
fix(dataexchange): reject FILE frames with invalid UTF-8 filename (PILOT-277) #11

Open
matthew-pilot wants to merge 1 commit into main from openclaw/pilot-277-20260530-061231

Conversation

@matthew-pilot
Collaborator

What failed

ReadFrame in dataexchange.go:120 casts raw network bytes to string via name := string(payload[2:2+nameLen]) without UTF-8 validation. An attacker can send a FILE frame with invalid UTF-8 in the filename bytes. Downstream json.Marshal silently replaces invalid sequences with U+FFFD, creating a discrepancy between wire-observed and JSON-logged values exploitable as an audit-redaction escape (PILOT-284).

Why this fix

Added utf8.Valid(nameBytes) check before the string() cast. If validation fails, ReadFrame returns an error with a clear message. This rejects malformed input at the protocol boundary rather than allowing silent corruption.

Verification

  • go build ./...
  • go vet ./...
  • go test ./... ✓ (all tests pass, including new TestFrameFileInvalidUTF8)

Scope

  • dataexchange.go: +7/-1 lines (import + validation check, refactored name := string(...) into nameBytes variable)
  • zz_frame_test.go: +28 lines (new test with raw wire-format crafting)

Both files: 2 files, +34/-1 LoC. Small tier.

Closes PILOT-277 (dataexchange half)

…LOT-277)

ReadFrame now validates filename bytes with utf8.Valid() before casting to
string. Without this check, an attacker can send a FILE frame with invalid
UTF-8 in the filename field that survives transport unchanged but gets
silently mangled by downstream json.Marshal (replacing invalid sequences
with U+FFFD). This can be exploited to escape audit redaction — the
wire-observed bytes differ from the JSON-logged value.

Closes PILOT-277 (dataexchange half)
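The discrepancy described in the PR description and commit message, as an added example that is not code from this repository: a FILE-frame name containing a lone 0xFF byte passes an unchecked `string()` cast, but the JSON audit record of that same name carries U+FFFD instead, so a search of the log for the wire bytes finds nothing. The payload layout (a 2-byte big-endian name-length prefix, then the name, then the body) and the function names `FileNameUnchecked`, `FileNameChecked`, `LoggedName` and `buildFilePayload` are assumptions for this example; the page only shows that the name is read from `payload[2:2+nameLen]`.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"unicode/utf8"
)

// Assumed FILE-frame payload layout for this example (not the project's spec):
//   bytes 0..1 : big-endian uint16 name length
//   bytes 2..  : name bytes, followed by the file body
const nameLenSize = 2

var errBadUTF8 = errors.New("dataexchange: FILE frame filename is not valid UTF-8")

// buildFilePayload crafts a raw wire-format payload in the assumed layout.
func buildFilePayload(name, body []byte) []byte {
	if len(name) > 0xFFFF {
		panic("name too long for uint16 length prefix")
	}
	p := make([]byte, nameLenSize, nameLenSize+len(name)+len(body))
	binary.BigEndian.PutUint16(p, uint16(len(name)))
	p = append(p, name...)
	return append(p, body...)
}

// nameBytesOf slices out the raw name bytes with the bounds checks the cast needs.
func nameBytesOf(payload []byte) ([]byte, error) {
	if len(payload) < nameLenSize {
		return nil, errors.New("dataexchange: short FILE frame")
	}
	n := int(binary.BigEndian.Uint16(payload))
	if len(payload) < nameLenSize+n {
		return nil, errors.New("dataexchange: FILE frame name length exceeds payload")
	}
	return payload[nameLenSize : nameLenSize+n], nil
}

// FileNameUnchecked mirrors the pre-fix behaviour: raw bytes become a string
// with no UTF-8 validation, so invalid sequences survive the cast intact.
func FileNameUnchecked(payload []byte) (string, error) {
	nb, err := nameBytesOf(payload)
	if err != nil {
		return "", err
	}
	return string(nb), nil
}

// FileNameChecked is the hardened form: invalid UTF-8 is rejected at the
// protocol boundary instead of being passed downstream.
func FileNameChecked(payload []byte) (string, error) {
	nb, err := nameBytesOf(payload)
	if err != nil {
		return "", err
	}
	if !utf8.Valid(nb) {
		return "", errBadUTF8
	}
	return string(nb), nil
}

// auditRecord stands in for whatever a downstream logger marshals.
type auditRecord struct {
	Event string `json:"event"`
	Name  string `json:"name"`
}

// LoggedName round-trips a filename through json.Marshal/Unmarshal and returns
// what an auditor reading the JSON log would see. encoding/json coerces
// strings to valid UTF-8, replacing invalid bytes with U+FFFD.
func LoggedName(name string) (string, error) {
	out, err := json.Marshal(auditRecord{Event: "file", Name: name})
	if err != nil {
		return "", err
	}
	var back auditRecord
	if err := json.Unmarshal(out, &back); err != nil {
		return "", err
	}
	return back.Name, nil
}

func main() {
	// Constructed attacker input: "secret.key" with a lone 0xFF byte spliced in.
	wireName := []byte("sec\xffret.key")
	payload := buildFilePayload(wireName, []byte("contents"))

	raw, _ := FileNameUnchecked(payload)
	logged, _ := LoggedName(raw)
	fmt.Printf("wire bytes : % x\n", wireName)
	fmt.Printf("logged name: %q (valid UTF-8: %v)\n", logged, utf8.ValidString(logged))
	fmt.Println("logged == wire:", logged == string(wireName))

	_, err := FileNameChecked(payload)
	fmt.Println("hardened parser:", err)
}
```

The check belongs on the raw byte slice, before the cast: once the bytes are a `string`, every consumer that serializes, normalizes or compares it may silently produce a different value than the one that crossed the wire.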
@codecov

codecov Bot commented May 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@matthew-pilot
Collaborator Author

🦾 Matthew PR Status — #11

Title: fix(dataexchange): reject FILE frames with invalid UTF-8 filename (PILOT-277)
Status: OPEN | Mergeable: MERGEABLE
Author: @matthew-pilot (matthew-pilot bot)
Created: 2026-05-30T06:12:45Z
Branch: openclaw/pilot-277-20260530-061231 → main
Changes: +34/-1 across 2 files

Tickets

🔗 PILOT-277

Labels

None

Files Changed

  • dataexchange.go (+6/-1)
  • zz_frame_test.go (+28/-0)

Next Actions

  • Explain: /pr explain #11 — detailed analysis
  • Canary retry: /pr retry-canary #11 (if CI failed)
  • Fix & update: /pr fix #11 <instructions>
  • Rebase: /pr rebase #11
  • Close: /pr close #11 <reason>

🦾 Auto-generated status check by matthew-pr-worker

@matthew-pilot
Collaborator Author

🦾 Matthew PR Explain — #11

What this PR does

fix(dataexchange): reject FILE frames with invalid UTF-8 filename (PILOT-277)

Scope

  • Files: 2 files
  • Delta: +34/-1 lines
  • Labels: none
  • Mergeable: MERGEABLE

Tickets

🔗 PILOT-277

Files

  • dataexchange.go (+6/-1)
  • zz_frame_test.go (+28/-0)

Review Notes

  • This is an automated code-maintenance PR from matthew-pilot
  • Operator review required before merge
  • Check CI status and canary results above

🦾 Auto-generated explain by matthew-pr-worker

@matthew-pilot
Collaborator Author

🦾 Matthew PR Status — #11

Title: fix(dataexchange): reject FILE frames with invalid UTF-8 filename (PILOT-277)
Status: OPEN | Mergeable: MERGEABLE
Author: @matthew-pilot
Created: 2026-05-30T06:12:45Z
Branch: openclaw/pilot-277-20260530-061231 → main
Changes: +34/-1 across 2 files

Tickets

🔗 PILOT-277

Labels

None

Files Changed

  • dataexchange.go (+6/-1)
  • zz_frame_test.go (+28/-0)

Next Actions

  • Fix & update: /pr fix #11 <instructions>
  • Rebase: /pr rebase #11
  • Close: /pr close #11 <reason>

🦾 Auto-generated status check by matthew-pr-worker

@matthew-pilot
Collaborator Author

🦾 Matthew PR Explain — #11

What this PR does

fix(dataexchange): reject FILE frames with invalid UTF-8 filename (PILOT-277)

Scope

  • Files: 2 files
  • Delta: +34/-1 lines
  • Labels: none
  • Mergeable: MERGEABLE
  • CI: ✅ All CI green

Tickets

🔗 PILOT-277

Files

  • dataexchange.go (+6/-1)
  • zz_frame_test.go (+28/-0)

Review Notes

  • This is an automated code-maintenance PR from matthew-pilot
  • Operator review required before merge
  • Check CI status results above

🦾 Auto-generated explain by matthew-pr-worker
