fix: harden secret-file readers

Peter Steinberger
2026-03-10 23:40:10 +00:00
parent 208fb1aa35
commit 201420a7ee
26 changed files with 433 additions and 188 deletions


@@ -1,8 +1,8 @@
import fs from "node:fs";
import type { BaseTokenResolution } from "../channels/plugins/types.js";
import type { OpenClawConfig } from "../config/config.js";
import { normalizeResolvedSecretInputString } from "../config/types.secrets.js";
import type { TelegramAccountConfig } from "../config/types.telegram.js";
import { tryReadSecretFileSync } from "../infra/secret-file.js";
import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
export type TelegramTokenSource = "env" | "tokenFile" | "config" | "none";
@@ -46,23 +46,17 @@ export function resolveTelegramToken(
);
const accountTokenFile = accountCfg?.tokenFile?.trim();
if (accountTokenFile) {
if (!fs.existsSync(accountTokenFile)) {
opts.logMissingFile?.(
`channels.telegram.accounts.${accountId}.tokenFile not found: ${accountTokenFile}`,
);
return { token: "", source: "none" };
}
try {
const token = fs.readFileSync(accountTokenFile, "utf-8").trim();
if (token) {
return { token, source: "tokenFile" };
}
} catch (err) {
opts.logMissingFile?.(
`channels.telegram.accounts.${accountId}.tokenFile read failed: ${String(err)}`,
);
return { token: "", source: "none" };
const token = tryReadSecretFileSync(
accountTokenFile,
`channels.telegram.accounts.${accountId}.tokenFile`,
{ rejectSymlink: true },
);
if (token) {
return { token, source: "tokenFile" };
}
opts.logMissingFile?.(
`channels.telegram.accounts.${accountId}.tokenFile not found or unreadable: ${accountTokenFile}`,
);
return { token: "", source: "none" };
}
@@ -77,19 +71,14 @@ export function resolveTelegramToken(
const allowEnv = accountId === DEFAULT_ACCOUNT_ID;
const tokenFile = telegramCfg?.tokenFile?.trim();
if (tokenFile) {
if (!fs.existsSync(tokenFile)) {
opts.logMissingFile?.(`channels.telegram.tokenFile not found: ${tokenFile}`);
return { token: "", source: "none" };
}
try {
const token = fs.readFileSync(tokenFile, "utf-8").trim();
if (token) {
return { token, source: "tokenFile" };
}
} catch (err) {
opts.logMissingFile?.(`channels.telegram.tokenFile read failed: ${String(err)}`);
return { token: "", source: "none" };
const token = tryReadSecretFileSync(tokenFile, "channels.telegram.tokenFile", {
rejectSymlink: true,
});
if (token) {
return { token, source: "tokenFile" };
}
opts.logMissingFile?.(`channels.telegram.tokenFile not found or unreadable: ${tokenFile}`);
return { token: "", source: "none" };
}
const configToken = normalizeResolvedSecretInputString({
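Review bot: Both tokenFile branches of resolveTelegramToken now log every failure as `not found or unreadable`, so a file refused because of `rejectSymlink: true` looks the same to an operator as a missing one, and the `String(err)` detail the old catch logged is gone. Deployments that mount secrets through symlinks (Kubernetes secret volumes do) would lose their token with no hint why; naming the policy in the message would help, e.g. `channels.telegram.tokenFile missing, unreadable, empty, or a symlink (symlinks are rejected): ${tokenFile}`, with the same wording on the per-account branch. An existing but empty file also appears to change behaviour: the old code fell out of the `if (tokenFile)` block and tried the next source, whereas the new code returns `source: "none"` whenever the helper yields no value, which cannot be confirmed here because `tryReadSecretFileSync` is not shown. The +/- markers are lost on this page, so old and new sides are inferred from the hunk counts, and the function starts and ends outside the hunks.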