vrr/openclaw
2
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-13 04:48:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 20
openclaw/test/scripts
History
Davanum Srinivas 08ae021d1f
fix(qqbot): guard image-size probe against SSRF (#63495) 
* fix(qqbot): replace raw fetch in image-size probe with SSRF-guarded fetchRemoteMedia

Replace the bare fetch() in getImageSizeFromUrl() with fetchRemoteMedia()
from the plugin SDK, closing the blind SSRF via markdown image dimension
probing (GHSA-2767-2q9v-9326).

fetchRemoteMedia options: maxBytes 65536, maxRedirects 0, generic
public-network-only SSRF policy (no hostname allowlist, blocks
private/reserved/loopback/link-local/metadata IPs after DNS resolution).

Also fixes the repo-root resolution in scripts/lib/ts-guard-utils.mjs
which caused lint:tmp:no-raw-channel-fetch to miss extension files
entirely. The guard now walks up to .git instead of hardcoding two parent
traversals, and the allowlist is refreshed with all pre-existing raw
fetch callsites that became visible.

* fix(qqbot): guard image-size probe against SSRF (#63495) (thanks @dims)

---------

Co-authored-by: sliverp <870080352@qq.com>
2026-04-09 16:48:04 +08:00
..
audit-seams.test.ts test: audit subagent seam coverage inventory 2026-03-24 00:09:36 -05:00
build-all.test.ts fix: unblock windows update build 2026-04-08 07:18:31 +01:00
bundled-plugin-build-entries.test.ts test: guard bundled channel sidecar specifiers 2026-04-08 05:07:01 +01:00
check-channel-agnostic-boundaries.test.ts feat: ACP thread-bound agents (#23580) 2026-02-26 11:00:09 +01:00
check-extension-package-tsc-boundary.test.ts perf(plugins): report slow boundary compiles 2026-04-08 08:52:51 +01:00
check-file-utils.test.ts test(scripts): share temp dir helpers 2026-04-06 05:35:00 +01:00
check-no-conflict-markers.test.ts test(scripts): share temp dir helpers 2026-04-06 05:35:00 +01:00
check-no-random-messaging-tmp.test.ts Media: secure image temp dirs (#58270) 2026-03-31 11:12:47 +01:00
check-no-raw-window-open.test.ts refactor: tighten external-link policy and window.open guard 2026-02-24 15:05:31 +00:00
committer.test.ts test(scripts): reuse temp dir helpers in repo fixtures 2026-04-06 05:36:33 +01:00
extension-source-classifier.test.ts refactor: centralize update targets and extension guardrails 2026-04-03 23:26:31 +09:00
gh-read.test.ts feat: add gh-read GitHub app helper 2026-04-08 00:09:07 +01:00
ios-pin-version.test.ts feat(ios): pin calver release versioning (#63001) 2026-04-08 11:25:35 +03:00
ios-team-id.test.ts test(root): share temp dir helper across root tests 2026-04-06 05:43:48 +01:00
ios-version.test.ts feat(ios): pin calver release versioning (#63001) 2026-04-08 11:25:35 +03:00
lint-suppressions.test.ts test: make shared-token reload deterministic 2026-04-09 01:38:16 +01:00
local-heavy-check-runtime.test.ts fix(test): restore bundled loader coverage 2026-04-06 18:18:30 +01:00
npm-runner.test.ts fix: restore bundled runtime dependency provisioning (#58782) (thanks @obviyus) 2026-04-01 13:03:36 +05:30
oxlint-config.test.ts build: lint bundled extensions 2026-04-06 14:53:55 +01:00
pnpm-runner.test.ts fix(test): clean up vitest child process groups 2026-04-06 18:10:44 +01:00
postinstall-bundled-plugins.test.ts fix(build): honor postinstall disable flag 2026-04-08 21:01:53 +05:30
prepare-extension-package-boundary-artifacts.test.ts fix(plugins): track package boundary dts freshness 2026-04-07 13:11:30 +01:00
run-vitest-profile.test.ts test(scripts): share temp dir helpers 2026-04-06 05:35:00 +01:00
run-vitest.test.ts fix(test): suppress vitest plugin timing noise 2026-04-07 10:54:20 +01:00
runtime-postbuild.test.ts test(scripts): reuse temp dir helpers in runtime tests 2026-04-06 05:35:38 +01:00
stage-bundled-plugin-runtime-deps.test.ts Tests: fix flaky shard expectations 2026-04-07 12:22:51 +01:00
stage-bundled-plugin-runtime.test.ts fix: unblock windows update build 2026-04-08 07:18:31 +01:00
test-extension.test.ts perf: split more targeted test lanes 2026-04-04 06:05:24 +01:00
test-helpers.ts test(scripts): add async temp dir helper 2026-04-06 05:37:38 +01:00
test-projects.test.ts test: run local full suite project shards in parallel 2026-04-09 02:26:22 +01:00
test-report-utils.test.ts test: trim test partial mocks 2026-04-03 19:10:56 +01:00
ts-guard-utils.test.ts fix(qqbot): guard image-size probe against SSRF (#63495) 2026-04-09 16:48:04 +08:00
ts-topology.test.ts test: exclude topology fixtures from vitest collection 2026-03-28 13:49:16 +00:00
tsdown-build.test.ts fix(build): keep tsdown prune best-effort 2026-04-08 21:16:49 +05:30
ui.test.ts
vitest-process-group.test.ts fix(test): clean up vitest child process groups 2026-04-06 18:10:44 +01:00
write-cli-startup-metadata.test.ts test(scripts): reuse temp dir helpers in runtime tests 2026-04-06 05:35:38 +01:00