fix(feishu): enforce id-only allowlist matching

This commit is contained in:
Peter Steinberger
2026-02-22 18:54:24 +01:00
parent 3286791316
commit 4ed87a6672
4 changed files with 103 additions and 3 deletions


@@ -3,17 +3,52 @@ import type {
ChannelGroupContext,
GroupToolPolicyConfig,
} from "openclaw/plugin-sdk";
import { resolveAllowlistMatchSimple } from "openclaw/plugin-sdk";
import { normalizeFeishuTarget } from "./targets.js";
import type { FeishuConfig, FeishuGroupConfig } from "./types.js";
export type FeishuAllowlistMatch = AllowlistMatch<"wildcard" | "id" | "name">;
export type FeishuAllowlistMatch = AllowlistMatch<"wildcard" | "id">;
function normalizeFeishuAllowEntry(raw: string): string {
const trimmed = raw.trim();
if (!trimmed) {
return "";
}
if (trimmed === "*") {
return "*";
}
const withoutProviderPrefix = trimmed.replace(/^feishu:/i, "");
const normalized = normalizeFeishuTarget(withoutProviderPrefix) ?? withoutProviderPrefix;
return normalized.trim().toLowerCase();
}
export function resolveFeishuAllowlistMatch(params: {
allowFrom: Array<string | number>;
senderId: string;
senderIds?: Array<string | null | undefined>;
senderName?: string | null;
}): FeishuAllowlistMatch {
return resolveAllowlistMatchSimple(params);
const allowFrom = params.allowFrom
.map((entry) => normalizeFeishuAllowEntry(String(entry)))
.filter(Boolean);
if (allowFrom.length === 0) {
return { allowed: false };
}
if (allowFrom.includes("*")) {
return { allowed: true, matchKey: "*", matchSource: "wildcard" };
}
// Feishu allowlists are ID-based; mutable display names must never grant access.
const senderCandidates = [params.senderId, ...(params.senderIds ?? [])]
.map((entry) => normalizeFeishuAllowEntry(String(entry ?? "")))
.filter(Boolean);
for (const senderId of senderCandidates) {
if (allowFrom.includes(senderId)) {
return { allowed: true, matchKey: senderId, matchSource: "id" };
}
}
return { allowed: false };
}
export function resolveFeishuGroupConfig(params: {
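Review bot: `senderName` stays in the signature of resolveFeishuAllowlistMatch (L37) but is no longer read anywhere in the new body, so a caller reading only the parameter list will still assume display names can grant access; the id-only contract should be stated on the function itself, e.g. a TSDoc of the form `/** Matches allowFrom against sender IDs only; \`senderName\` is accepted for signature compatibility and never consulted. */`. Related, an existing config entry that is a display name now normalizes to a lower-cased string that can never equal an ID and is dropped silently, so operators upgrading get an unexplained deny rather than a signal that the entry is dead. Note also that the wildcard check at L26 runs before the `feishu:` prefix is stripped at L29, so `feishu:*` reaches normalizeFeishuTarget and, if that helper passes it through unchanged, ends up as `*` and is treated as a wildcard at L46 — confirm that is intended, or compare against the raw trimmed value only. The second hunk adds the matching `senderIds` parameter to isFeishuGroupAllowed, whose body lies outside that hunk.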
@@ -56,6 +91,7 @@ export function isFeishuGroupAllowed(params: {
groupPolicy: "open" | "allowlist" | "disabled";
allowFrom: Array<string | number>;
senderId: string;
senderIds?: Array<string | null | undefined>;
senderName?: string | null;
}): boolean {
const { groupPolicy } = params;