vrr/openclaw
2
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-12 20:09:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 17
openclaw/test
History
Davanum Srinivas 08ae021d1f
fix(qqbot): guard image-size probe against SSRF (#63495) 
* fix(qqbot): replace raw fetch in image-size probe with SSRF-guarded fetchRemoteMedia

Replace the bare fetch() in getImageSizeFromUrl() with fetchRemoteMedia()
from the plugin SDK, closing the blind SSRF via markdown image dimension
probing (GHSA-2767-2q9v-9326).

fetchRemoteMedia options: maxBytes 65536, maxRedirects 0, generic
public-network-only SSRF policy (no hostname allowlist, blocks
private/reserved/loopback/link-local/metadata IPs after DNS resolution).

Also fixes the repo-root resolution in scripts/lib/ts-guard-utils.mjs
which caused lint:tmp:no-raw-channel-fetch to miss extension files
entirely. The guard now walks up to .git instead of hardcoding two parent
traversals, and the allowlist is refreshed with all pre-existing raw
fetch callsites that became visible.

* fix(qqbot): guard image-size probe against SSRF (#63495) (thanks @dims)

---------

Co-authored-by: sliverp <870080352@qq.com>
2026-04-09 16:48:04 +08:00
..
fixtures test: drop planner fixtures and coverage 2026-04-03 12:45:13 +01:00
helpers test(boundary): route security audit helper through public plugin surfaces 2026-04-09 08:10:27 +01:00
mocks
scripts fix(qqbot): guard image-size probe against SSRF (#63495) 2026-04-09 16:48:04 +08:00
appcast.test.ts
architecture-smells.test.ts
cli-json-stdout.e2e.test.ts
extension-package-tsc-boundary.test.ts test: skip duplicate package boundary wrapper in ci 2026-04-08 12:32:28 +01:00
extension-plugin-sdk-boundary.test.ts
extension-test-boundary.test.ts fix: repair ci lockfile and boundary drift 2026-04-07 09:02:26 +01:00
gateway.multi.e2e.test.ts
git-hooks-pre-commit.test.ts refactor: dedupe repeated test helpers 2026-04-08 09:58:22 +01:00
global-setup.ts
non-isolated-runner.ts Tests: preserve isolated home across non-isolated files 2026-04-07 07:54:39 +01:00
npm-publish-plan.test.ts fix(ci): allow plugin npm preview without publish token (#58929) 2026-04-01 19:16:46 +09:00
official-channel-catalog.test.ts
openclaw-launcher.e2e.test.ts test(root): reuse temp dir helper in launcher e2e 2026-04-06 05:44:49 +01:00
openclaw-npm-postpublish-verify.test.ts chore: bump version to 2026.4.10 2026-04-09 03:56:22 +01:00
openclaw-npm-release-check.test.ts Config: separate core/plugin baseline entries (#60162) 2026-04-03 18:26:23 +09:00
openclaw-prepack.test.ts
plugin-clawhub-release.test.ts test(root): reuse temp repo helper in clawhub release tests 2026-04-06 05:39:32 +01:00
plugin-extension-import-boundary.test.ts
plugin-npm-release.test.ts chore: bump version to 2026.4.10 2026-04-09 03:56:22 +01:00
release-check.test.ts fix: harden bundled plugin dependency release checks 2026-04-08 15:15:44 +01:00
sdk-package-extension-import-boundary.test.ts test(boundary): guard sdk and package imports from bundled plugin paths 2026-04-09 09:10:05 +01:00
setup-home-isolation.test.ts fix(test): isolate shared vitest home setup 2026-04-07 06:32:36 +01:00
setup-openclaw-runtime.ts Tests: preserve isolated home across non-isolated files 2026-04-07 07:54:39 +01:00
setup.extensions.ts test: add lighter extensions vitest setup 2026-04-03 11:37:41 +01:00
setup.shared.ts Tests: preserve isolated home across non-isolated files 2026-04-07 07:54:39 +01:00
setup.ts Tests: preserve isolated home across non-isolated files 2026-04-07 07:54:39 +01:00
src-extension-import-boundary.test.ts test(boundary): guard src imports from bundled plugin paths 2026-04-09 09:30:45 +01:00
test-env.test.ts fix: repair latest main gates 2026-04-06 20:31:34 +01:00
test-env.ts style: apply formatter output 2026-04-08 09:58:22 +01:00
ui.presenter-next-run.test.ts
vitest-boundary-config.test.ts test: restore thread-first vitest defaults 2026-04-05 12:54:08 +01:00
vitest-extensions-config.test.ts
vitest-light-paths.test.ts perf(test): trim runtime lookups and add changed bench 2026-04-06 16:49:28 +01:00
vitest-performance-config.test.ts
vitest-projects-config.test.ts Tests: add unit-fast Vitest lane 2026-04-07 10:03:42 +01:00
vitest-scoped-config.test.ts test: route gateway HTTP history and startup wiring to e2e 2026-04-08 06:17:52 +01:00
vitest-ui-package-config.test.ts test: restore thread-first vitest defaults 2026-04-05 12:54:08 +01:00
vitest-unit-config.test.ts fix(ci): restore bundled vitest lane 2026-04-06 22:22:41 +01:00
vitest-unit-fast-config.test.ts Tests: add unit-fast Vitest lane 2026-04-07 10:03:42 +01:00
vitest-unit-paths.test.ts fix(ci): repair node test regressions 2026-04-04 15:09:49 +01:00
web-fetch-provider-boundary.test.ts refactor(plugins): tighten web fetch provider boundary (#59646) 2026-04-02 20:53:57 +09:00
web-search-provider-boundary.test.ts