vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-21 15:01:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
897cda7d994cae153ab58c76df85653c8f8c8f82
openclaw/extensions
History
sudie-codes 897cda7d99 msteams: fix sender allowlist bypass when route allowlist is configured (GHSA-g7cr-9h7q-4qxq) (#49582) 
When a route-level (teams/channel) allowlist was configured but the sender
allowlist (allowFrom/groupAllowFrom) was empty, resolveSenderScopedGroupPolicy
would downgrade the effective group policy from "allowlist" to "open", allowing
any Teams user to interact with the bot.

The fix: when channelGate.allowlistConfigured is true and effectiveGroupAllowFrom
is empty, preserve the configured groupPolicy ("allowlist") rather than letting
it be downgraded to "open". This ensures an empty sender allowlist with an active
route allowlist means deny-all rather than allow-all.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 10:08:19 -05:00
..
acpx
Plugins: remove shared extension boundary debt
2026-03-18 22:58:40 -05:00
amazon-bedrock
fix(plugin-sdk): isolate provider entry surfaces
2026-03-18 13:20:46 -07:00
anthropic
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
bluebubbles
fix: persist outbound sends and skip stale cron deliveries (#50092)
2026-03-19 11:40:34 +09:00
brave
refactor(web-search): share scoped provider config plumbing
2026-03-19 23:52:53 -07:00
byteplus
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
chutes
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
cloudflare-ai-gateway
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
copilot-proxy
refactor: prune bundled sdk facades
2026-03-19 07:17:04 +00:00
device-pair
Hardening: refresh stale device pairing requests and pending metadata (#50695)
2026-03-19 18:26:06 -05:00
diagnostics-otel
fix(release): isolate config doc surfaces and sdk exports
2026-03-18 17:14:15 -07:00
diffs
Diffs: route plugin context through artifacts
2026-03-19 00:24:00 -04:00
discord
fix(discord): drop stale carbon deploy option
2026-03-19 23:30:48 -07:00
elevenlabs
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
fal
Image generation: add fal provider (#49454)
2026-03-17 21:35:13 -07:00
feishu
fix(feishu): stabilize lifecycle replay tests
2026-03-20 06:13:27 +00:00
firecrawl
refactor(web-search): share scoped provider config plumbing
2026-03-19 23:52:53 -07:00
github-copilot
Plugin SDK: split provider auth login seam
2026-03-18 02:04:10 -07:00
google
refactor(web-search): share scoped provider config plumbing
2026-03-19 23:52:53 -07:00
googlechat
CLI: fix check failures
2026-03-19 08:29:57 -04:00
huggingface
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
imessage
Plugins: remove shared extension boundary debt
2026-03-18 22:58:40 -05:00
irc
Plugins: remove shared extension boundary debt
2026-03-18 22:58:40 -05:00
kilocode
refactor: converge plugin sdk channel helpers
2026-03-19 00:25:19 +00:00
kimi-coding
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
line
fix(plugin-sdk): restore public runtime subpaths
2026-03-18 17:38:49 -07:00
llm-task
fix: restore full gate stability
2026-03-19 03:36:03 +00:00
lobster
Plugins: remove shared extension boundary debt
2026-03-18 22:58:40 -05:00
matrix
fix(matrix): mock configured bot ids in monitor tests
2026-03-20 03:50:06 +00:00
mattermost
Plugins: remove shared extension boundary debt
2026-03-18 22:58:40 -05:00
memory-core
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
memory-lancedb
refactor: install heavy plugins on demand
2026-03-19 03:37:30 +00:00
microsoft
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
minimax
fix(release): isolate config doc surfaces and sdk exports
2026-03-18 17:14:15 -07:00
mistral
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
modelstudio
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
moonshot
refactor(web-search): share scoped provider config plumbing
2026-03-19 23:52:53 -07:00
msteams
msteams: fix sender allowlist bypass when route allowlist is configured (GHSA-g7cr-9h7q-4qxq) (#49582)
2026-03-20 10:08:19 -05:00
nextcloud-talk
CLI: fix check failures
2026-03-19 08:29:57 -04:00
nostr
Plugins: remove shared extension boundary debt
2026-03-18 22:58:40 -05:00
nvidia
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
ollama
fix: preserve interactive Ollama model selection (#49249) (thanks @BruceMacD)
2026-03-18 18:02:44 -07:00
open-prose
refactor: prune bundled sdk facades
2026-03-19 07:17:04 +00:00
openai
fix(auth): lazy-load provider oauth helpers
2026-03-18 13:40:28 -07:00
opencode
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
opencode-go
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
openrouter
fix(plugin-sdk): isolate provider entry surfaces
2026-03-18 13:20:46 -07:00
openshell
Plugin SDK: split setup and sandbox subpaths
2026-03-16 12:06:32 +00:00
perplexity
refactor(web-search): share scoped provider config plumbing
2026-03-19 23:52:53 -07:00
phone-control
refactor: prune bundled sdk facades
2026-03-19 07:17:04 +00:00
qianfan
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
qwen-portal-auth
fix(plugin-sdk): restore public runtime subpaths
2026-03-18 17:38:49 -07:00
sglang
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
shared
refactor: finalize plugin sdk legacy boundary cleanup
2026-03-16 22:51:46 -07:00
signal
test(signal): harden tool-result infra-runtime mock
2026-03-20 01:33:16 -07:00
slack
Channels: stabilize lane harness and monitor tests (#50167)
2026-03-19 01:47:48 -05:00
synology-chat
fix(release): isolate config doc surfaces and sdk exports
2026-03-18 17:14:15 -07:00
synthetic
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
talk-voice
refactor: prune bundled sdk facades
2026-03-19 07:17:04 +00:00
tavily
refactor(web-search): share scoped provider config plumbing
2026-03-19 23:52:53 -07:00
telegram
fix(telegram): serialize thread binding persists
2026-03-20 00:30:11 -07:00
thread-ownership
fix(release): isolate config doc surfaces and sdk exports
2026-03-18 17:14:15 -07:00
tlon
Matrix: guard private-network homeserver access
2026-03-19 23:24:50 -04:00
together
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
twitch
Plugins: remove shared extension boundary debt
2026-03-18 22:58:40 -05:00
venice
refactor: unify plugin sdk primitives
2026-03-18 23:58:56 +00:00
vercel-ai-gateway
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
vllm
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
voice-call
test: add voice-call hangup-once lifecycle regression
2026-03-19 16:50:36 -05:00
volcengine
refactor: dedupe bundled plugin entrypoints
2026-03-17 00:14:12 -07:00
whatsapp
test(whatsapp): override config-runtime mock exports safely
2026-03-19 09:42:13 -07:00
xai
refactor(web-search): share scoped provider config plumbing
2026-03-19 23:52:53 -07:00
xiaomi
feat(xiaomi): add MiMo V2 Pro and MiMo V2 Omni models, switch to OpenAI completions API (#49214)
2026-03-19 19:26:47 -07:00
zai
fix(plugin-sdk): restore public runtime subpaths
2026-03-18 17:38:49 -07:00
zalo
test: add Zalo pairing lifecycle regression
2026-03-19 17:13:38 -05:00
zalouser
fix(zalouser): decouple tests from zca-js runtime
2026-03-20 06:13:27 +00:00
.npmignore
fix: harden windows npm runtime path
2026-03-12 23:03:19 +00:00