Peter Steinberger
9d8d1dd4c5
refactor: dedupe shared string aliases
2026-04-07 09:44:53 +01:00
Vincent Koc
d5ed6d26e9
chore(plugins): bulk add package boundary tsconfig rollout
2026-04-07 08:48:23 +01:00
Peter Steinberger
90a45a4907
refactor: dedupe provider channel readers
2026-04-07 08:40:34 +01:00
Peter Steinberger
625fd5b3e3
refactor: centralize inbound mention policy
2026-04-07 07:51:00 +01:00
Peter Steinberger
d9fbfa268f
refactor: dedupe extension string helpers
2026-04-07 05:06:54 +01:00
Peter Steinberger
ddd0fcdc83
fix(ci): refresh extension mocks and protocol models
2026-04-07 03:43:21 +01:00
Peter Steinberger
59ccea334d
refactor: dedupe exported record guards
2026-04-07 02:03:33 +01:00
Vincent Koc
cd09f41fe0
fix(ci): repair extension test and msteams seams
2026-04-06 23:17:48 +01:00
Peter Steinberger
0b7f6fa9d0
refactor: dedupe msteams handler record helper
2026-04-06 22:54:48 +01:00
Peter Steinberger
a8ac0b7976
refactor: dedupe msteams record helper
2026-04-06 22:54:48 +01:00
Vincent Koc
c3f806c9e4
perf(secrets): lighten channel contract loading
2026-04-06 22:17:32 +01:00
Vincent Koc
78639eff76
perf(secrets): narrow channel secret sdk seam
2026-04-06 20:40:11 +01:00
Peter Steinberger
8ff570ee42
refactor: resolve channel env vars from plugin manifests
2026-04-06 19:53:27 +01:00
Vincent Koc
8e2ecd053f
fix(secrets): restore source-mode contract loading
2026-04-06 17:59:53 +01:00
Peter Steinberger
8b79cbcd06
build(plugins): align package versions to 2026.4.6
2026-04-06 17:05:30 +01:00
Peter Steinberger
860721f28d
build(plugins): sync bundled versions to 2026.4.6
2026-04-06 17:05:30 +01:00
Vincent Koc
c3b19d204a
perf(test): lazy-load bundled channel secrets
2026-04-06 16:40:41 +01:00
Peter Steinberger
378b2c2f5c
fix(check): absorb latest main lint drift
2026-04-06 15:56:02 +01:00
Lewis
1234c873bc
fix(msteams): add SSRF validation to file consent upload URL (#23596)
* fix(msteams): add SSRF validation to file consent upload URL
The uploadToConsentUrl() function previously accepted any URL from the
fileConsent/invoke response without validation. A malicious Teams tenant
user could craft an invoke activity with an attacker-controlled uploadUrl,
causing the bot to PUT file data to arbitrary destinations (SSRF).
This commit adds validateConsentUploadUrl() which enforces:
1. HTTPS-only protocol
2. Hostname must match a strict allowlist of Microsoft/SharePoint
   domains (sharepoint.com, graph.microsoft.com, onedrive.com, etc.)
3. DNS resolution check rejects private/reserved IPs (RFC 1918,
   loopback, link-local) to prevent DNS rebinding attacks
The CONSENT_UPLOAD_HOST_ALLOWLIST is intentionally narrower than the
existing DEFAULT_MEDIA_HOST_ALLOWLIST, excluding overly broad domains
like blob.core.windows.net and trafficmanager.net that any Azure
customer can create endpoints under.
Includes 47 tests covering IPv4/IPv6 private IP detection, protocol
enforcement, hostname allowlist matching, DNS failure handling, and
end-to-end upload validation.
* fix(msteams): validate all DNS answers for consent uploads
* fix(msteams): restore changelog header
---------
Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
2026-04-06 09:52:56 -05:00
Vincent Koc
620537914b
fix(plugins): clean bundled extension lint tail
2026-04-06 15:21:46 +01:00
Peter Steinberger
8d095147b4
fix: restore check gate
2026-04-06 15:20:03 +01:00
Peter Steinberger
af62a2c2e4
style: fix extension lint violations
2026-04-06 14:53:55 +01:00
Peter Steinberger
ce8492f9a0
chore: bump version to 2026.4.5
2026-04-05 21:33:04 +01:00
Peter Steinberger
3126809cb0
refactor: clean bundled channel bootstrap boundaries
2026-04-05 18:18:59 +01:00
Peter Steinberger
89e8c8672c
fix: break bundled channel bootstrap cycles
2026-04-05 14:20:31 +01:00
Peter Steinberger
41e39eb46f
refactor: register channel bootstrap capabilities
2026-04-05 09:13:48 +01:00
coolramukaka-sys
70015be8b5
fix(msteams): replace deprecated HttpPlugin with httpServerAdapter (#60939)
Merged via squash.
Prepared head SHA: 7fe7f3c6bb
Co-authored-by: coolramukaka-sys <271658891+coolramukaka-sys@users.noreply.github.com>
Co-authored-by: BradGroux <3053586+BradGroux@users.noreply.github.com>
Reviewed-by: @BradGroux
2026-04-04 17:21:45 -05:00
Peter Steinberger
67d6fc8847
chore(plugins): sync versions to 2026.4.4
2026-04-04 20:03:01 +01:00
Peter Steinberger
c5c5c77ebb
fix(ci): restore contract-safe core imports
2026-04-04 15:09:48 +01:00
Peter Steinberger
5c32dddb1c
fix(ci): restore heartbeat task batching checks
2026-04-04 15:09:48 +01:00
Peter Steinberger
1037af01ad
style(agents): normalize runtime prompt formatting
2026-04-04 12:19:08 +01:00
Peter Steinberger
87d840e9ee
fix: tighten Teams and device typing
2026-04-04 19:39:22 +09:00
Brad Groux
fce81fccd8
msteams: add typingIndicator config and prevent duplicate DM typing indicator (#60771)
* msteams: add typingIndicator config and avoid duplicate DM typing
* fix(msteams): validate typingIndicator config
* fix(msteams): stop streaming before Teams timeout
* fix(msteams): classify expired streams correctly
* fix(msteams): handle link text from html attachments
---------
Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
2026-04-04 04:34:24 -05:00
Peter Steinberger
edfaa01d1d
refactor(plugin-sdk): split runtime helper seams
2026-04-04 08:53:19 +01:00
sudie-codes
928a5128f4
msteams: add channel-list and channel-info actions (#57529)
* msteams: add channel-list and channel-info actions via Graph API
* msteams: use action helpers, add channel-list pagination
* msteams: address PR #57529 review feedback
2026-04-04 02:43:08 -05:00
Brad Groux
c88d6d67c8
feat(msteams): add OpenClaw User-Agent header to Microsoft HTTP calls (#51568) (#60433)
Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
2026-04-04 02:38:57 -05:00
Brad Groux
dd2faa3764
fix(msteams): persist conversation reference during DM pairing (#60432)
* fix(msteams): persist conversation reference during DM pairing (#43323)
* ci: retrigger checks
---------
Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
2026-04-04 02:38:54 -05:00
Brad Groux
06c6ff6670
fix(msteams): handle Adaptive Card Action.Submit invoke activities (#60431)
* fix(msteams): handle Adaptive Card Action.Submit invoke activities (#55384)
* ci: retrigger checks
---------
Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
2026-04-04 02:38:51 -05:00
Brad Groux
1b2fb6b98b
feat: add bundled StepFun provider plugin (#60032) (#60430)
Co-authored-by: hengm3467 <100685635+hengm3467@users.noreply.github.com>
Co-authored-by: George Zhang <georgezhangtj97@gmail.com>
2026-04-04 02:38:49 -05:00
Peter Steinberger
b0e1551eb8
refactor(extensions): add channel-owned config schema seams
2026-04-04 05:31:11 +01:00
Peter Steinberger
1246e2b03a
refactor(extensions): move channel-specific config surfaces out of core
2026-04-04 05:06:32 +01:00
Vincent Koc
c4bae0f7bf
refactor(msteams): narrow channel runtime imports
2026-04-04 12:08:38 +09:00
Peter Steinberger
e4b5027c5e
refactor(plugins): move extension seams into extensions
2026-04-04 00:10:16 +01:00
Peter Steinberger
ab96520bba
refactor(plugins): move channel behavior into plugins
2026-04-03 19:09:20 +01:00
Vincent Koc
6366010884
fix(ci): route extension test helpers through public sdk seams
2026-04-04 00:03:48 +09:00
Peter Steinberger
0dad4072b4
fix: keep extension helper imports behind local runtime barrels (#60153)
2026-04-03 23:01:43 +09:00
Vincent Koc
f6e99bd514
refactor(msteams): narrow messenger sdk imports
2026-04-03 22:50:54 +09:00
Vincent Koc
8b5e80fcaa
refactor(msteams): narrow store sdk imports
2026-04-03 22:49:27 +09:00
Vincent Koc
6f9b4b52f8
refactor(msteams): narrow send sdk imports
2026-04-03 22:47:07 +09:00
Vincent Koc
875c3813aa
refactor(msteams): narrow outbound sdk imports
2026-04-03 22:45:09 +09:00