openclaw/src
Joao Lisboa b94b220156 Fix path traversal vulnerability in media server
The /media/:id endpoint was vulnerable to path traversal attacks.
Since this endpoint is exposed via Tailscale Funnel (unlike the
WhatsApp webhook which requires Twilio signature validation),
attackers could directly request paths like /media/%2e%2e%2fwarelay.json
to access sensitive files in ~/.warelay/ (e.g. warelay.json), or even
escape further to the user's home directory via multiple ../ sequences.

Fix: validate resolved paths stay within the media directory.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-02 19:33:21 +01:00
agents Tests: cover agents and fix web defaults 2025-12-02 11:08:00 +00:00
auto-reply Tests: cover agents and fix web defaults 2025-12-02 11:08:00 +00:00
cli feat(heartbeat): allow manual message and dry-run for web/twilio 2025-11-28 08:14:07 +01:00
commands Tests: cover agents and fix web defaults 2025-12-02 11:08:00 +00:00
config Agents: add pluggable CLIs 2025-12-02 11:07:46 +00:00
infra chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
media Fix path traversal vulnerability in media server 2025-12-02 19:33:21 +01:00
process chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
providers chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
twilio feat(heartbeat): allow manual message and dry-run for web/twilio 2025-11-28 08:14:07 +01:00
web chore(security): purge session store on logout 2025-12-02 16:33:44 +00:00
webhook chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
env.test.ts chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
env.ts chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
globals.test.ts chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
globals.ts chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
index.commands.test.ts chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
index.core.test.ts Agents: add pluggable CLIs 2025-12-02 11:07:46 +00:00
index.test.ts chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
index.ts Heartbeat defaults and ws guard; format 2025-11-27 18:37:30 +01:00
logger.test.ts chore(logs): rotate daily and prune after 24h 2025-12-02 17:11:43 +00:00
logger.ts chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
logging.ts chore(logs): rotate daily and prune after 24h 2025-12-02 17:11:43 +00:00
provider-web.barrel.test.ts docs: finalize web refactor and coverage 2025-11-26 02:54:43 +01:00
provider-web.ts Heartbeat: harden targeting and support lid mapping 2025-11-26 18:15:57 +01:00
runtime.ts chore: format to 2-space and bump changelog 2025-11-26 00:53:53 +01:00
utils.test.ts Heartbeat: harden targeting and support lid mapping 2025-11-26 18:15:57 +01:00
utils.ts Heartbeat: harden targeting and support lid mapping 2025-11-26 18:15:57 +01:00
version.ts Refactor: derive version from package.json 2025-11-25 17:10:53 +01:00