diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0067399debc..e64bef7bf91 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,6 +47,7 @@ Docs: https://docs.openclaw.ai
 - Voice-call realtime: ignore malformed provider media-frame base64 before forwarding audio into bridge and transcription paths.
 - QQBot: reject malformed stored cron payload base64 before JSON decoding structured reminder data.
 - Telnyx voice-call: use the raw `client_state` fallback when webhook state is malformed base64 instead of using silently corrupted decoded text.
+- Google Meet: report malformed node-host params JSON with plugin-owned errors instead of leaking raw JSON parser failures.
 - Models config/auth: stop inferring provider env-var markers from broad `^[A-Z_][A-Z0-9_]*$` strings, and resolve config-backed provider `apiKey` values only through structured env SecretRefs (`secrets.providers[id]` / `secrets.defaults`), so unrelated env vars cannot accidentally become provider credentials. Thanks @sallyom.
 - Media fetch: skip allocating and buffering the response body for bodyless media responses (HEAD probes and 204-style empty bodies), avoiding wasted heap on streams that carry no payload. Thanks @shakkernerd.
 - CLI/onboarding: forward provider-specific auth flags (e.g. `--openai-api-key`) through the onboarding wizard so they reach provider auth methods via `ctx.opts`, letting `--openai-api-key "$OPENAI_API_KEY"` skip the redundant "use existing env var?" prompt in non-interactive harnesses. (#81669) Thanks @sjf.
diff --git a/extensions/google-meet/node-host.test.ts b/extensions/google-meet/node-host.test.ts
index e5e70dbca2f..1b55236334b 100644
--- a/extensions/google-meet/node-host.test.ts
+++ b/extensions/google-meet/node-host.test.ts
@@ -51,6 +51,14 @@ describe("google-meet node host bridge sessions", () => {
 vi.resetModules();
 });
+ it("reports malformed params JSON with an owned error", async () => {
+ const { handleGoogleMeetNodeHostCommand } = await import("./src/node-host.js");
+
+ await expect(handleGoogleMeetNodeHostCommand("{not json")).rejects.toThrow(
+ "Google Meet node host received malformed params JSON.",
+ );
+ });
+
 it("starts observe-only Chrome without BlackHole or bridge processes", async () => {
 const { handleGoogleMeetNodeHostCommand } = await import("./src/node-host.js");
 const originalPlatform = process.platform;
diff --git a/extensions/google-meet/src/node-host.ts b/extensions/google-meet/src/node-host.ts
index 21103265e6d..2f06dfbea3c 100644
--- a/extensions/google-meet/src/node-host.ts
+++ b/extensions/google-meet/src/node-host.ts
@@ -473,7 +473,14 @@ function stopChrome(params: Record) {
 }
 export async function handleGoogleMeetNodeHostCommand(paramsJSON?: string | null): Promise {
- const raw = paramsJSON ? JSON.parse(paramsJSON) : {};
+ let raw: unknown = {};
+ if (paramsJSON) {
+ try {
+ raw = JSON.parse(paramsJSON) as unknown;
+ } catch {
+ throw new Error("Google Meet node host received malformed params JSON.");
+ }
+ }
 const params = asRecord(raw);
 const action = readString(params.action);
 let result: unknown;
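Review bot: The assertion `rejects.toThrow("Google Meet node host received malformed params JSON.")` in the new test is a substring match, so it would still pass if a later change appended the parser's own message to the owned one, which is the regression this test exists to catch. An anchored pattern pins the whole message: `.rejects.toThrow(/^Google Meet node host received malformed params JSON\.$/)`. The enclosing `describe` block starts and ends outside the hunk.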
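Review bot: The bare `catch` in `handleGoogleMeetNodeHostCommand` drops the parser error without saying that this is deliberate, so a later cleanup could re-attach it as `{ cause }` and bring the leak back. V8's `JSON.parse` messages can quote part of the input, so a comment above the `throw` such as `// No cause on purpose: the parser message can echo caller-supplied input.` would record the intent. Only syntax errors get the owned message; valid JSON that is not an object (`null`, an array, a number) still flows into `asRecord(raw)`, which is not visible in this hunk, so it is worth confirming that path also ends in a plugin-owned error or an empty record. The function body continues past the end of the hunk.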