vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-12 07:20:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(zalouser): harden inbound sender id handling

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 15:44:02 +00:00
parent 208a9b1ad1
commit ee1b147631
2 changed files with 18 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
extensions/zalouser/src/monitor.account-scope.test.ts
View File

@@ -2,7 +2,7 @@ import type { OpenClawConfig, PluginRuntime, RuntimeEnv } from "openclaw/plugin-
import { describe, expect, it, vi } from "vitest";
import { __testing } from "./monitor.js";
import { setZalouserRuntime } from "./runtime.js";
import type { ResolvedZalouserAccount, ZcaMessage } from "./types.js";
import type { ResolvedZalouserAccount, ZaloInboundMessage } from "./types.js";
const sendMessageZalouserMock = vi.hoisted(() => vi.fn(async () => {}));
@@ -72,17 +72,16 @@ describe("zalouser monitor pairing account scoping", () => {
},
};
const message: ZcaMessage = {
const message: ZaloInboundMessage = {
threadId: "chat-1",
isGroup: false,
senderId: "attacker",
senderName: "Attacker",
groupName: undefined,
timestampMs: Date.now(),
msgId: "msg-1",
type: 1,
content: "hello",
timestamp: Math.floor(Date.now() / 1000),
metadata: {
isGroup: false,
fromId: "attacker",
senderName: "Attacker",
},
raw: { source: "test" },
};
const runtime: RuntimeEnv = {

13
extensions/zalouser/src/monitor.ts
View File

@@ -61,11 +61,14 @@ function logVerbose(core: ZalouserCoreRuntime, runtime: RuntimeEnv, message: str
}
}
function isSenderAllowed(senderId: string, allowFrom: string[]): boolean {
function isSenderAllowed(senderId: string | undefined, allowFrom: string[]): boolean {
if (allowFrom.includes("*")) {
return true;
}
const normalizedSenderId = senderId.toLowerCase();
const normalizedSenderId = senderId?.trim().toLowerCase();
if (!normalizedSenderId) {
return false;
}
return allowFrom.some((entry) => {
const normalized = entry.toLowerCase().replace(/^(zalouser|zlu):/i, "");
return normalized === normalizedSenderId;
@@ -133,7 +136,11 @@ async function processMessage(
}
const isGroup = message.isGroup;
const senderId = message.senderId;
const senderId = message.senderId?.trim();
if (!senderId) {
logVerbose(core, runtime, `zalouser: drop message ${chatId} (missing senderId)`);
return;
}
const senderName = message.senderName ?? "";
const groupName = message.groupName ?? "";
const chatId = message.threadId;