security(web): sanitize WhatsApp accountId to prevent path traversal

Apply normalizeAccountId() from routing/session-key to resolveDefaultAuthDir() so that malicious config values like "../../../etc" cannot escape the intended auth directory. Fixes #2692
2026-01-30 12:40:55 +01:00 · 2026-01-30 12:40:55 +01:00 · 8090328146
commit 8090328146
parent fa9ec6e854
2 changed files with 48 additions and 2 deletions
--- a/src/web/accounts.test.ts
+++ b/src/web/accounts.test.ts
@ -0,0 +1,46 @@
+import path from "node:path";
+
+import { describe, expect, it } from "vitest";
+
+import { resolveWhatsAppAuthDir } from "./accounts.js";
+
+describe("resolveWhatsAppAuthDir", () => {
+  const stubCfg = { channels: { whatsapp: { accounts: {} } } } as Parameters<
+    typeof resolveWhatsAppAuthDir
+  >[0]["cfg"];
+
+  it("sanitizes path traversal sequences in accountId", () => {
+    const { authDir } = resolveWhatsAppAuthDir({
+      cfg: stubCfg,
+      accountId: "../../../etc/passwd",
+    });
+    // Sanitized accountId must not escape the whatsapp auth directory.
+    expect(authDir).not.toContain("..");
+    expect(path.basename(authDir)).not.toContain("/");
+  });
+
+  it("sanitizes special characters in accountId", () => {
+    const { authDir } = resolveWhatsAppAuthDir({
+      cfg: stubCfg,
+      accountId: "foo/bar\\baz",
+    });
+    expect(authDir).not.toContain("foo/bar");
+    expect(authDir).not.toContain("\\");
+  });
+
+  it("returns default directory for empty accountId", () => {
+    const { authDir } = resolveWhatsAppAuthDir({
+      cfg: stubCfg,
+      accountId: "",
+    });
+    expect(authDir).toMatch(/whatsapp[/\\]default$/);
+  });
+
+  it("preserves valid accountId unchanged", () => {
+    const { authDir } = resolveWhatsAppAuthDir({
+      cfg: stubCfg,
+      accountId: "my-account-1",
+    });
+    expect(authDir).toMatch(/whatsapp[/\\]my-account-1$/);
+  });
+});
--- a/src/web/accounts.ts
+++ b/src/web/accounts.ts
@ -4,7 +4,7 @@ import path from "node:path";
 import type { OpenClawConfig } from "../config/config.js";
 import { resolveOAuthDir } from "../config/paths.js";
 import type { DmPolicy, GroupPolicy, WhatsAppAccountConfig } from "../config/types.js";
-import { DEFAULT_ACCOUNT_ID } from "../routing/session-key.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
 import { resolveUserPath } from "../utils.js";
 import { hasWebCredsSync } from "./auth-store.js";

@ -86,7 +86,7 @@ function resolveAccountConfig(
 }

 function resolveDefaultAuthDir(accountId: string): string {
-  return path.join(resolveOAuthDir(), "whatsapp", accountId);
+  return path.join(resolveOAuthDir(), "whatsapp", normalizeAccountId(accountId));
 }

 function resolveLegacyAuthDir(): string {