@openclaw/feishu 2026.3.13 → 2026.5.1-beta.1

package/src/docx.test.ts

@@ -1,40 +1,67 @@
-import { promises as fs } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
+import path from "node:path";
 import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createToolFactoryHarness, type ToolLike } from "./tool-factory-test-harness.js";
 
 const createFeishuClientMock = vi.hoisted(() => vi.fn());
+const resolveFeishuToolAccountMock = vi.hoisted(() => vi.fn());
 const fetchRemoteMediaMock = vi.hoisted(() => vi.fn());
-
-vi.mock("./client.js", () => ({
-  createFeishuClient: createFeishuClientMock,
-}));
-
-vi.mock("./runtime.js", () => ({
-  getFeishuRuntime: () => ({
-    channel: {
+const loadWebMediaMock = vi.hoisted(() => vi.fn());
+const convertMock = vi.hoisted(() => vi.fn());
+const documentCreateMock = vi.hoisted(() => vi.fn());
+const blockListMock = vi.hoisted(() => vi.fn());
+const blockChildrenCreateMock = vi.hoisted(() => vi.fn());
+const blockChildrenGetMock = vi.hoisted(() => vi.fn());
+const blockChildrenBatchDeleteMock = vi.hoisted(() => vi.fn());
+const blockDescendantCreateMock = vi.hoisted(() => vi.fn());
+const driveUploadAllMock = vi.hoisted(() => vi.fn());
+const permissionMemberCreateMock = vi.hoisted(() => vi.fn());
+const blockPatchMock = vi.hoisted(() => vi.fn());
+const scopeListMock = vi.hoisted(() => vi.fn());
+const toolAccountModule = await import("./tool-account.js");
+const runtimeModule = await import("./runtime.js");
+
+vi.spyOn(toolAccountModule, "createFeishuToolClient").mockImplementation(() =>
+  createFeishuClientMock(),
+);
+vi.spyOn(toolAccountModule, "resolveAnyEnabledFeishuToolsConfig").mockReturnValue({
+  doc: true,
+  chat: false,
+  wiki: false,
+  drive: false,
+  perm: false,
+  scopes: false,
+});
+vi.spyOn(toolAccountModule, "resolveFeishuToolAccount").mockImplementation((...args) =>
+  resolveFeishuToolAccountMock(...args),
+);
+vi.spyOn(runtimeModule, "getFeishuRuntime").mockImplementation(
+  () =>
+    ({
+      channel: {
+        media: {
+          fetchRemoteMedia: fetchRemoteMediaMock,
+          saveMediaBuffer: vi.fn(),
+        },
+      },
       media: {
-        fetchRemoteMedia: fetchRemoteMediaMock,
+        loadWebMedia: loadWebMediaMock,
+        detectMime: vi.fn(async () => "application/octet-stream"),
+        mediaKindFromMime: vi.fn(() => "image"),
+        isVoiceCompatibleAudio: vi.fn(() => false),
+        getImageMetadata: vi.fn(async () => null),
+        resizeToJpeg: vi.fn(async () => Buffer.alloc(0)),
       },
-    },
-  }),
-}));
+    }) as unknown as ReturnType<typeof runtimeModule.getFeishuRuntime>,
+);
 
-import { registerFeishuDocTools } from "./docx.js";
+const { registerFeishuDocTools } = await import("./docx.js");
 
-describe("feishu_doc image fetch hardening", () => {
-  const convertMock = vi.hoisted(() => vi.fn());
-  const documentCreateMock = vi.hoisted(() => vi.fn());
-  const blockListMock = vi.hoisted(() => vi.fn());
-  const blockChildrenCreateMock = vi.hoisted(() => vi.fn());
-  const blockChildrenGetMock = vi.hoisted(() => vi.fn());
-  const blockChildrenBatchDeleteMock = vi.hoisted(() => vi.fn());
-  const blockDescendantCreateMock = vi.hoisted(() => vi.fn());
-  const driveUploadAllMock = vi.hoisted(() => vi.fn());
-  const permissionMemberCreateMock = vi.hoisted(() => vi.fn());
-  const blockPatchMock = vi.hoisted(() => vi.fn());
-  const scopeListMock = vi.hoisted(() => vi.fn());
+type ToolResultWithDetails = {
+  details: Record<string, unknown>;
+};
 
+describe("feishu_doc image fetch hardening", () => {
   beforeEach(() => {
     vi.clearAllMocks();
 
@@ -71,6 +98,9 @@ describe("feishu_doc image fetch hardening", () => {
         },
       },
     });
+    resolveFeishuToolAccountMock.mockReturnValue({
+      config: { mediaMaxMb: 30 },
+    });
 
     convertMock.mockResolvedValue({
       code: 0,
@@ -115,26 +145,26 @@ describe("feishu_doc image fetch hardening", () => {
   });
 
   function resolveFeishuDocTool(context: Record<string, unknown> = {}) {
-    const registerTool = vi.fn();
-    registerFeishuDocTools({
-      config: {
-        channels: {
-          feishu: {
-            appId: "app_id",
-            appSecret: "app_secret",
-          },
+    const harness = createToolFactoryHarness({
+      channels: {
+        feishu: {
+          enabled: true,
+          appId: "app_id",
+          appSecret: "app_secret",
         },
-      } as any,
-      logger: { debug: vi.fn(), info: vi.fn() } as any,
-      registerTool,
-    } as any);
-
-    const tool = registerTool.mock.calls
-      .map((call) => call[0])
-      .map((candidate) => (typeof candidate === "function" ? candidate(context) : candidate))
-      .find((candidate) => candidate.name === "feishu_doc");
+      },
+    });
+    registerFeishuDocTools(harness.api);
+    const tool = harness.resolveTool("feishu_doc", context);
     expect(tool).toBeDefined();
-    return tool as { execute: (callId: string, params: Record<string, unknown>) => Promise<any> };
+    return tool;
+  }
+
+  async function executeFeishuDocTool(
+    tool: ToolLike,
+    params: Record<string, unknown>,
+  ): Promise<ToolResultWithDetails> {
+    return (await tool.execute("tool-call", params)) as ToolResultWithDetails;
   }
 
   it("inserts blocks sequentially to preserve document order", async () => {
@@ -160,7 +190,7 @@ describe("feishu_doc image fetch hardening", () => {
 
     const feishuDocTool = resolveFeishuDocTool();
 
-    const result = await feishuDocTool.execute("tool-call", {
+    const result = await executeFeishuDocTool(feishuDocTool, {
       action: "append",
       doc_token: "doc_1",
       content: "plain text body",
@@ -175,6 +205,50 @@ describe("feishu_doc image fetch hardening", () => {
     expect(result.details.blocks_added).toBe(3);
   });
 
+  it("reorders convert output by document tree instead of raw block array order", async () => {
+    const blocks = [
+      { block_type: 13, block_id: "li2", parent_id: "list1" },
+      { block_type: 4, block_id: "h2" },
+      { block_type: 13, block_id: "li1", parent_id: "list1" },
+      { block_type: 3, block_id: "h1" },
+      { block_type: 12, block_id: "list1", children: ["li1", "li2"] },
+      { block_type: 2, block_id: "p1" },
+    ];
+    convertMock.mockResolvedValue({
+      code: 0,
+      data: {
+        blocks,
+        first_level_block_ids: ["h1", "p1", "h2", "list1"],
+      },
+    });
+
+    blockDescendantCreateMock.mockImplementationOnce(async ({ data }) => ({
+      code: 0,
+      data: {
+        children: (data.children_id as string[]).map((id) => ({ block_id: id })),
+      },
+    }));
+
+    const feishuDocTool = resolveFeishuDocTool();
+
+    await feishuDocTool.execute("tool-call", {
+      action: "append",
+      doc_token: "doc_1",
+      content: "tree reorder",
+    });
+
+    const call = blockDescendantCreateMock.mock.calls[0]?.[0];
+    expect(call?.data.children_id).toEqual(["h1", "p1", "h2", "list1"]);
+    expect((call?.data.descendants as Array<{ block_id: string }>).map((b) => b.block_id)).toEqual([
+      "h1",
+      "p1",
+      "h2",
+      "list1",
+      "li1",
+      "li2",
+    ]);
+  });
+
   it("falls back to size-based convert chunking for long no-heading markdown", async () => {
     let successChunkCount = 0;
     convertMock.mockImplementation(async ({ data }) => {
@@ -209,7 +283,7 @@ describe("feishu_doc image fetch hardening", () => {
       (_, i) => `line ${i} with enough content to trigger fallback chunking`,
     ).join("\n");
 
-    const result = await feishuDocTool.execute("tool-call", {
+    const result = await executeFeishuDocTool(feishuDocTool, {
       action: "append",
       doc_token: "doc_1",
       content: longMarkdown,
@@ -263,7 +337,7 @@ describe("feishu_doc image fetch hardening", () => {
       "Tail paragraph three with enough text to exceed API limits when combined. ".repeat(8),
     ].join("\n");
 
-    const result = await feishuDocTool.execute("tool-call", {
+    const result = await executeFeishuDocTool(feishuDocTool, {
       action: "append",
       doc_token: "doc_1",
       content: fencedMarkdown,
@@ -286,7 +360,7 @@ describe("feishu_doc image fetch hardening", () => {
 
     const feishuDocTool = resolveFeishuDocTool();
 
-    const result = await feishuDocTool.execute("tool-call", {
+    const result = await executeFeishuDocTool(feishuDocTool, {
       action: "write",
       doc_token: "doc_1",
       content: "![x](https://x.test/image.png)",
@@ -306,7 +380,7 @@ describe("feishu_doc image fetch hardening", () => {
       requesterSenderId: "ou_123",
     });
 
-    const result = await feishuDocTool.execute("tool-call", {
+    const result = await executeFeishuDocTool(feishuDocTool, {
       action: "create",
       title: "Demo",
     });
@@ -331,7 +405,7 @@ describe("feishu_doc image fetch hardening", () => {
       messageChannel: "feishu",
     });
 
-    const result = await feishuDocTool.execute("tool-call", {
+    const result = await executeFeishuDocTool(feishuDocTool, {
       action: "create",
       title: "Demo",
     });
@@ -347,7 +421,7 @@ describe("feishu_doc image fetch hardening", () => {
       requesterSenderId: "ou_123",
     });
 
-    const result = await feishuDocTool.execute("tool-call", {
+    const result = await executeFeishuDocTool(feishuDocTool, {
       action: "create",
       title: "Demo",
       grant_to_requester: false,
@@ -365,7 +439,7 @@ describe("feishu_doc image fetch hardening", () => {
 
     const feishuDocTool = resolveFeishuDocTool();
 
-    const result = await feishuDocTool.execute("tool-call", {
+    const result = await executeFeishuDocTool(feishuDocTool, {
       action: "create",
       title: "Demo",
     });
@@ -381,15 +455,17 @@ describe("feishu_doc image fetch hardening", () => {
       },
     });
 
-    const localPath = join(tmpdir(), `feishu-docx-upload-${Date.now()}.txt`);
-    await fs.writeFile(localPath, "hello from local file", "utf8");
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("hello from local file", "utf8"),
+      fileName: "test-local.txt",
+    });
 
     const feishuDocTool = resolveFeishuDocTool();
 
-    const result = await feishuDocTool.execute("tool-call", {
+    const result = await executeFeishuDocTool(feishuDocTool, {
       action: "upload_file",
       doc_token: "doc_1",
-      file_path: localPath,
+      file_path: "/tmp/allowed/test-local.txt",
       filename: "test-local.txt",
     });
 
@@ -397,6 +473,13 @@ describe("feishu_doc image fetch hardening", () => {
     expect(result.details.file_token).toBe("token_1");
     expect(result.details.file_name).toBe("test-local.txt");
 
+    // Without workspace-only policy, localRoots stays undefined so loadWebMedia
+    // applies its default managed-root access behavior.
+    expect(loadWebMediaMock).toHaveBeenCalledWith(
+      expect.stringContaining("test-local.txt"),
+      expect.objectContaining({ optimizeImages: false, localRoots: undefined }),
+    );
+
     expect(driveUploadAllMock).toHaveBeenCalledWith(
       expect.objectContaining({
         data: expect.objectContaining({
@@ -406,8 +489,124 @@ describe("feishu_doc image fetch hardening", () => {
         }),
       }),
     );
+  });
+
+  it("passes workspace localRoots for upload_file when workspace-only policy is active", async () => {
+    blockChildrenCreateMock.mockResolvedValueOnce({
+      code: 0,
+      data: {
+        children: [{ block_type: 23, block_id: "file_block_1" }],
+      },
+    });
+
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("hello from local file", "utf8"),
+      fileName: "test-local.txt",
+    });
+
+    const feishuDocTool = resolveFeishuDocTool({
+      workspaceDir: "/workspace",
+      fsPolicy: { workspaceOnly: true },
+    });
+
+    await executeFeishuDocTool(feishuDocTool, {
+      action: "upload_file",
+      doc_token: "doc_1",
+      file_path: "/tmp/openclaw-1000/test-local.txt",
+      filename: "test-local.txt",
+    });
+
+    expect(loadWebMediaMock).toHaveBeenCalledWith(
+      expect.stringContaining("test-local.txt"),
+      expect.objectContaining({ optimizeImages: false, localRoots: ["/workspace"] }),
+    );
+  });
+
+  it("passes empty localRoots when workspace-only policy is active without workspaceDir", async () => {
+    blockChildrenCreateMock.mockResolvedValueOnce({
+      code: 0,
+      data: {
+        children: [{ block_type: 23, block_id: "file_block_1" }],
+      },
+    });
+
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("hello from local file", "utf8"),
+      fileName: "test-local.txt",
+    });
+
+    const feishuDocTool = resolveFeishuDocTool({
+      fsPolicy: { workspaceOnly: true },
+    });
+
+    await executeFeishuDocTool(feishuDocTool, {
+      action: "upload_file",
+      doc_token: "doc_1",
+      file_path: "/tmp/openclaw-1000/test-local.txt",
+      filename: "test-local.txt",
+    });
+
+    expect(loadWebMediaMock).toHaveBeenCalledWith(
+      expect.stringContaining("test-local.txt"),
+      expect.objectContaining({ optimizeImages: false, localRoots: [] }),
+    );
+  });
+
+  it("passes workspace localRoots for upload_image local paths when workspace-only policy is active", async () => {
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("hello from local file", "utf8"),
+      fileName: "test-local.png",
+    });
+
+    const feishuDocTool = resolveFeishuDocTool({
+      workspaceDir: "/workspace",
+      fsPolicy: { workspaceOnly: true },
+    });
+
+    await executeFeishuDocTool(feishuDocTool, {
+      action: "upload_image",
+      doc_token: "doc_1",
+      image: "./test-local.png",
+      filename: "test-local.png",
+    });
+
+    expect(loadWebMediaMock).toHaveBeenCalledWith(
+      expect.stringContaining("test-local.png"),
+      expect.objectContaining({ optimizeImages: false, localRoots: ["/workspace"] }),
+    );
+  });
+
+  it("passes workspace localRoots for upload_image absolute local paths when workspace-only policy is active", async () => {
+    const fixtureDir = path.join(process.cwd(), ".tmp-docx-upload-image-absolute");
+    const absoluteImagePath = path.join(fixtureDir, "absolute-image.png");
+    mkdirSync(fixtureDir, { recursive: true });
+    writeFileSync(absoluteImagePath, "not-real-image");
+
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("hello from local file", "utf8"),
+      fileName: "absolute-image.png",
+    });
+
+    const feishuDocTool = resolveFeishuDocTool({
+      workspaceDir: "/workspace",
+      fsPolicy: { workspaceOnly: true },
+    });
+
+    try {
+      await executeFeishuDocTool(feishuDocTool, {
+        action: "upload_image",
+        doc_token: "doc_1",
+        image: absoluteImagePath,
+        filename: "absolute-image.png",
+      });
 
-    await fs.unlink(localPath);
+      expect(loadWebMediaMock).toHaveBeenCalledWith(
+        expect.stringContaining("absolute-image.png"),
+        expect.objectContaining({ optimizeImages: false, localRoots: ["/workspace"] }),
+      );
+    } finally {
+      rmSync(fixtureDir, { recursive: true, force: true });
+    }
   });
 
   it("returns an error when upload_file cannot list placeholder siblings", async () => {
@@ -423,23 +622,64 @@ describe("feishu_doc image fetch hardening", () => {
       data: { items: [] },
     });
 
-    const localPath = join(tmpdir(), `feishu-docx-upload-fail-${Date.now()}.txt`);
-    await fs.writeFile(localPath, "hello from local file", "utf8");
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("hello from local file", "utf8"),
+      fileName: "test-local.txt",
+    });
 
-    try {
-      const feishuDocTool = resolveFeishuDocTool();
+    const feishuDocTool = resolveFeishuDocTool();
 
-      const result = await feishuDocTool.execute("tool-call", {
-        action: "upload_file",
-        doc_token: "doc_1",
-        file_path: localPath,
-        filename: "test-local.txt",
-      });
+    const result = await executeFeishuDocTool(feishuDocTool, {
+      action: "upload_file",
+      doc_token: "doc_1",
+      file_path: "/tmp/allowed/test-local.txt",
+      filename: "test-local.txt",
+    });
 
-      expect(result.details.error).toBe("list failed");
-      expect(driveUploadAllMock).not.toHaveBeenCalled();
-    } finally {
-      await fs.unlink(localPath);
-    }
+    expect(result.details.error).toBe("list failed");
+    expect(driveUploadAllMock).not.toHaveBeenCalled();
+  });
+
+  it("rejects traversal paths in upload_file via loadWebMedia sandbox", async () => {
+    loadWebMediaMock.mockRejectedValueOnce(
+      new Error("Local media path is not under an allowed directory: /etc/passwd"),
+    );
+
+    const feishuDocTool = resolveFeishuDocTool();
+
+    const result = await executeFeishuDocTool(feishuDocTool, {
+      action: "upload_file",
+      doc_token: "doc_1",
+      file_path: "/etc/passwd",
+    });
+
+    expect(result.details.error).toContain("not under an allowed directory");
+    expect(driveUploadAllMock).not.toHaveBeenCalled();
+  });
+
+  it("rejects traversal paths in upload_image via loadWebMedia sandbox", async () => {
+    blockChildrenCreateMock.mockResolvedValueOnce({
+      code: 0,
+      data: {
+        children: [{ block_type: 27, block_id: "img_block_1" }],
+      },
+    });
+
+    loadWebMediaMock.mockRejectedValueOnce(
+      new Error(
+        "Local media path is not under an allowed directory: /home/admin/.openclaw/openclaw.json",
+      ),
+    );
+
+    const feishuDocTool = resolveFeishuDocTool();
+
+    const result = await executeFeishuDocTool(feishuDocTool, {
+      action: "upload_image",
+      doc_token: "doc_1",
+      file_path: "/home/admin/.openclaw/openclaw.json",
+    });
+
+    expect(result.details.error).toContain("not under an allowed directory");
+    expect(driveUploadAllMock).not.toHaveBeenCalled();
   });
 });