fix: include image param in sandbox media normalization [AI-assisted] (#64377)

* fix: address issue * chore(changelog): add Discord event image sandbox entry --------- Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-20 21:51:28 +00:00 · 2026-04-10 13:01:04 -04:00
parent 56d3f97e23
commit 979c6f09d6
3 changed files with 32 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -122,6 +122,7 @@ Docs: https://docs.openclaw.ai
 - Cron/isolated agent: run scheduled agent turns as non-owner senders so owner-only tools stay unavailable during cron execution. (#63878)
 - Voice Call/realtime: reject oversized realtime WebSocket frames before bridge setup so large pre-start payloads cannot crash the gateway. (#63890) Thanks @mmaps.

+- Discord/sandbox: include `image` in sandbox media param normalization so Discord event cover images cannot bypass sandbox path rewriting. (#64377) Thanks @mmaps.
 ## 2026.4.9

 ### Changes
--- a/src/infra/outbound/message-action-params.test.ts
+++ b/src/infra/outbound/message-action-params.test.ts
@@ -81,6 +81,29 @@ describe("message action media helpers", () => {
    }
  });

+  maybeIt("normalizes Discord event image sandbox media params", async () => {
+    const sandboxRoot = await fs.mkdtemp(path.join(os.tmpdir(), "msg-params-image-"));
+    try {
+      const args: Record<string, unknown> = {
+        image: " file:///workspace/assets/event-cover.png ",
+      };
+
+      await normalizeSandboxMediaParams({
+        args,
+        mediaPolicy: {
+          mode: "sandbox",
+          sandboxRoot: ` ${sandboxRoot} `,
+        },
+      });
+
+      expect(args).toMatchObject({
+        image: path.join(sandboxRoot, "assets", "event-cover.png"),
+      });
+    } finally {
+      await fs.rm(sandboxRoot, { recursive: true, force: true });
+    }
+  });
+
  maybeIt(
    "keeps remote HTTP mediaUrl and fileUrl aliases unchanged under sandbox normalization",
    async () => {
--- a/src/infra/outbound/message-action-params.ts
+++ b/src/infra/outbound/message-action-params.ts
@@ -16,7 +16,14 @@ import { readBooleanParam as readBooleanParamShared } from "../../plugin-sdk/boo

 export const readBooleanParam = readBooleanParamShared;

-const SANDBOX_MEDIA_PARAM_KEYS = ["media", "path", "filePath", "mediaUrl", "fileUrl"] as const;
+const SANDBOX_MEDIA_PARAM_KEYS = [
+  "media",
+  "path",
+  "filePath",
+  "mediaUrl",
+  "fileUrl",
+  "image",
+] as const;

 function readMediaParam(
  args: Record<string, unknown>,