From bfdb61b33a0f4050b4becf2515333cf51c5a65aa Mon Sep 17 00:00:00 2001
From: masonxhuang
Date: Fri, 3 Apr 2026 23:17:41 +0800
Subject: [PATCH] fix: trim wrapped file input text

---
 CHANGELOG.md | 1 +
 src/gateway/openresponses-http.ts | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e930493348..d821680ec5f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -122,6 +122,7 @@ Docs: https://docs.openclaw.ai
 - Cron: suppress exact `NO_REPLY` sentinel direct-delivery payloads, keep silent direct replies from falling back into duplicate main-summary sends, and treat structured `deleteAfterRun` silent replies the same as text silent replies. (#45737) Thanks @openperf.
 - Cron: keep exact silent-token detection case-insensitive again so mixed-case `NO_REPLY` outputs still stay silent in text and direct delivery paths. Thanks @obviyus.
 - Core/approvals: share approval-not-found fallback classification through the narrow `plugin-sdk/error-runtime` seam so core `/approve` and Telegram stay aligned without widening `plugin-sdk/infra-runtime`. (#60932) Thanks @gumadeiras.
+- Gateway/file handling: wrap extracted uploaded text and text-like attachment content as untrusted external content before forwarding it to models, reducing prompt-injection risk from user-supplied files. (#60277) Thanks @hxy91819.
 
 ## 2026.4.2
 
diff --git a/src/gateway/openresponses-http.ts b/src/gateway/openresponses-http.ts
index 7875f0f92e1..fd58b92c481 100644
--- a/src/gateway/openresponses-http.ts
+++ b/src/gateway/openresponses-http.ts
@@ -602,11 +602,12 @@ export async function handleOpenResponsesHttpRequest(
 },
 limits: limits.files,
 });
- if (file.text?.trim()) {
+ const text = file.text?.trim();
+ if (text) {
 fileContexts.push(
 renderFileContextBlock({
 filename: file.filename,
- content: wrapUntrustedFileContent(file.text),
+ content: wrapUntrustedFileContent(text),
 }),
 );
 } else if (file.images && file.images.length > 0) {
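Review bot: The new `const text = file.text?.trim();` deserves a one-line comment saying why the trimmed value is now the one forwarded, since the previous version trimmed only for the emptiness check and still passed the raw `file.text` into the wrapper; something like `// Trim once so the emptiness check and the wrapped content agree.` directly above that line. It is also worth stating in that comment that `text` remains untrusted user-supplied content after trimming, so the normalization must stay limited to surrounding whitespace and nothing more should be done to the value before it reaches `wrapUntrustedFileContent`. `handleOpenResponsesHttpRequest` begins and ends outside the hunk, so the origin and validation of `file.text` cannot be checked here.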