Matrix: forward dangerouslyAllowPrivateNetwork config to client SSRF policy (#68332)

Merged via squash. Prepared head SHA: d8733928eb Co-authored-by: kagura-agent <268167063+kagura-agent@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras
2026-05-06 18:50:42 +00:00 · 2026-04-18 12:50:50 +08:00
parent dc3b10285d
commit c2fb4007c2
3 changed files with 62 additions and 2 deletions
--- a/extensions/matrix/src/matrix/client/create-client.test.ts
+++ b/extensions/matrix/src/matrix/client/create-client.test.ts
@@ -86,6 +86,61 @@ describe("createMatrixClient", () => {
    });
  });

+  it("derives ssrfPolicy from allowPrivateNetwork when no explicit policy is provided", async () => {
+    await createMatrixClient({
+      homeserver: "https://matrix.example.org",
+      userId: "@bot:example.org",
+      accessToken: "tok",
+      persistStorage: false,
+      allowPrivateNetwork: true,
+    });
+
+    expect(MatrixClientMock).toHaveBeenCalledWith(
+      "https://matrix.example.org",
+      "tok",
+      expect.objectContaining({
+        ssrfPolicy: { allowPrivateNetwork: true },
+      }),
+    );
+  });
+
+  it("prefers explicit ssrfPolicy over allowPrivateNetwork", async () => {
+    const explicitPolicy = { allowPrivateNetwork: true, customField: "test" };
+    await createMatrixClient({
+      homeserver: "https://matrix.example.org",
+      userId: "@bot:example.org",
+      accessToken: "tok",
+      persistStorage: false,
+      allowPrivateNetwork: false,
+      ssrfPolicy: explicitPolicy as never,
+    });
+
+    expect(MatrixClientMock).toHaveBeenCalledWith(
+      "https://matrix.example.org",
+      "tok",
+      expect.objectContaining({
+        ssrfPolicy: explicitPolicy,
+      }),
+    );
+  });
+
+  it("leaves ssrfPolicy undefined when allowPrivateNetwork is falsy and no explicit policy", async () => {
+    await createMatrixClient({
+      homeserver: "https://matrix.example.org",
+      userId: "@bot:example.org",
+      accessToken: "tok",
+      persistStorage: false,
+    });
+
+    expect(MatrixClientMock).toHaveBeenCalledWith(
+      "https://matrix.example.org",
+      "tok",
+      expect.objectContaining({
+        ssrfPolicy: undefined,
+      }),
+    );
+  });
+
  it("skips persistent storage wiring when persistence is disabled", async () => {
    await createMatrixClient({
      homeserver: "https://matrix.example.org",
--- a/extensions/matrix/src/matrix/client/create-client.ts
+++ b/extensions/matrix/src/matrix/client/create-client.ts
@@ -1,7 +1,10 @@
 import fs from "node:fs";
 import type { PinnedDispatcherPolicy } from "openclaw/plugin-sdk/ssrf-dispatcher";
 import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
-import type { SsrFPolicy } from "../../runtime-api.js";
+import {
+  ssrfPolicyFromDangerouslyAllowPrivateNetwork,
+  type SsrFPolicy,
+} from "../../runtime-api.js";
 import type { MatrixClient } from "../sdk.js";
 import { resolveValidatedMatrixHomeserverUrl } from "./config.js";
 import {
@@ -95,7 +98,8 @@ export async function createMatrixClient(params: {
    idbSnapshotPath: storagePaths?.idbSnapshotPath,
    cryptoDatabasePrefix,
    autoBootstrapCrypto: params.autoBootstrapCrypto,
-    ssrfPolicy: params.ssrfPolicy,
+    ssrfPolicy:
+      params.ssrfPolicy ?? ssrfPolicyFromDangerouslyAllowPrivateNetwork(params.allowPrivateNetwork),
    dispatcherPolicy: params.dispatcherPolicy,
  });
 }