mirror of
https://github.com/siteboon/claudecodeui.git
synced 2026-07-07 14:12:40 +08:00
fix: address code review findings
- validate chat image attachments server-side: only files inside the ~/.cloudcli/assets upload store may reach provider file reads - harden asset serving with nosniff and attachment disposition for SVGs to prevent stored XSS - show the timestamp on image-only user messages - serialize git stage/unstage calls and defer the status re-sync so rapid toggles can't interleave or flicker - use a literal hex fallback for commit ref badges (alpha suffix on a var() string produced invalid CSS) - stop binding a URL session to a guening project instead - add the missing attentionRequiredIndicator key to all sidebar locales - clean up dangling conjunctions left the de/ru/tr/ja/zh-CN/zh-TW READMEs
This commit is contained in:
44
server/modules/websocket/tests/chat-image-filter.test.ts
Normal file
44
server/modules/websocket/tests/chat-image-filter.test.ts
Normal file
@@ -0,0 +1,44 @@
|
||||
import assert from 'node:assert/strict';
|
||||
import os from 'node:os';
|
||||
import path from 'node:path';
|
||||
import test from 'node:test';
|
||||
|
||||
import { filterImagesToUploadStore } from '@/modules/websocket/services/chat-websocket.service.js';
|
||||
|
||||
const STORE = path.join(os.tmpdir(), 'cloudcli-assets-store');
|
||||
|
||||
test('images inside the upload store pass through', () => {
|
||||
const inside = path.join(STORE, 'shot.png');
|
||||
const result = filterImagesToUploadStore(
|
||||
[{ path: inside, name: 'shot.png', mimeType: 'image/png' }],
|
||||
STORE,
|
||||
);
|
||||
assert.equal(result.length, 1);
|
||||
assert.equal(result[0].path, inside);
|
||||
});
|
||||
|
||||
test('bare filenames are anchored inside the store', () => {
|
||||
const result = filterImagesToUploadStore(['shot.png'], STORE);
|
||||
assert.equal(result.length, 1);
|
||||
});
|
||||
|
||||
test('paths outside the store, traversal, and subdirs are dropped', () => {
|
||||
const result = filterImagesToUploadStore(
|
||||
[
|
||||
{ path: 'C:/Users/victim/.ssh/id_rsa' },
|
||||
{ path: '/etc/passwd' },
|
||||
{ path: '../outside.png' },
|
||||
{ path: path.join(STORE, '..', 'escaped.png') },
|
||||
{ path: path.join(STORE, 'nested', 'deep.png') },
|
||||
{ path: STORE }, // the store folder itself is not a file
|
||||
],
|
||||
STORE,
|
||||
);
|
||||
assert.deepEqual(result, []);
|
||||
});
|
||||
|
||||
test('malformed payloads yield no images', () => {
|
||||
assert.deepEqual(filterImagesToUploadStore(undefined, STORE), []);
|
||||
assert.deepEqual(filterImagesToUploadStore('nope', STORE), []);
|
||||
assert.deepEqual(filterImagesToUploadStore([{ name: 'no-path' }, 42], STORE), []);
|
||||
});
|
||||
Reference in New Issue
Block a user