Peter Steinberger
719f06510c
chore: bump version to 2026.4.10
2026-04-09 03:56:22 +01:00
sudie-codes
1fed7bc379
fix(msteams): pin reply target at inbound time to prevent DM/channel leak (#54520) (#62716)
2026-04-08 21:22:12 -05:00
sudie-codes
9edfefedf7
fix(msteams): route thread replies to correct thread via replyToId (#58030) (#62715)
2026-04-08 21:22:09 -05:00
sudie-codes
38aa1edf76
fix(msteams): isolate channel thread sessions by replyToId (#58615) (#62713)
* fix(msteams): isolate thread sessions by replyToId (#58615)
* fix(msteams): align thread ID extraction + fix test types
2026-04-08 21:22:05 -05:00
Vignesh Natarajan
2484064c48
chore(lint): clear extension lint regressions and add #63416 changelog
2026-04-08 17:17:29 -07:00
Peter Steinberger
46480f531a
test: dedupe msteams authz fixtures
2026-04-08 10:43:48 +01:00
Peter Steinberger
95e397a266
refactor: dedupe repeated test helpers
2026-04-08 09:58:22 +01:00
Vincent Koc
4260ac4cf6
perf(plugins): narrow boundary compile sdk imports
2026-04-08 08:52:51 +01:00
Peter Steinberger
8cbd60d203
chore: prepare 2026.4.9 release
2026-04-08 08:02:53 +01:00
Peter Steinberger
a53c13fc06
chore: prepare 2026.4.8 npm release
2026-04-08 06:03:20 +01:00
Peter Steinberger
d03fa0899f
fix: repair bundled channel secret sidecars
2026-04-08 04:56:58 +01:00
Peter Steinberger
4f8471617a
chore: prepare 2026.4.8
2026-04-08 04:21:51 +01:00
Peter Steinberger
0e91c25c0b
chore: prepare 2026.4.7
2026-04-08 02:14:59 +01:00
Peter Steinberger
6affd09dbe
Tests: repair latest main type drift
2026-04-07 23:52:55 +01:00
Peter Steinberger
67035a6af8
refactor: dedupe trimmed string readers
2026-04-07 22:57:52 +01:00
Peter Steinberger
e0ad3e79e6
refactor: dedupe normalization lowercase helpers
2026-04-07 22:57:52 +01:00
Agustin Rivera
a31cb15561
Guard missed base64 decode paths (#62007)
* fix(media): guard missed base64 decode paths
Co-authored-by: zsxsoft <git@zsxsoft.com>
* fix(media): wire maxBytes into image-generate-tool and consolidate base64 guard helpers
* docs(changelog): add base64 decode guard entry
* fix(image-generate): validate configured media cap
---------
Co-authored-by: zsxsoft <git@zsxsoft.com>
Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-07 15:25:19 -06:00
Gustavo Madeira Santana
d78512b09d
Refactor: centralize native approval lifecycle assembly (#62135)
Merged via squash.
Prepared head SHA: b7c20a7398
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-04-07 14:40:26 -04:00
Peter Steinberger
1d7e87580d
refactor: dedupe media lowercase helpers
2026-04-07 15:53:50 +01:00
Peter Steinberger
898579d8ba
fix: restore msteams channel string normalization import
2026-04-07 15:10:51 +01:00
Peter Steinberger
2cd8b2adf4
test: speed up msteams actions tests
2026-04-07 15:03:13 +01:00
Peter Steinberger
c8e290fe22
test: speed up msteams directory tests
2026-04-07 14:38:59 +01:00
Peter Steinberger
cb28d8d6b8
refactor: dedupe browser and memory lowercase helpers
2026-04-07 13:44:41 +01:00
Peter Steinberger
a15a5a1edc
refactor: dedupe lowercase helper readers
2026-04-07 13:44:41 +01:00
Peter Steinberger
b747e0c34d
test: speed up msteams setup surface
2026-04-07 13:37:01 +01:00
Vincent Koc
dfb6c9c920
perf(plugin-sdk): split channel secret runtime helpers
2026-04-07 13:09:12 +01:00
Peter Steinberger
18acfe7352
refactor: dedupe msteams lowercase helpers
2026-04-07 13:01:23 +01:00
Peter Steinberger
cb29ecc100
refactor: dedupe channel helper readers
2026-04-07 10:37:39 +01:00
Peter Steinberger
9d8d1dd4c5
refactor: dedupe shared string aliases
2026-04-07 09:44:53 +01:00
Vincent Koc
d5ed6d26e9
chore(plugins): bulk add package boundary tsconfig rollout
2026-04-07 08:48:23 +01:00
Peter Steinberger
90a45a4907
refactor: dedupe provider channel readers
2026-04-07 08:40:34 +01:00
Peter Steinberger
625fd5b3e3
refactor: centralize inbound mention policy
2026-04-07 07:51:00 +01:00
Peter Steinberger
d9fbfa268f
refactor: dedupe extension string helpers
2026-04-07 05:06:54 +01:00
Peter Steinberger
ddd0fcdc83
fix(ci): refresh extension mocks and protocol models
2026-04-07 03:43:21 +01:00
Peter Steinberger
59ccea334d
refactor: dedupe exported record guards
2026-04-07 02:03:33 +01:00
Vincent Koc
cd09f41fe0
fix(ci): repair extension test and msteams seams
2026-04-06 23:17:48 +01:00
Peter Steinberger
0b7f6fa9d0
refactor: dedupe msteams handler record helper
2026-04-06 22:54:48 +01:00
Peter Steinberger
a8ac0b7976
refactor: dedupe msteams record helper
2026-04-06 22:54:48 +01:00
Vincent Koc
c3f806c9e4
perf(secrets): lighten channel contract loading
2026-04-06 22:17:32 +01:00
Vincent Koc
78639eff76
perf(secrets): narrow channel secret sdk seam
2026-04-06 20:40:11 +01:00
Peter Steinberger
8ff570ee42
refactor: resolve channel env vars from plugin manifests
2026-04-06 19:53:27 +01:00
Vincent Koc
8e2ecd053f
fix(secrets): restore source-mode contract loading
2026-04-06 17:59:53 +01:00
Peter Steinberger
8b79cbcd06
build(plugins): align package versions to 2026.4.6
2026-04-06 17:05:30 +01:00
Peter Steinberger
860721f28d
build(plugins): sync bundled versions to 2026.4.6
2026-04-06 17:05:30 +01:00
Vincent Koc
c3b19d204a
perf(test): lazy-load bundled channel secrets
2026-04-06 16:40:41 +01:00
Peter Steinberger
378b2c2f5c
fix(check): absorb latest main lint drift
2026-04-06 15:56:02 +01:00
Lewis
1234c873bc
fix(msteams): add SSRF validation to file consent upload URL (#23596)
* fix(msteams): add SSRF validation to file consent upload URL
The uploadToConsentUrl() function previously accepted any URL from the fileConsent/invoke response without validation. A malicious Teams tenant user could craft an invoke activity with an attacker-controlled uploadUrl, causing the bot to PUT file data to arbitrary destinations (SSRF).

This commit adds validateConsentUploadUrl() which enforces:

1. HTTPS-only protocol
2. Hostname must match a strict allowlist of Microsoft/SharePoint domains (sharepoint.com, graph.microsoft.com, onedrive.com, etc.)
3. DNS resolution check rejects private/reserved IPs (RFC 1918, loopback, link-local) to prevent DNS rebinding attacks

The CONSENT_UPLOAD_HOST_ALLOWLIST is intentionally narrower than the existing DEFAULT_MEDIA_HOST_ALLOWLIST, excluding overly broad domains like blob.core.windows.net and trafficmanager.net that any Azure customer can create endpoints under.

Includes 47 tests covering IPv4/IPv6 private IP detection, protocol enforcement, hostname allowlist matching, DNS failure handling, and end-to-end upload validation.
* fix(msteams): validate all DNS answers for consent uploads
* fix(msteams): restore changelog header
---------
Co-authored-by: Brad Groux <bradgroux@users.noreply.github.com>
2026-04-06 09:52:56 -05:00
Vincent Koc
620537914b
fix(plugins): clean bundled extension lint tail
2026-04-06 15:21:46 +01:00
Peter Steinberger
8d095147b4
fix: restore check gate
2026-04-06 15:20:03 +01:00
Peter Steinberger
af62a2c2e4
style: fix extension lint violations
2026-04-06 14:53:55 +01:00