Davanum Srinivas
08ae021d1f
fix(qqbot): guard image-size probe against SSRF (#63495)
* fix(qqbot): replace raw fetch in image-size probe with SSRF-guarded fetchRemoteMedia
Replace the bare fetch() in getImageSizeFromUrl() with fetchRemoteMedia()
from the plugin SDK, closing the blind SSRF via markdown image dimension
probing (GHSA-2767-2q9v-9326).
fetchRemoteMedia options: maxBytes 65536, maxRedirects 0, generic
public-network-only SSRF policy (no hostname allowlist, blocks
private/reserved/loopback/link-local/metadata IPs after DNS resolution).
Also fixes the repo-root resolution in scripts/lib/ts-guard-utils.mjs
which caused lint:tmp:no-raw-channel-fetch to miss extension files
entirely. The guard now walks up to .git instead of hardcoding two parent
traversals, and the allowlist is refreshed with all pre-existing raw
fetch callsites that became visible.
* fix(qqbot): guard image-size probe against SSRF (#63495) (thanks @dims)
---------
Co-authored-by: sliverp <870080352@qq.com>
2026-04-09 16:48:04 +08:00
Vincent Koc
89acb92011
test(boundary): guard src imports from bundled plugin paths
2026-04-09 09:30:45 +01:00
Vincent Koc
62eca3770f
test(boundary): guard sdk and package imports from bundled plugin paths
2026-04-09 09:10:05 +01:00
Vincent Koc
2729c91ad5
test(boundary): route security audit helper through public plugin surfaces
2026-04-09 08:10:27 +01:00
Peter Steinberger
719f06510c
chore: bump version to 2026.4.10
2026-04-09 03:56:22 +01:00
Peter Steinberger
5b28ab83ef
test: run local full suite project shards in parallel
2026-04-09 02:26:22 +01:00
Peter Steinberger
a9f831e065
test: make shared-token reload deterministic
2026-04-09 01:38:16 +01:00
Peter Steinberger
0766f0b422
test: update modelstudio catalog contract sentinel
2026-04-09 01:20:34 +01:00
Altay
554bc0a9fd
fix(plugins): keep test helpers out of contract barrels (#63311)
Merged via squash.
Prepared head SHA: 769e90c6af
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Co-authored-by: altaywtf <9790196+altaywtf@users.noreply.github.com>
Reviewed-by: @altaywtf
2026-04-08 22:59:05 +01:00
Peter Steinberger
a3d21539ef
test: stabilize full-suite execution
2026-04-08 19:40:57 +01:00
Ayaan Zaidi
17e6ef4076
fix(build): keep tsdown prune best-effort
2026-04-08 21:16:49 +05:30
Peter Steinberger
654ad0a1fb
test: keep bundled web-search owner checks on public artifacts
2026-04-08 16:46:29 +01:00
Ayaan Zaidi
f4ec59c431
fix(build): honor postinstall disable flag
2026-04-08 21:01:53 +05:30
Ayaan Zaidi
66ec8909bd
fix(build): address bundled plugin prune review
2026-04-08 21:01:53 +05:30
Ayaan Zaidi
b28fe1b92f
fix(build): prune stale bundled plugin node_modules
2026-04-08 21:01:53 +05:30
Peter Steinberger
76ccbbf12f
refactor: dedupe media runtime test mocks
2026-04-08 15:58:45 +01:00
Peter Steinberger
edf6b490a6
fix: harden bundled plugin dependency release checks
2026-04-08 15:15:44 +01:00
Peter Steinberger
e65d6ebb63
test: fix full suite CI test isolation
2026-04-08 14:29:19 +01:00
Peter Steinberger
e673efe537
ci: split parallel full suite into leaf shards
2026-04-08 13:20:05 +01:00
Peter Steinberger
4d2ea434d2
ci: skip duplicate full extension shard
2026-04-08 13:03:51 +01:00
Peter Steinberger
d35c46d6c7
test: fix postpublish verifier sidecar handling
2026-04-08 12:51:15 +01:00
Peter Steinberger
013ee39f8d
test: skip duplicate package boundary wrapper in ci
2026-04-08 12:32:28 +01:00
scoootscooob
d52d5ad6ff
release: mirror bundled channel deps at root (#63065)
Merged via squash.
Prepared head SHA: ac26799a54
Co-authored-by: scoootscooob <167050519+scoootscooob@users.noreply.github.com>
Co-authored-by: scoootscooob <167050519+scoootscooob@users.noreply.github.com>
Reviewed-by: @scoootscooob
2026-04-08 04:00:17 -07:00
Peter Steinberger
8d79b87dc7
style: apply formatter output
2026-04-08 09:58:22 +01:00
Peter Steinberger
95e397a266
refactor: dedupe repeated test helpers
2026-04-08 09:58:22 +01:00
Nimrod Gutman
6681878339
feat(ios): pin calver release versioning (#63001)
* feat(ios): decouple app versioning from gateway
* feat(ios): pin calver release versioning
* refactor(ios): drop prerelease version helper fields
* docs(changelog): note pinned ios release versioning (#63001) (thanks @ngutman)
2026-04-08 11:25:35 +03:00
Vincent Koc
2e7a0fc7fb
perf(plugins): report slow boundary compiles
2026-04-08 08:52:51 +01:00
Peter Steinberger
8cbd60d203
chore: prepare 2026.4.9 release
2026-04-08 08:02:53 +01:00
Peter Steinberger
4f5c137f88
fix: unblock windows update build
2026-04-08 07:18:31 +01:00
Peter Steinberger
3b1c6d3266
test: keep Discord payload contracts off broad test api
2026-04-08 07:09:03 +01:00
Peter Steinberger
9a65a5166f
test: load narrow Discord inbound context harness
2026-04-08 07:03:21 +01:00
Peter Steinberger
f4c64168e7
test: route gateway HTTP history and startup wiring to e2e
2026-04-08 06:17:52 +01:00
Peter Steinberger
993abc1fb9
test: move gateway e2e fixture out of unit lane
2026-04-08 05:57:51 +01:00
Peter Steinberger
5eab61b45d
test: add opt-in leaf project scheduler
2026-04-08 05:28:55 +01:00
Peter Steinberger
357fcaea12
test: avoid duplicating plugin contract lane
2026-04-08 05:28:33 +01:00
Peter Steinberger
2c5b534f65
test: guard bundled channel sidecar specifiers
2026-04-08 05:07:01 +01:00
Peter Steinberger
d03fa0899f
fix: repair bundled channel secret sidecars
2026-04-08 04:56:58 +01:00
Peter Steinberger
5982f2e5e4
fix: repair Telegram setup package entry
2026-04-08 04:48:32 +01:00
Peter Steinberger
4f8471617a
chore: prepare 2026.4.8
2026-04-08 04:21:51 +01:00
Josh Lehman
b8f12d99b2
fix: expose runtime-ready provider auth to plugins (#62753)
2026-04-07 19:28:36 -07:00
Peter Steinberger
da858c326b
build: exclude plugin sdk build info from npm pack
2026-04-08 02:47:43 +01:00
Peter Steinberger
0e91c25c0b
chore: prepare 2026.4.7
2026-04-08 02:14:59 +01:00
Peter Steinberger
d51f527cca
feat: add gh-read GitHub app helper
2026-04-08 00:09:07 +01:00
Peter Steinberger
cfbe7ac227
fix(test): refresh schema snapshot and stabilize channel registry
2026-04-07 20:04:29 +01:00
Gustavo Madeira Santana
d78512b09d
Refactor: centralize native approval lifecycle assembly (#62135)
Merged via squash.
Prepared head SHA: b7c20a7398
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-04-07 14:40:26 -04:00
DhruvBhatia0
12331f0463
feat: add pluggable compaction provider registry (#56224)
Merged via squash.
Prepared head SHA: 0cc9cf3f30
Co-authored-by: DhruvBhatia0 <69252327+DhruvBhatia0@users.noreply.github.com>
Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Reviewed-by: @jalehman
2026-04-07 10:55:34 -07:00
pgondhi987
f0c9978030
fix(feishu): enforce workspace-only localRoots in docx upload actions [AI-assisted] (#62369)
* fix: address issue
* docs(changelog): add feishu workspace-only docx entry
---------
Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-07 10:35:03 -06:00
Peter Steinberger
96724e5a4b
Messaging: align adapter compile surfaces
2026-04-07 16:46:21 +01:00
Peter Steinberger
a3d5630232
test: stabilize scoped runners and qa ports
2026-04-07 15:28:46 +01:00
Peter Steinberger
cd92c6289c
Tests: stabilize provider reload boundaries
2026-04-07 22:16:53 +08:00