vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-04 22:10:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden webhook memory guards across channels

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 00:11:49 +00:00
parent 1c8ae978d2
commit 43cad8268d
14 changed files with 451 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
extensions/feishu/src/monitor.ts
View File

@@ -3,6 +3,8 @@ import * as http from "http";
import * as Lark from "@larksuiteoapi/node-sdk";
import {
type ClawdbotConfig,
createBoundedCounter,
createFixedWindowRateLimiter,
type RuntimeEnv,
type HistoryEntry,
installRequestBodyLimitGuard,
@@ -32,6 +34,8 @@ const FEISHU_WEBHOOK_RATE_LIMIT_WINDOW_MS = 60_000;
const FEISHU_WEBHOOK_RATE_LIMIT_MAX_REQUESTS = 120;
const FEISHU_WEBHOOK_RATE_LIMIT_MAX_TRACKED_KEYS = 4_096;
const FEISHU_WEBHOOK_COUNTER_LOG_EVERY = 25;
const FEISHU_WEBHOOK_COUNTER_MAX_TRACKED_KEYS = 4_096;
const FEISHU_WEBHOOK_COUNTER_TTL_MS = 6 * 60 * 60_000;
const FEISHU_REACTION_VERIFY_TIMEOUT_MS = 1_500;
export type FeishuReactionCreatedEvent = {
@@ -55,9 +59,15 @@ type ResolveReactionSyntheticEventParams = {
uuid?: () => string;
};
const feishuWebhookRateLimits = new Map<string, { count: number; windowStartMs: number }>();
const feishuWebhookStatusCounters = new Map<string, number>();
let lastWebhookRateLimitCleanupMs = 0;
const feishuWebhookRateLimiter = createFixedWindowRateLimiter({
windowMs: FEISHU_WEBHOOK_RATE_LIMIT_WINDOW_MS,
maxRequests: FEISHU_WEBHOOK_RATE_LIMIT_MAX_REQUESTS,
maxTrackedKeys: FEISHU_WEBHOOK_RATE_LIMIT_MAX_TRACKED_KEYS,
});
const feishuWebhookStatusCounters = createBoundedCounter({
maxTrackedKeys: FEISHU_WEBHOOK_COUNTER_MAX_TRACKED_KEYS,
ttlMs: FEISHU_WEBHOOK_COUNTER_TTL_MS,
});
function isJsonContentType(value: string | string[] | undefined): boolean {
const first = Array.isArray(value) ? value[0] : value;
@@ -68,55 +78,17 @@ function isJsonContentType(value: string | string[] | undefined): boolean {
return mediaType === "application/json" || Boolean(mediaType?.endsWith("+json"));
}
function trimWebhookRateLimitState(): void {
while (feishuWebhookRateLimits.size > FEISHU_WEBHOOK_RATE_LIMIT_MAX_TRACKED_KEYS) {
const oldestKey = feishuWebhookRateLimits.keys().next().value;
if (typeof oldestKey !== "string") {
break;
}
feishuWebhookRateLimits.delete(oldestKey);
}
}
function maybePruneWebhookRateLimitState(nowMs: number): void {
if (
feishuWebhookRateLimits.size === 0 ||
nowMs - lastWebhookRateLimitCleanupMs < FEISHU_WEBHOOK_RATE_LIMIT_WINDOW_MS
) {
return;
}
lastWebhookRateLimitCleanupMs = nowMs;
for (const [key, state] of feishuWebhookRateLimits) {
if (nowMs - state.windowStartMs >= FEISHU_WEBHOOK_RATE_LIMIT_WINDOW_MS) {
feishuWebhookRateLimits.delete(key);
}
}
}
export function clearFeishuWebhookRateLimitStateForTest(): void {
feishuWebhookRateLimits.clear();
lastWebhookRateLimitCleanupMs = 0;
feishuWebhookRateLimiter.clear();
feishuWebhookStatusCounters.clear();
}
export function getFeishuWebhookRateLimitStateSizeForTest(): number {
return feishuWebhookRateLimits.size;
return feishuWebhookRateLimiter.size();
}
export function isWebhookRateLimitedForTest(key: string, nowMs: number): boolean {
maybePruneWebhookRateLimitState(nowMs);
const state = feishuWebhookRateLimits.get(key);
if (!state || nowMs - state.windowStartMs >= FEISHU_WEBHOOK_RATE_LIMIT_WINDOW_MS) {
feishuWebhookRateLimits.set(key, { count: 1, windowStartMs: nowMs });
trimWebhookRateLimitState();
return false;
}
state.count += 1;
if (state.count > FEISHU_WEBHOOK_RATE_LIMIT_MAX_REQUESTS) {
return true;
}
return false;
return feishuWebhookRateLimiter.isRateLimited(key, nowMs);
}
function isWebhookRateLimited(key: string, nowMs: number): boolean {
@@ -133,8 +105,7 @@ function recordWebhookStatus(
return;
}
const key = `${accountId}:${path}:${statusCode}`;
const next = (feishuWebhookStatusCounters.get(key) ?? 0) + 1;
feishuWebhookStatusCounters.set(key, next);
const next = feishuWebhookStatusCounters.increment(key);
if (next === 1 || next % FEISHU_WEBHOOK_COUNTER_LOG_EVERY === 0) {
const log = runtime?.log ?? console.log;
log(`feishu[${accountId}]: webhook anomaly path=${path} status=${statusCode} count=${next}`);