hostReadCapability: true,
+      }),
+      "path-not-allowed",
+    );
+  });
+
   it.each([
     {
       label: "ZIP",
@@ -819,6 +833,7 @@ describe("loadWebMedia", () => {
 
   it.each([
     { label: "CSV", fileName: "opaque.csv" },
+    { label: "HTML", fileName: "opaque.html" },
     { label: "Markdown", fileName: "opaque.md" },
   ])("rejects opaque non-NUL binary data disguised as %s", async ({ fileName }) => {
     const fakeTextFile = path.join(fixtureRoot, fileName);
@@ -840,6 +855,7 @@ describe("loadWebMedia", () => {
 
   it.each([
     { label: "CSV", fileName: "prefix-tail.csv" },
+    { label: "HTML", fileName: "prefix-tail.html" },
     { label: "Markdown", fileName: "prefix-tail.md" },
   ])(
     "rejects %s files with a text prefix and binary tail after the old sample window",
@@ -907,6 +923,7 @@ describe("loadWebMedia", () => {
 
   it.each([
     { label: "CSV", fileName: "nul-padded.csv" },
+    { label: "HTML", fileName: "nul-padded.html" },
     { label: "Markdown", fileName: "nul-padded.md" },
   ])("rejects NUL-padded binary data disguised as %s", async ({ fileName }) => {
     const fakeTextFile = path.join(fixtureRoot, fileName);
@@ -930,6 +947,7 @@ describe("loadWebMedia", () => {
 
   it.each([
     { label: "CSV", fileName: "bom-binary.csv" },
+    { label: "HTML", fileName: "bom-binary.html" },
     { label: "Markdown", fileName: "bom-binary.md" },
   ])("rejects UTF-16 BOM-prefixed binary data disguised as %s", async ({ fileName }) => {
     const fakeTextFile = path.join(fixtureRoot, fileName);
@@ -953,6 +971,7 @@ describe("loadWebMedia", () => {
 
   it.each([
     { label: "CSV", fileName: "alternating-high.csv" },
+    { label: "HTML", fileName: "alternating-high.html" },
     { label: "Markdown", fileName: "alternating-high.md" },
   ])("rejects alternating ASCII/high-byte data disguised as %s", async ({ fileName }) => {
     const fakeTextFile = path.join(fixtureRoot, fileName);
@@ -977,6 +996,7 @@ describe("loadWebMedia", () => {
 
   it.each([
     { label: "CSV", fileName: "high-bytes.csv" },
+    { label: "HTML", fileName: "high-bytes.html" },
     { label: "Markdown", fileName: "high-bytes.md" },
   ])("rejects high-byte opaque data disguised as %s", async ({ fileName }) => {
     const fakeTextFile = path.join(fixtureRoot, fileName);
diff --git a/src/media/web-media.ts b/src/media/web-media.ts
@@ -151,9 +151,13 @@ const HOST_READ_ALLOWED_DOCUMENT_MIMES = new Set([
   "text/csv",
   "text/markdown",
 ]);
-// file-type returns undefined (no magic bytes) for plain-text formats like CSV and
-// Markdown, so host-read needs an explicit "this really decodes as text" fallback.
+// file-type returns undefined (no magic bytes) for plain-text formats like CSV
+// and Markdown, so host-read needs an explicit text validation fallback.
 const HOST_READ_TEXT_PLAIN_ALIASES = new Set(["text/csv", "text/markdown"]);
+// HTML remains deliberately outside the host-read allowlist pending a separate
+// security-boundary review, but extension-declared .html files still need to
+// fail closed instead of falling through to binary/media sniffing.
+const HOST_READ_DECLARED_TEXT_MIMES = new Set([...HOST_READ_TEXT_PLAIN_ALIASES, "text/html"]);
 const MB = 1024 * 1024;
 
 function getTextStats(text: string): { printableRatio: number } {
@@ -268,12 +272,17 @@ function assertHostReadMediaAllowed(params: {
 }): void {
   const declaredMime = normalizeMimeType(mimeTypeFromFilePath(params.filePath));
   const normalizedMime = normalizeMimeType(params.contentType);
-  // For extension-declared plain-text aliases such as .csv/.md, trust only the
+  // For extension-declared plain-text aliases such as .csv/.html/.md, trust only the
   // text validator path. Some opaque blobs can still produce bogus binary MIME
   // hits (for example BOM-prefixed 0xFF data sniffing as audio/mpeg), and
   // host-read should reject those instead of returning early on the sniff.
-  if (declaredMime && HOST_READ_TEXT_PLAIN_ALIASES.has(declaredMime)) {
-    if (!params.sniffedContentType && params.buffer && isValidatedHostReadText(params.buffer)) {
+  if (declaredMime && HOST_READ_DECLARED_TEXT_MIMES.has(declaredMime)) {
+    if (
+      HOST_READ_TEXT_PLAIN_ALIASES.has(declaredMime) &&
+      !params.sniffedContentType &&
+      params.buffer &&
+      isValidatedHostReadText(params.buffer)
+    ) {
       return;
     }
     throw new LocalMediaAccessError(
