fix(feishu): propagate mediaLocalRoots for local file sends (#27884)#27928
Merged
Takhoffman merged 2 commits intoopenclaw:mainfrom Feb 27, 2026
Merged
fix(feishu): propagate mediaLocalRoots for local file sends (#27884)#27928Takhoffman merged 2 commits intoopenclaw:mainfrom
Takhoffman merged 2 commits intoopenclaw:mainfrom
Conversation
openclaw-barnacle
bot
added
channel: feishu
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d5be2c0ade
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| const loaded = await getFeishuRuntime().media.loadWebMedia(mediaUrl, { | ||
| maxBytes: mediaMaxBytes, | ||
| optimizeImages: false, | ||
| localRoots: mediaLocalRoots?.length ? mediaLocalRoots : undefined, |
There was a problem hiding this comment.
The new forwarding logic converts an explicitly empty mediaLocalRoots array into undefined, which changes caller intent from “deny all local paths” to “use default roots.” In loadWebMedia, undefined triggers getDefaultLocalRoots() while [] would reject all local paths, so a caller that passes mediaLocalRoots: [] (for strict lockdown) will now unexpectedly allow reads under default directories. This should pass mediaLocalRoots through unchanged so empty arrays remain fail-closed.
Useful? React with 👍 / 👎.
Contributor
Greptile SummaryFixes #27884 by propagating Key changes:
The implementation is clean, well-tested, and consistent with security requirements. Confidence Score: 5/5
Last reviewed commit: d5be2c0 |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8554abf101
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| const loaded = await getFeishuRuntime().media.loadWebMedia(mediaUrl, { | ||
| maxBytes: mediaMaxBytes, | ||
| optimizeImages: false, | ||
| localRoots: mediaLocalRoots?.length ? mediaLocalRoots : undefined, |
There was a problem hiding this comment.
The new localRoots assignment treats an explicit empty allowlist as undefined (mediaLocalRoots?.length ? mediaLocalRoots : undefined), which changes behavior from “deny all local paths” to “use default roots.” In loadWebMedia/assertLocalMediaAllowed, undefined falls back to getDefaultLocalRoots() while [] would reject every local path, so callers that intentionally pass mediaLocalRoots: [] (fail-closed) now silently allow reads under default directories.
Useful? React with 👍 / 👎.
Takhoffman
force-pushed
the
fix/feishu-local-media-roots
branch
from
a6f64d5 to
ece162b
Compare
openclaw-barnacle
bot
added
size: XS
and removed
app: macos
Contributor
|
PR #27928 - fix(feishu): propagate mediaLocalRoots for local file sends (#27884) (#27928) Merged via squash.
Thanks @joelnishanth! |
This was referenced Feb 27, 2026
r4jiv007
pushed a commit
to r4jiv007/openclaw
that referenced
this pull request
Feb 28, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
xiexikang
pushed a commit
to C-clawd/cclawd
that referenced
this pull request
Feb 28, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
mylukin
pushed a commit
to mylukin/openclaw
that referenced
this pull request
Feb 28, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Feb 28, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Feb 28, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit 6a83767)
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Feb 28, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit 6a83767)
vincentkoc
pushed a commit
to Sid-Qin/openclaw
that referenced
this pull request
Feb 28, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
vincentkoc
pushed a commit
to rylena/rylen-openclaw
that referenced
this pull request
Feb 28, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
newtontech
pushed a commit
to newtontech/openclaw-fork
that referenced
this pull request
Feb 28, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Mar 1, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Mar 1, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
6 tasks
hughdidit
pushed a commit
to hughdidit/DAISy-Agency
that referenced
this pull request
Mar 1, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit ad804b0) # Conflicts: # CHANGELOG.md # extensions/feishu/src/media.test.ts # extensions/feishu/src/media.ts # extensions/feishu/src/outbound.ts
ansh
pushed a commit
to vibecode/openclaw
that referenced
this pull request
Mar 2, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
steipete
pushed a commit
to Sid-Qin/openclaw
that referenced
this pull request
Mar 2, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
safzanpirani
pushed a commit
to safzanpirani/clawdbot
that referenced
this pull request
Mar 2, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
steipete
pushed a commit
to Sid-Qin/openclaw
that referenced
this pull request
Mar 2, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
venjiang
pushed a commit
to venjiang/openclaw
that referenced
this pull request
Mar 2, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
robertchang-ga
pushed a commit
to robertchang-ga/openclaw
that referenced
this pull request
Mar 2, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
execute008
pushed a commit
to execute008/openclaw
that referenced
this pull request
Mar 2, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
hughdidit
pushed a commit
to hughdidit/DAISy-Agency
that referenced
this pull request
Mar 3, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit ad804b0) # Conflicts: # CHANGELOG.md # extensions/feishu/src/media.test.ts # extensions/feishu/src/media.ts # extensions/feishu/src/outbound.ts
dorgonman
pushed a commit
to kanohorizonia/openclaw
that referenced
this pull request
Mar 3, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
eminemead
pushed a commit
to eminemead/evi
that referenced
this pull request
Mar 3, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit ad804b0)
sachinkundu
pushed a commit
to sachinkundu/openclaw
that referenced
this pull request
Mar 6, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
zooqueen
pushed a commit
to hanzoai/bot
that referenced
this pull request
Mar 6, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 15, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit ad804b0)
alexey-pelykh
added a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 15, 2026
…#27884) (openclaw#27928) thanks @joelnishanth (#1449) Verified: - pnpm build - pnpm check - pnpm test:macmini (cherry picked from commit ad804b0) Co-authored-by: OfflynAI <[email protected]> Co-authored-by: Tak Hoffman <[email protected]>
eminemead
pushed a commit
to eminemead/evi
that referenced
this pull request
Mar 27, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit ad804b0)
eminemead
pushed a commit
to eminemead/evi
that referenced
this pull request
Mar 27, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit ad804b0)
eminemead
pushed a commit
to eminemead/evi
that referenced
this pull request
Mar 27, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit ad804b0)
eminemead
pushed a commit
to eminemead/evi
that referenced
this pull request
Mar 27, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit ad804b0)
eminemead
pushed a commit
to eminemead/evi
that referenced
this pull request
Mar 27, 2026
…#27884) (openclaw#27928) thanks @joelnishanth Verified: - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: joelnishanth <[email protected]> Co-authored-by: Tak Hoffman <[email protected]> (cherry picked from commit ad804b0)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #27884 -- Feishu extension cannot send local files after CVE-2026-26321 security patch.
Root cause: After CVE-2026-26321,
loadWebMediarequires explicitlocalRootsto allow reading local file paths. The Feishu outbound adapter was not propagatingmediaLocalRootsfrom theChannelOutboundContextthrough tosendMediaFeishu/loadWebMedia, so any local path was rejected with a path-not-allowed error.Fix: Thread
mediaLocalRootsfrom the outbound context throughfeishuOutbound.sendMediaintosendMediaFeishu, which passes it aslocalRootstoloadWebMedia. This matches the pattern already used by Telegram, Discord, Slack, Signal, iMessage, and WhatsApp adapters.Changes
extensions/feishu/src/media.ts-- addmediaLocalRootsparameter tosendMediaFeishu; pass it aslocalRootstoloadWebMediaextensions/feishu/src/outbound.ts-- destructuremediaLocalRootsfrom outbound context and forward tosendMediaFeishuextensions/feishu/src/media.test.ts-- add regression test assertingmediaLocalRootsflows through aslocalRootsTest plan
pnpm test extensions/feishu/src/media.test.ts)mediaLocalRootsis empty/undefined, falls back to default roots (fail-closed)