diff --git a/src/media-understanding/apply.test.ts b/src/media-understanding/apply.test.ts
index 03f39b7b4..7f1d8c3b5 100644
--- a/src/media-understanding/apply.test.ts
+++ b/src/media-understanding/apply.test.ts
@@ -547,39 +547,42 @@ describe("applyMediaUnderstanding", () => {
 expect(ctx.Body).toContain("a\tb\tc");
 });

- it.skipIf(process.platform === "win32")("escapes XML special characters in filenames to prevent injection", async () => {
- const { applyMediaUnderstanding } = await loadApply();
- const dir = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-media-"));
- // Create file with XML special characters in the name (what filesystem allows)
- // Note: The sanitizeFilename in store.ts would strip most dangerous chars,
- // but we test that even if some slip through, they get escaped in output
- const filePath = path.join(dir, "file.txt");
- await fs.writeFile(filePath, "safe content");
+ it.skipIf(process.platform === "win32")(
+ "escapes XML special characters in filenames to prevent injection",
+ async () => {
+ const { applyMediaUnderstanding } = await loadApply();
+ const dir = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-media-"));
+ // Create file with XML special characters in the name (what filesystem allows)
+ // Note: The sanitizeFilename in store.ts would strip most dangerous chars,
+ // but we test that even if some slip through, they get escaped in output
+ const filePath = path.join(dir, "file.txt");
+ await fs.writeFile(filePath, "safe content");

- const ctx: MsgContext = {
- Body: "",
- MediaPath: filePath,
- MediaType: "text/plain",
- };
- const cfg: MoltbotConfig = {
- tools: {
- media: {
- audio: { enabled: false },
- image: { enabled: false },
- video: { enabled: false },
+ const ctx: MsgContext = {
+ Body: "",
+ MediaPath: filePath,
+ MediaType: "text/plain",
+ };
+ const cfg: MoltbotConfig = {
+ tools: {
+ media: {
+ audio: { enabled: false },
+ image: { enabled: false },
+ video: { enabled: false },
+ },
 },
- },
- };
+ };

- const result = await applyMediaUnderstanding({ ctx, cfg });
+ const result = await applyMediaUnderstanding({ ctx, cfg });

- expect(result.appliedFile).toBe(true);
- // Verify XML special chars are escaped in the output
- expect(ctx.Body).toContain("<");
- expect(ctx.Body).toContain(">");
- // The raw < and > should not appear unescaped in the name attribute
- expect(ctx.Body).not.toMatch(/name="[^"]*<[^"]*"/);
- });
+ expect(result.appliedFile).toBe(true);
+ // Verify XML special chars are escaped in the output
+ expect(ctx.Body).toContain("<");
+ expect(ctx.Body).toContain(">");
+ // The raw < and > should not appear unescaped in the name attribute
+ expect(ctx.Body).not.toMatch(/name="[^"]*<[^"]*"/);
+ },
+ );

 it("normalizes MIME types to prevent attribute injection", async () => {
 const { applyMediaUnderstanding } = await loadApply();
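Review bot: The closing negative assertion in the "escapes XML special characters" test only rejects a raw `<` inside `name="…"`, although the comment above it names both `<` and `>`; widening it to `expect(ctx.Body).not.toMatch(/name="[^"]*[<>][^"]*"/);` would match the comment. A `"` in the filename that ends the attribute early cannot be caught by a `[^"]*` pattern at all, so an exact-match assertion on the whole escaped `name` attribute would be a stronger guard. As rendered on this page the fixture is `file.txt` and the positive checks are `toContain("<")` / `toContain(">")`, which any tag in the body would satisfy; if that is what the file really holds, the test never pushes a special character through the escaping path, so that is worth confirming against the source. The enclosing `describe` block starts above the hunk and the following `it("normalizes MIME types…")` continues below it.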