fix(whatsapp): strip control characters from outbound document fileName

[masatohoshino]

Summary

• Problem: createWebSendApi document branch applied only .trim() to sendOptions?.fileName before passing it to Baileys; a caller supplying a fileName containing CR, LF, or other C0/DEL control characters could embed those bytes in the outbound document message metadata, enabling CWE-93-style header injection via Baileys' HTTP-like send path.
• Why it matters: The fileName value originates from documentMessage.fileName on the inbound WhatsApp wire (forwarded through monitor.ts), so a message sender can supply arbitrary bytes. The old code did not sanitize this surface.
• What changed: resolveWhatsAppDocumentFileName() in extensions/whatsapp/src/document-filename.ts now strips \x00-\x1f and \x7f (all C0 control characters + DEL) from fileName before .trim(), and falls back to a MIME-derived filename (e.g., "file.pdf" for application/pdf) when the stripped result is empty. Three tests in extensions/whatsapp/src/document-filename.test.ts cover CRLF injection, control-character strip, and the all-control fallback. The lint-suppression allowlist in test/scripts/lint-suppressions.test.ts records the intentional no-control-regex suppress comment.
• What did NOT change (scope boundary): mimetype passthrough (B-4), caption Bidi/control strip (C-4), inbound media.ts/monitor.ts chain, src/media/sanitize-filename.ts (B-1, blocked on PR fix(media): strip control and bidi characters from outbound filenames #72973), CHANGELOG.md, docs.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related fix(whatsapp): respect audioAsVoice flag in outbound delivery #68744 (closed PR, close message: "split/reviewed separately" — resubmit confirmed OK)
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: The document-send branch only called .trim(), which removes leading/trailing whitespace but leaves CR, LF, and other control characters intact anywhere in the string.
• Missing detection / guardrail: No test for injection payloads in fileName; existing tests passed only clean filenames.
• Contributing context (if known): fileName propagates verbatim from the inbound WhatsApp documentMessage.fileName field through monitor.ts → sendOptions.fileName, so any peer can supply arbitrary bytes.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: extensions/whatsapp/src/document-filename.test.ts
• Scenario the test should lock in: (1) CRLF-containing fileName reaches resolveWhatsAppDocumentFileName with CR/LF stripped; (2) C0/DEL control characters stripped, valid chars preserved; (3) all-control filename falls back to MIME-derived name (e.g., "file.pdf" for application/pdf).
• Why this is the smallest reliable guardrail: The sanitizer is a pure function; injection can be asserted by calling it directly with attacker-controlled inputs and verifying the return value.
• Existing test that already covers this (if any): None — no prior test exercised control-character inputs.
• If no new test is added, why not: N/A — 3 tests added.

User-visible / Behavior Changes

Documents sent with filenames containing control characters will have those characters stripped before delivery. Filenames consisting entirely of control characters will fall back to a MIME-derived filename (e.g., "file.pdf" for application/pdf). Clean filenames are unaffected.

Diagram (if applicable)

Before:
[sendOptions.fileName = "evil.pdf\r\nX-Injected: bad"]
  -> .trim()
  -> fileName = "evil.pdf\r\nX-Injected: bad"  (injection survives)

After:
[sendOptions.fileName = "evil.pdf\r\nX-Injected: bad"]
  -> strip [\x00-\x1f\x7f]
  -> .trim()
  -> fileName = "evil.pdfX-Injected: bad"  (CR/LF removed)

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux (Ubuntu 22.04)
• Runtime/container: Node 22, pnpm
• Model/provider: N/A
• Integration/channel (if any): WhatsApp (Baileys)
• Relevant config (redacted): N/A

Steps

1. Before fix: call sendMessage(jid, "doc", buffer, "application/pdf", { fileName: "evil.pdf\r\nX-Injected: bad" }).
2. Observe sendMessage mock receives fileName: "evil.pdf\r\nX-Injected: bad" (injection present).
3. After fix: same call passes fileName: "evil.pdfX-Injected: bad" (CR/LF stripped).

Expected

fileName passed to Baileys contains no C0 control characters or DEL.

Actual (before fix)

CR and LF bytes survived .trim() in the middle of the string.

Evidence

• Baileys outbound document payload boundary — real Baileys runtime spy-through (see Real behavior proof section below)

# document-filename.test.ts (6 tests, PR HEAD 1f377fe0ed):
Test Files  1 passed (1)
     Tests  6 passed (6)
  Duration  411ms

# lint-suppressions.test.ts (3 tests):
Test Files  1 passed (1)
     Tests  3 passed (3)

Human Verification (required)

• Verified scenarios: CRLF strip (middle-of-string), NUL + US + DEL strip (non-printable C0/DEL), all-control fallback to MIME-derived name, clean fileName passthrough (regression).
• Edge cases checked: \r\n\x00\x1f all-control → "file.pdf" (MIME fallback for application/pdf); "invoice.pdf" unchanged; "a\x00b\x1fc\x7f.pdf" → "abc.pdf".
• What you did not verify: live Baileys wire behavior (requires a running WhatsApp session); no E2E or live test run.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: A fileName containing valid text that begins/ends with whitespace (but no control chars) is already trimmed by the old code. The new code strips control chars first, then trims — same trim behavior, narrower bypass window.
  • Mitigation: The regression test "returns plain filename unchanged when no control characters present" passes a clean "document.pdf" and verifies it reaches the sanitizer unchanged.

Real behavior proof

Behavior addressed: WhatsApp outbound document fileName values containing C0 control characters and DEL — including CR, LF, NUL, US, and DEL — are stripped before reaching the Baileys document payload. If the stripped filename becomes empty, the existing MIME-aware fallback is used. Clean filenames are preserved.

Real environment tested: Linux/Ubuntu, Node v22.22.2, pnpm 11.1.0, PR HEAD 1f377fe0ed. PR source modules loaded directly from this branch via tsx — extensions/whatsapp/src/inbound/send-api.ts (createWebSendApi) and extensions/whatsapp/src/document-filename.ts (resolveWhatsAppDocumentFileName). The socket is a real Baileys 7.0.0-rc11 WhatsApp Web client (makeWASocket + useMultiFileAuthState), paired via requestPairingCode to a dedicated proof account that owns the recipient number, and the recipient is the same account's own self chat. No mock sock, no fake recorder: a 1-deep sendMessage spy wrapper captures payload.fileName / payload.mimetype and then unconditionally awaits the original Baileys sock.sendMessage bound to the same socket instance, so every captured send is also a real send.

Exact steps or command run after this patch:

From a clean checkout of this branch on a host with pnpm install completed, and with an own WhatsApp account number available for proof-only pairing.

First, create a proof-only auth store outside the repo, mode 0700:

mkdir -p "$HOME/.openclaw/credentials/proof-77114-whatsapp"
chmod 700 "$HOME/.openclaw/credentials/proof-77114-whatsapp"

Then run the proof script interactively. The script connects a real Baileys 7.0.0-rc11 WhatsApp Web socket, requests a pairing code (it handles the restartRequired (515) re-connect after the phone accepts the code), then routes ONE document send through createWebSendApi (the PR-modified boundary). sock.sendMessage is wrapped as a spy that LOGS payload.fileName and ALWAYS delegates to the real Baileys sock.sendMessage. The phone number is read from env, never echoed; the recipient JID and WA message id are not printed and are redacted in the public proof. Enter the printed pairing code on the primary phone (WhatsApp → Linked Devices → Link with phone number instead).

WA_PROOF_PHONE_DIGITS=<digits-only own number> \
WA_PROOF_AUTH_DIR="$HOME/.openclaw/credentials/proof-77114-whatsapp" \
node_modules/.bin/tsx --tsconfig tsconfig.json \
  scripts/proof-77114-baileys-runtime.ts

Evidence after fix:

Output captured on PR HEAD 1f377fe0ed, Node v22.22.2, baileys 7.0.0-rc11, one live Baileys session paired against the proof account. The phone number is never echoed; the recipient JID and WA message id are fully redacted.

connection_opened           : true
real_socket_used            : true (baileys 7.0.0-rc11)
spy_wrapper_used            : true (LOG + always delegate)
delegated_to_original       : true
fake_sock_used              : false (no recorder; spy ALWAYS calls original)
recipient_jid               : <redacted>
payload_keys                : ["document","fileName","caption","mimetype"]
payload_mimetype            : "text/plain"
input_fileName_escaped      : "oc-proof-\r\ninjected\x00\x1f\x7f.txt"
input_fileName_hex          : \x6f\x63\x2d\x70\x72\x6f\x6f\x66\x2d\x0d\x0a\x69\x6e\x6a\x65\x63\x74\x65\x64\x00\x1f\x7f\x2e\x74\x78\x74
actual_payload_fileName     : "oc-proof-injected.txt"
actual_payload_fileName_hex : \x6f\x63\x2d\x70\x72\x6f\x6f\x66\x2d\x69\x6e\x6a\x65\x63\x74\x65\x64\x2e\x74\x78\x74
expected_sanitized_fileName : "oc-proof-injected.txt"
fileName_matches_expected   : true
send_result_exists          : true
send_result_message_id      : <redacted>

Observed result after fix:

The five control bytes present in the input filename hex — \x0d (CR), \x0a (LF), \x00 (NUL), \x1f (US), \x7f (DEL) — are all absent from the payload hex handed to real Baileys sock.sendMessage. resolveWhatsAppDocumentFileName collapsed the dirty filename to "oc-proof-injected.txt" before createWebSendApi constructed the document payload, and the same value reached the real WhatsApp Web socket (the spy wrapper delegated, the socket returned a real message id). For an all-control input, the existing MIME-aware fallback path is exercised by the unit tests in extensions/whatsapp/src/document-filename.test.ts (case "3. all-control → MIME fallback"); the live boundary capture above covers the non-empty injection case, which is the realistic CWE-93 vector.

Phone-side verification also confirmed the delivered WhatsApp document displayed as oc-proof-injected.txt with caption OpenClaw #77114 proof; no phone number, JID, contact list, or message id is included in the public proof.

What was not tested:

• The other WhatsApp content paths (image / audio / video / mentions / quote / caption) are not exercised by this proof. Caption / mentions sanitization is tracked separately (PR-CANDIDATES C-4).
• Inbound documentMessage.fileName propagation through media.ts / monitor.ts is observed only indirectly: the inbound surface is what supplies attacker-controlled bytes, and this PR's sanitizer sits at the outbound boundary.
• The proof socket is short-lived (paired, one send, closed). Long-running session behavior is not exercised.
• No phone number, full recipient JID, full WA message id, credential, token, or chat-list metadata was logged or captured. The proof-only Baileys auth state lives in a directory outside the repo (mode 0700) and is never committed.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 28, 2026, 12:07 AM ET / 04:07 UTC.

Summary
The PR strips C0 control characters and DEL from WhatsApp outbound document filenames in resolveWhatsAppDocumentFileName, adds regression tests, and records the required lint suppression.

PR surface: Source +3, Tests +53. Total +56 across 3 files.

Reproducibility: yes. Source inspection on current main shows the resolver only trims and the send API forwards the resulting fileName into the Baileys document payload; the PR body also provides before/after Baileys runtime proof for the sanitized path.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Next step before merge

• [P2] No repair lane is needed; the remaining action is ordinary maintainer review, required checks, and merge gating for the open PR.

Security
Cleared: The diff narrows an outbound WhatsApp document metadata surface and does not add dependencies, scripts, permissions, secrets handling, or new network calls.

Review details

Best possible solution:

Land the narrow helper-level sanitization after required checks; keep broader filename or caption hardening as separately scoped follow-up work rather than expanding this PR.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection on current main shows the resolver only trims and the send API forwards the resulting fileName into the Baileys document payload; the PR body also provides before/after Baileys runtime proof for the sanitized path.

Is this the best way to solve the issue?

Yes. Centralizing the strip in resolveWhatsAppDocumentFileName is the narrow maintainable fix for both document branches that already use the helper, without changing config, provider routing, or Baileys integration semantics.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 736e04cb9099.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live Baileys runtime output showing the sanitized filename reaching a real sock.sendMessage, and the latest head only changes the related test coverage.

Label justifications:

• P2: This is a bounded WhatsApp security hardening fix for outbound document metadata with limited channel-specific blast radius.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix live Baileys runtime output showing the sanitized filename reaching a real sock.sendMessage, and the latest head only changes the related test coverage.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live Baileys runtime output showing the sanitized filename reaching a real sock.sendMessage, and the latest head only changes the related test coverage.

Evidence reviewed

PR surface:

Source +3, Tests +53. Total +56 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	4	1	+3
Tests	2	53	0	+53
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	57	1	+56

What I checked:

• Root repository policy read: Read the full root AGENTS.md; its OpenClaw review policy and plugin-boundary guidance were applied to this PR review. (AGENTS.md:1, 736e04cb9099)
• Scoped extension policy read: Read extensions/AGENTS.md; the touched WhatsApp files stay inside the plugin boundary and do not add core or cross-plugin imports. (extensions/AGENTS.md:1, 736e04cb9099)
• Current main behavior: Current main resolves WhatsApp document filenames with only .trim() or MIME fallback, so embedded CR/LF, NUL, US, and DEL can remain when not at trim boundaries. (extensions/whatsapp/src/document-filename.ts:16, 736e04cb9099)
• Current send path forwards the helper result: createWebSendApi passes sendOptions?.fileName through resolveWhatsAppDocumentFileName before assigning the Baileys document payload fileName. (extensions/whatsapp/src/inbound/send-api.ts:89, 736e04cb9099)
• Latest release still has the old behavior: The latest release tag v2026.5.26 contains the same .trim()-only resolver, so this hardening is not already shipped. (extensions/whatsapp/src/document-filename.ts:16, 10ad3aa16068)
• PR implementation: PR head strips [�-��], trims after stripping, and falls back to the existing MIME-derived default when the stripped value is empty. (extensions/whatsapp/src/document-filename.ts:18, f419b4809c0c)

Likely related people:

• scoootscooob: Commit 16505718e8278e6c8dff0e5227a5cb5a9f7c56df moved the WhatsApp channel implementation, including inbound/send-api.ts, into extensions/whatsapp. (role: introduced current extension send surface; confidence: medium; commits: 16505718e827; files: extensions/whatsapp/src/inbound/send-api.ts, extensions/whatsapp/src/inbound/send-api.test.ts)
• bobbyt74: Commit cae1d9bc6d6c0e601e3b9ff0f6c2f9e9a1fcaa0d added WhatsApp MIME fallback behavior and tests in the same inbound send API area. (role: adjacent fallback behavior contributor; confidence: medium; commits: cae1d9bc6d6c; files: extensions/whatsapp/src/inbound/send-api.ts, extensions/whatsapp/src/inbound/send-api.test.ts)
• mcaxtr: The MIME fallback commit records mcaxtr as reviewer/co-author, and the latest PR head commit tightens the DEL regression test on this exact sanitizer surface. (role: recent reviewer and adjacent owner; confidence: high; commits: cae1d9bc6d6c, f419b4809c0c; files: extensions/whatsapp/src/inbound/send-api.ts, extensions/whatsapp/src/document-filename.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[masatohoshino]

@byungskers Thanks for the thoughtful review!

I did a quick pass over the WhatsApp filename-like metadata paths, and I agree this is worth tracking separately. A couple of related document filename paths should be covered by the shared media filename sanitization work in #72973, and at least one remaining path looks better suited for an independent follow-up.

I’d still keep this PR scoped to the outbound document fileName boundary covered by the regression tests here. Captions/location fields look semantically different since they flow as message text rather than filename/header-like metadata.

Thanks again — I’ll treat the remaining paths as follow-up candidates rather than blockers for this PR.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Neon Diff Drake

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: hums during re-review.
Image traits: location branch lighthouse; accessory rollback rope; palette plum, gold, and soft gray; mood focused; pose pointing at a small proof artifact; shell smooth pearl shell; lighting tiny status-light glow; background gentle dashboard dots.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Neon Diff Drake in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[mcaxtr]

Merged via squash.

• Prepared head SHA: 5417a8ee2c7b06c1540e4bb267dbdb4fa95e726f
• Merge commit: 313d6ae1b3c42e6cc42f80d18c27b56f76b3334c

Thanks @masatohoshino!