vrr/openclaw
2
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-12 11:37:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 24
openclaw/scripts/lib
History
Davanum Srinivas 08ae021d1f
fix(qqbot): guard image-size probe against SSRF (#63495) 
* fix(qqbot): replace raw fetch in image-size probe with SSRF-guarded fetchRemoteMedia

Replace the bare fetch() in getImageSizeFromUrl() with fetchRemoteMedia()
from the plugin SDK, closing the blind SSRF via markdown image dimension
probing (GHSA-2767-2q9v-9326).

fetchRemoteMedia options: maxBytes 65536, maxRedirects 0, generic
public-network-only SSRF policy (no hostname allowlist, blocks
private/reserved/loopback/link-local/metadata IPs after DNS resolution).

Also fixes the repo-root resolution in scripts/lib/ts-guard-utils.mjs
which caused lint:tmp:no-raw-channel-fetch to miss extension files
entirely. The guard now walks up to .git instead of hardcoding two parent
traversals, and the allowlist is refreshed with all pre-existing raw
fetch callsites that became visible.

* fix(qqbot): guard image-size probe against SSRF (#63495) (thanks @dims)

---------

Co-authored-by: sliverp <870080352@qq.com>
2026-04-09 16:48:04 +08:00
..
ts-topology refactor(plugins): decouple bundled plugin runtime loading 2026-03-29 09:10:38 +01:00
arg-utils.mjs refactor: dedupe test and script helpers 2026-03-24 15:48:35 +00:00
bundled-extension-manifest.ts refactor: dedupe record guards 2026-04-07 05:06:54 +01:00
bundled-plugin-build-entries.d.mts build: externalize bundled plugin runtime deps 2026-03-31 15:22:08 +01:00
bundled-plugin-build-entries.d.ts build: externalize bundled plugin runtime deps 2026-03-31 15:22:08 +01:00
bundled-plugin-build-entries.mjs refactor(extensions): split channel runtime helper seams 2026-04-04 07:39:53 +01:00
bundled-plugin-paths.mjs refactor(plugins): decouple bundled plugin runtime loading 2026-03-29 09:10:38 +01:00
bundled-plugin-root-runtime-mirrors.mjs fix: harden bundled plugin dependency release checks 2026-04-08 15:15:44 +01:00
bundled-plugin-source-utils.mjs refactor: dedupe test and script helpers 2026-03-24 15:48:35 +00:00
bundled-runtime-sidecar-paths.json plugins: add bundled webhooks TaskFlow bridge (#61892) 2026-04-06 15:59:47 +02:00
callsite-guard.mjs
changed-extensions.mjs refactor: split extension test helpers 2026-04-03 13:06:11 +01:00
copy-assets.ts refactor: share build copy script helpers 2026-03-26 23:20:26 +00:00
docker-e2e-logs.sh test(docker): quiet success-path e2e logs 2026-04-09 00:29:24 +01:00
error-format.mjs refactor: dedupe script error formatting 2026-04-07 05:06:54 +01:00
extension-package-boundary.ts test(boundary): align package path invariants 2026-04-07 13:41:00 +01:00
extension-source-classifier.d.mts refactor: centralize update targets and extension guardrails 2026-04-03 23:26:31 +09:00
extension-source-classifier.mjs fix: repair ci lockfile and boundary drift 2026-04-07 09:02:26 +01:00
extension-test-plan.mjs fix: resolve merge conflicts and preserve runtime test fixes 2026-04-06 22:46:33 +01:00
format-generated-module.mjs test: stabilize low-profile parallel gate 2026-03-24 18:40:46 +00:00
generated-output-utils.mjs refactor: dedupe test and script helpers 2026-03-24 15:48:35 +00:00
guard-inventory-utils.mjs refactor: dedupe test and script helpers 2026-03-24 15:48:35 +00:00
ios-version.ts feat(ios): pin calver release versioning (#63001) 2026-04-08 11:25:35 +03:00
live-docker-auth.sh fix: align gemini cli live backend runs 2026-04-07 09:06:09 +01:00
live-docker-stage.sh test(docker): quiet success-path e2e logs 2026-04-09 00:29:24 +01:00
local-heavy-check-runtime.mjs refactor(lint): report unused disable directives in root oxlint 2026-04-06 16:02:38 +01:00
npm-publish-plan.mjs fix(ci): allow plugin npm preview without publish token (#58929) 2026-04-01 19:16:46 +09:00
optional-bundled-clusters.d.mts fix(release): ship bundled plugins in pack artifacts 2026-03-23 08:22:00 -07:00
optional-bundled-clusters.d.ts fix(release): ship bundled plugins in pack artifacts 2026-03-23 08:22:00 -07:00
optional-bundled-clusters.mjs fix(release): preserve shipped channel surfaces in npm tar (#52913) 2026-03-23 17:39:22 +02:00
pairing-guard-context.mjs
plugin-clawhub-release.ts refactor: dedupe plugin release package scanning 2026-04-06 17:56:41 +01:00
plugin-npm-release.ts fix(test): stabilize windows tooling assertions 2026-04-08 09:12:08 +01:00
plugin-sdk-doc-metadata.ts plugin-sdk: split command status surface 2026-04-09 01:35:15 +01:00
plugin-sdk-entries.d.mts
plugin-sdk-entries.mjs
plugin-sdk-entrypoints.json plugin-sdk: split command status surface 2026-04-09 01:35:15 +01:00
record-shared.mjs refactor: dedupe record guards 2026-04-07 05:06:54 +01:00
run-extension-oxlint.mjs ci: prepare extension lint artifacts 2026-04-08 03:54:03 +01:00
ts-guard-utils.mjs fix(qqbot): guard image-size probe against SSRF (#63495) 2026-04-09 16:48:04 +08:00
vitest-batch-runner.mjs fix(test): clean up vitest child process groups 2026-04-06 18:10:44 +01:00
vitest-report-cli-utils.mjs refactor: dedupe test and script helpers 2026-03-24 15:48:35 +00:00