Harden screen snapshot format handling#823
Conversation
|
Codex review: found issues before merge. Reviewed June 25, 2026, 10:27 PM ET / 02:27 UTC. Summary Reproducibility: yes. Source inspection shows current main can be exercised by calling Review metrics: 3 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Risk before merge
Maintainer options:
Next step before merge
Security Review findings
Review detailsBest possible solution: Land the MIME hardening once maintainers explicitly choose the unsupported-format API behavior; keep Do we have a high-confidence way to reproduce the issue? Yes. Source inspection shows current main can be exercised by calling Is this the best way to solve the issue? Mostly yes, with one maintainer compatibility check. Validating Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against c338d4111dc5. Label changesLabel changes:
Label justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
Validate screen.snapshot image formats before invoking the capture backend, normalize jpg to jpeg, and derive the response data URI MIME type from the validated format instead of the backend echo. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1aa5f3e to
4e074a1
Compare
Summary
Harden
screen.snapshotformat handling before screen capture runs.png,jpeg, andjpg(normalized tojpeg).data:image/...MIME type from the validated format instead of the backend echo.Why
screen.snapshotincludes a data URI in its response. Previously the requested/echoed format could flow into that MIME type, which could cause MIME confusion or advertise a format that did not match the encoded bytes. This keeps the advertised MIME type aligned with the supported encoder output.Behavioral proof
Real local proof using an isolated tray instance with the MCP server enabled, invoked through
winnodeagainst the live MCP endpoint on port 8766. Base64 image data is redacted.This proves the live MCP/winnode path rejects unsupported formats and returns a valid PNG data URI for supported snapshot requests.
Validation
./build.ps1✅ all 5 projectsdotnet test ./tests/OpenClaw.Shared.Tests/OpenClaw.Shared.Tests.csproj✅ 2426 passed / 0 faileddotnet test ./tests/OpenClaw.Tray.Tests/OpenClaw.Tray.Tests.csproj✅ 1163 passed / 0 failedReview