mirror of
https://github.com/openclaw/openclaw.git
synced 2026-06-07 20:52:54 +00:00
77d9ac30bb
* refactor: share talk event metric extraction * refactor: reuse shared coercion helpers * refactor: reuse shared primitive guards * refactor: reuse shared record guard * refactor: reuse shared primitive helpers * refactor: reuse shared string guards * refactor: reuse shared non-empty string guard * refactor: share plugin primitive coercion helpers * refactor: reuse plugin coercion helpers * refactor: reuse plugin coercion helpers in more plugins * refactor: reuse channel coercion helpers * refactor: reuse monitor coercion helpers * refactor: reuse provider coercion helpers * refactor: reuse core coercion helpers * refactor: reuse runtime coercion helpers * refactor: reuse helper coercion in codex paths * refactor: reuse helper coercion in runtime paths * refactor: reuse codex app-server coercion helpers * refactor: reuse codex record helpers * refactor: reuse migration and qa record helpers * refactor: reuse feishu and core helper guards * refactor: reuse browser and policy coercion helpers * refactor: reuse memory wiki record helper * refactor: share boolean coercion helpers * refactor: reuse finite number coercion * refactor: reuse trimmed string list helpers * refactor: reuse string list normalization * refactor: reuse remaining string list helpers * refactor: reuse string entry normalizer * refactor: share sorted string helpers * refactor: share string list normalization * test: preserve command registry browser imports * refactor: reuse trimmed list helpers * refactor: reuse string dedupe helpers * refactor: reuse local dedupe helpers * refactor: reuse more string dedupe helpers * refactor: reuse command string dedupe helpers * refactor: dedupe memory path lists with helper * refactor: expose string dedupe helpers to plugins * refactor: reuse core string dedupe helpers * refactor: reuse shared unique value helpers * refactor: reuse unique helpers in agent utilities * refactor: reuse unique helpers in config plumbing * refactor: reuse unique helpers in extensions * refactor: reuse unique helpers in core utilities * refactor: reuse unique helpers in qa plugins * refactor: reuse unique helpers in memory plugins * refactor: reuse unique helpers in channel plugins * refactor: reuse unique helpers in core tails * refactor: reuse unique helper in comfy workflow * refactor: reuse unique helpers in test utilities * refactor: expose unique value helper to plugins * refactor: reuse unique helpers for numeric lists * refactor: replace index dedupe filters * refactor: reuse string entry normalization * refactor: reuse string normalization in plugin helpers * refactor: reuse string normalization in extension helpers * refactor: reuse string normalization in channel parsers * refactor: reuse string normalization in memory search * refactor: reuse string normalization in provider parsers * refactor: reuse string normalization in qa helpers * refactor: reuse string normalization in infra parsers * refactor: reuse string normalization in messaging parsers * refactor: reuse string normalization in core parsers * refactor: reuse string normalization in extension parsers * refactor: reuse string normalization in remaining parsers * refactor: reuse string normalization in final parser spots * refactor: reuse string normalization in qa media helpers * refactor: reuse normalization in provider and media lists * refactor: reuse normalization for remaining set filters * refactor: reuse normalization in policy allowlists * refactor: reuse normalization in session and owner lists * refactor: centralize primitive string lists * refactor: reuse lowercase entry helpers * refactor: reuse sorted string helpers * refactor: reuse unique trimmed helpers * refactor: reuse string normalization helpers * refactor: reuse catalog string helpers * refactor: reuse remaining string helpers * refactor: simplify remaining list normalization * refactor: reuse codex auth order normalization * chore: refresh plugin sdk api baseline * fix: make shared string sorting deterministic * chore: refresh plugin sdk api baseline * fix: align host env security ordering
187 lines
6.8 KiB
TypeScript
187 lines
6.8 KiB
TypeScript
import { readChannelAllowFromStore } from "openclaw/plugin-sdk/conversation-runtime";
|
|
import { resolveNativeSkillsEnabled } from "openclaw/plugin-sdk/native-command-config-runtime";
|
|
import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
|
|
import type { OpenClawConfig } from "../runtime-api.js";
|
|
import type { ResolvedTelegramAccount } from "./accounts.js";
|
|
import { isNumericTelegramSenderUserId, normalizeTelegramAllowFromEntry } from "./allow-from.js";
|
|
|
|
function collectInvalidTelegramAllowFromEntries(params: { entries: unknown; target: Set<string> }) {
|
|
if (!Array.isArray(params.entries)) {
|
|
return;
|
|
}
|
|
for (const entry of params.entries) {
|
|
const normalized = normalizeTelegramAllowFromEntry(entry);
|
|
if (!normalized || normalized === "*") {
|
|
continue;
|
|
}
|
|
if (!isNumericTelegramSenderUserId(normalized)) {
|
|
params.target.add(normalized);
|
|
}
|
|
}
|
|
}
|
|
|
|
function appendInvalidTelegramAllowFromFinding(
|
|
findings: Array<{
|
|
checkId: string;
|
|
severity: "info" | "warn" | "critical";
|
|
title: string;
|
|
detail: string;
|
|
remediation?: string;
|
|
}>,
|
|
invalidTelegramAllowFromEntries: Set<string>,
|
|
) {
|
|
if (invalidTelegramAllowFromEntries.size === 0) {
|
|
return;
|
|
}
|
|
const examples = Array.from(invalidTelegramAllowFromEntries).slice(0, 5);
|
|
const more =
|
|
invalidTelegramAllowFromEntries.size > examples.length
|
|
? ` (+${invalidTelegramAllowFromEntries.size - examples.length} more)`
|
|
: "";
|
|
findings.push({
|
|
checkId: "channels.telegram.allowFrom.invalid_entries",
|
|
severity: "warn",
|
|
title: "Telegram allowlist contains non-numeric entries",
|
|
detail:
|
|
"Telegram sender authorization requires numeric Telegram user IDs. " +
|
|
`Found non-numeric allowFrom entries: ${examples.join(", ")}${more}.`,
|
|
remediation:
|
|
"Replace @username entries with numeric Telegram user IDs (use setup to resolve), then re-run the audit.",
|
|
});
|
|
}
|
|
|
|
export async function collectTelegramSecurityAuditFindings(params: {
|
|
cfg: OpenClawConfig;
|
|
accountId?: string | null;
|
|
account: ResolvedTelegramAccount;
|
|
}) {
|
|
const findings: Array<{
|
|
checkId: string;
|
|
severity: "info" | "warn" | "critical";
|
|
title: string;
|
|
detail: string;
|
|
remediation?: string;
|
|
}> = [];
|
|
|
|
const telegramCfg = params.account.config ?? {};
|
|
const accountId =
|
|
normalizeOptionalString(params.accountId) ?? params.account.accountId ?? "default";
|
|
const invalidTelegramAllowFromEntries = new Set<string>();
|
|
collectInvalidTelegramAllowFromEntries({
|
|
entries: Array.isArray(telegramCfg.allowFrom) ? telegramCfg.allowFrom : [],
|
|
target: invalidTelegramAllowFromEntries,
|
|
});
|
|
if (params.cfg.commands?.text === false) {
|
|
appendInvalidTelegramAllowFromFinding(findings, invalidTelegramAllowFromEntries);
|
|
return findings;
|
|
}
|
|
|
|
const defaultGroupPolicy = params.cfg.channels?.defaults?.groupPolicy;
|
|
const groupPolicy =
|
|
(telegramCfg.groupPolicy as string | undefined) ?? defaultGroupPolicy ?? "allowlist";
|
|
const groups = telegramCfg.groups as Record<string, unknown> | undefined;
|
|
const groupsConfigured = Boolean(groups) && Object.keys(groups ?? {}).length > 0;
|
|
const groupAccessPossible =
|
|
groupPolicy === "open" || (groupPolicy === "allowlist" && groupsConfigured);
|
|
if (!groupAccessPossible) {
|
|
appendInvalidTelegramAllowFromFinding(findings, invalidTelegramAllowFromEntries);
|
|
return findings;
|
|
}
|
|
|
|
const storeAllowFrom = await readChannelAllowFromStore("telegram", process.env, accountId).catch(
|
|
() => [],
|
|
);
|
|
const storeHasWildcard = storeAllowFrom.some(
|
|
(value) => (normalizeOptionalString(value) ?? "") === "*",
|
|
);
|
|
collectInvalidTelegramAllowFromEntries({
|
|
entries: storeAllowFrom,
|
|
target: invalidTelegramAllowFromEntries,
|
|
});
|
|
const groupAllowFrom = Array.isArray(telegramCfg.groupAllowFrom)
|
|
? telegramCfg.groupAllowFrom
|
|
: [];
|
|
const groupAllowFromHasWildcard = groupAllowFrom.some(
|
|
(value) => (normalizeOptionalString(String(value)) ?? "") === "*",
|
|
);
|
|
collectInvalidTelegramAllowFromEntries({
|
|
entries: groupAllowFrom,
|
|
target: invalidTelegramAllowFromEntries,
|
|
});
|
|
|
|
let anyGroupOverride = false;
|
|
if (groups) {
|
|
for (const value of Object.values(groups)) {
|
|
if (!value || typeof value !== "object") {
|
|
continue;
|
|
}
|
|
const group = value as Record<string, unknown>;
|
|
const allowFrom = Array.isArray(group.allowFrom) ? group.allowFrom : [];
|
|
if (allowFrom.length > 0) {
|
|
anyGroupOverride = true;
|
|
collectInvalidTelegramAllowFromEntries({
|
|
entries: allowFrom,
|
|
target: invalidTelegramAllowFromEntries,
|
|
});
|
|
}
|
|
const topics = group.topics;
|
|
if (!topics || typeof topics !== "object") {
|
|
continue;
|
|
}
|
|
for (const topicValue of Object.values(topics as Record<string, unknown>)) {
|
|
if (!topicValue || typeof topicValue !== "object") {
|
|
continue;
|
|
}
|
|
const topic = topicValue as Record<string, unknown>;
|
|
const topicAllow = Array.isArray(topic.allowFrom) ? topic.allowFrom : [];
|
|
if (topicAllow.length > 0) {
|
|
anyGroupOverride = true;
|
|
}
|
|
collectInvalidTelegramAllowFromEntries({
|
|
entries: topicAllow,
|
|
target: invalidTelegramAllowFromEntries,
|
|
});
|
|
}
|
|
}
|
|
}
|
|
|
|
const hasAnySenderAllowlist =
|
|
storeAllowFrom.length > 0 || groupAllowFrom.length > 0 || anyGroupOverride;
|
|
|
|
appendInvalidTelegramAllowFromFinding(findings, invalidTelegramAllowFromEntries);
|
|
|
|
if (storeHasWildcard || groupAllowFromHasWildcard) {
|
|
findings.push({
|
|
checkId: "channels.telegram.groups.allowFrom.wildcard",
|
|
severity: "critical",
|
|
title: "Telegram group allowlist contains wildcard",
|
|
detail:
|
|
'Telegram group sender allowlist contains "*", which allows any group member to run /… commands and control directives.',
|
|
remediation:
|
|
'Remove "*" from channels.telegram.groupAllowFrom and pairing store; prefer explicit numeric Telegram user IDs.',
|
|
});
|
|
return findings;
|
|
}
|
|
|
|
if (!hasAnySenderAllowlist) {
|
|
const skillsEnabled = resolveNativeSkillsEnabled({
|
|
providerId: "telegram",
|
|
providerSetting: (telegramCfg.commands as { nativeSkills?: unknown } | undefined)
|
|
?.nativeSkills as boolean | "auto" | undefined,
|
|
globalSetting: params.cfg.commands?.nativeSkills,
|
|
});
|
|
findings.push({
|
|
checkId: "channels.telegram.groups.allowFrom.missing",
|
|
severity: "critical",
|
|
title: "Telegram group commands have no sender allowlist",
|
|
detail:
|
|
`Telegram group access is enabled but no sender allowlist is configured; this allows any group member to invoke /… commands` +
|
|
(skillsEnabled ? " (including skill commands)." : "."),
|
|
remediation:
|
|
"Approve yourself via pairing (recommended), or set channels.telegram.groupAllowFrom (or per-group groups.<id>.allowFrom).",
|
|
});
|
|
}
|
|
|
|
return findings;
|
|
}
|