renato97/picoclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve multiple bugs from code review #116

Browse Source 
Fixes four issues identified in the community code review:

- Session persistence broken on Windows: session keys like
  "telegram:123456" contain ':', which is illegal in Windows
  filenames. filepath.Base() strips drive-letter prefixes on Windows,
  causing Save() to silently fail. Added sanitizeFilename() to
  replace invalid chars in the filename while keeping the original
  key in the JSON payload.

- HTTP client with no timeout: HTTPProvider used Timeout: 0 (infinite
  wait), which can hang the entire agent if an API endpoint becomes
  unresponsive. Set a 120s safety timeout.

- Slack AllowFrom type mismatch: SlackConfig used plain []string
  while every other channel uses FlexibleStringSlice, so numeric
  user IDs in Slack config would fail to parse.

- Token estimation wrong for CJK: estimateTokens() divided byte
  length by 4, but CJK characters are 3 bytes each, causing ~3x
  overestimation and premature summarization. Switched to
  utf8.RuneCountInString() / 3 for better cross-language accuracy.

Also added unit tests for the session filename sanitization.

Ref #116
This commit is contained in:
xiaoen
2026-02-15 00:28:36 +08:00
parent 1cff7d4e37
commit 0a88ff0817
5 changed files with 103 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
pkg/session/manager.go
View File

@@ -145,13 +145,27 @@ func (sm *SessionManager) TruncateHistory(key string, keepLast int) {
session.Updated = time.Now()
}
// sanitizeFilename converts a session key into a cross-platform safe filename.
// Session keys use "channel:chatID" (e.g. "telegram:123456") but ':' is the
// volume separator on Windows, so filepath.Base would misinterpret the key.
// We replace it with '_'. The original key is preserved inside the JSON file,
// so loadSessions still maps back to the right in-memory key.
func sanitizeFilename(key string) string {
return strings.ReplaceAll(key, ":", "_")
}
func (sm *SessionManager) Save(key string) error {
if sm.storage == "" {
return nil
}
// Validate key to avoid invalid filenames and path traversal.
if key == "" || key == "." || key == ".." || key != filepath.Base(key) || strings.Contains(key, "/") || strings.Contains(key, "\\") {
filename := sanitizeFilename(key)
// filepath.IsLocal rejects empty names, "..", absolute paths, and
// OS-reserved device names (NUL, COM1 … on Windows).
// The extra checks reject "." and any directory separators so that
// the session file is always written directly inside sm.storage.
if filename == "." || !filepath.IsLocal(filename) || strings.ContainsAny(filename, `/\`) {
return os.ErrInvalid
}
@@ -182,7 +196,7 @@ func (sm *SessionManager) Save(key string) error {
return err
}
sessionPath := filepath.Join(sm.storage, key+".json")
sessionPath := filepath.Join(sm.storage, filename+".json")
tmpFile, err := os.CreateTemp(sm.storage, "session-*.tmp")
if err != nil {
return err