openclaw

Commit Graph

Author	SHA1	Message	Date
Leszek Szpunar	1bdd9e313f	security(web): sanitize WhatsApp accountId to prevent path traversal (#4610 ) * security(web): sanitize WhatsApp accountId to prevent path traversal Apply normalizeAccountId() from routing/session-key to resolveDefaultAuthDir() so that malicious config values like "../../../etc" cannot escape the intended auth directory. Fixes #2692 * fix(web): check sanitized segment instead of full path in Windows test * style(web): fix oxfmt formatting in accounts test	2026-02-01 14:29:53 -08:00

Author

SHA1

Message

Date

Leszek Szpunar

1bdd9e313f

security(web): sanitize WhatsApp accountId to prevent path traversal (#4610 )

* security(web): sanitize WhatsApp accountId to prevent path traversal

Apply normalizeAccountId() from routing/session-key to
resolveDefaultAuthDir() so that malicious config values like
"../../../etc" cannot escape the intended auth directory.

Fixes #2692

* fix(web): check sanitized segment instead of full path in Windows test

* style(web): fix oxfmt formatting in accounts test

2026-02-01 14:29:53 -08:00

1 Commits (6c42d3461080b5b7ddb4f5cbc29f7283ff71d9a4)