feat: process Slack image attachments with security hardening#31
Open
electronicBlacksmith wants to merge 4 commits intoghostwright:mainfrom
Open
feat: process Slack image attachments with security hardening#31electronicBlacksmith wants to merge 4 commits intoghostwright:mainfrom
electronicBlacksmith wants to merge 4 commits intoghostwright:mainfrom
Conversation
Messages with file attachments (subtype: file_share) were silently dropped by the blanket subtype filter. This downloads attached images to data/uploads/ and appends file paths to the prompt so the agent can read them via its Read tool. Also adds files:read to the Slack app manifest.
The downloadSlackFiles() function used unsanitized Slack filenames directly in join(), allowing crafted names with ../ to write outside the uploads directory. Also, url_private was fetched without hostname validation, enabling SSRF via crafted file records. Fixes: - Extract file handling into slack-files.ts with sanitizeFilename() that strips directory components and null bytes, plus defense-in-depth resolve().startsWith() check (matching isPathSafe in ui/serve.ts) - Add SSRF host allowlist restricting downloads to files.slack.com and files-pri.slack.com - Add Zod schema validation for Slack file records (external input) - Store botToken as private field instead of fragile double-cast through this.app.client 30 new tests covering sanitization, Zod rejection paths, SSRF blocking, download failures, and cleanup lifecycle.
When users attach non-image files (PDF, CSV, etc.) to Slack messages, the files were silently dropped with no indication. Users had no way to know their attachment was ignored. - Add SkippedFileInfo type with structured reasons (unsupported_type, too_large, download_failed) and optional mimetype - Widen InboundAttachment to discriminated union (image | document) for future file type support - Wire skippedFiles through both app_mention and DM event handlers - Append skipped file context to agent prompt so it can naturally inform the user about unsupported attachments - Update slack.test.ts to verify skippedFiles on skip and failure
Bun's mock.module replaces modules process-wide, causing other test files (config, evolution, roles) to lose real fs functions like writeFileSync and mkdirSync. This caused 114 test failures in CI. Replace node:fs mocking with real temp directories for cleanup tests and remove fs-dependent integration tests that are now covered by the unit tests in slack-files.test.ts.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Slack messages with file attachments (subtype:
file_share) were silently dropped by the blanket subtype filter. This PR adds image attachment processing with security hardening and user feedback for unsupported file types.Image attachment processing
data/uploads/and append file paths to the agent prompt so it can read them via its Read toolfiles:readOAuth scope to the Slack app manifestapp_mentionevents with file attachments[User sent attached files]fallbackSecurity hardening
sanitizeFilename()strips directory components (../,..\\) and null bytes from Slack filenames, with defense-in-depthresolve().startsWith()check matching the pattern inui/serve.ts:isPathSafefiles.slack.comandfiles-pri.slack.comhostnames only, blocking craftedurl_privatevalues targeting internal endpointsSlackFileSchemabefore processing, rejecting malformed external input at the boundary(this.app.client as unknown as Record<string, unknown>).tokendouble-castUser feedback for unsupported files
SkippedFileInfotype with structured reasons (unsupported_type,too_large,download_failed) surfaced in the agent prompt so it can naturally inform users when their PDF, CSV, or other non-image attachment was skippedInboundAttachmentwidened to discriminated union (image | document) for future file type supportCode extraction
slack.tsintoslack-files.ts(132 lines) as standalone functions, matching the existingslack-formatter.tsandslack-actions.tspatternsTest plan
slack-files.test.ts)tsc --noEmit)biome check)../../../etc/passwd, backslash traversal, null bytes, empty string all sanitized169.254.169.254), localhost, and arbitrary hosts blocked;files.slack.comandfiles-pri.slack.comallowedunsupported_type, oversized returnstoo_large, HTTP failure returnsdownload_failed, mixed batch handled correctly