github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 17:24:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(aa-08): apply security fix

Browse Source 
Generated by staged fix workflow.
This commit is contained in:
Coy Geek
2026-02-09 20:20:35 -08:00
committed by Peter Steinberger
parent f8c404a485
commit 633fe8b9c1
2 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/telegram/webhook.test.ts
View File

@@ -31,6 +31,7 @@ describe("startTelegramWebhook", () => {
const cfg = { bindings: [] }; const cfg = { bindings: [] };
const { server } = await startTelegramWebhook({ const { server } = await startTelegramWebhook({
token: "tok", token: "tok",
secret: "secret",
accountId: "opie", accountId: "opie",
config: cfg, config: cfg,
port: 0, // random free port port: 0, // random free port
@@ -62,6 +63,7 @@ describe("startTelegramWebhook", () => {
const cfg = { bindings: [] }; const cfg = { bindings: [] };
const { server } = await startTelegramWebhook({ const { server } = await startTelegramWebhook({
token: "tok", token: "tok",
secret: "secret",
accountId: "opie", accountId: "opie",
config: cfg, config: cfg,
port: 0, port: 0,
@@ -82,4 +84,12 @@ describe("startTelegramWebhook", () => {
expect(handlerSpy).toHaveBeenCalled(); expect(handlerSpy).toHaveBeenCalled();
abort.abort(); abort.abort();
}); });
it("rejects startup when webhook secret is missing", async () => {
await expect(
startTelegramWebhook({
token: "tok",
}),
).rejects.toThrow(/requires a non-empty secret token/i);
});
}); });

11
src/telegram/webhook.ts
View File

@@ -38,6 +38,13 @@ export async function startTelegramWebhook(opts: {
const healthPath = opts.healthPath ?? "/healthz"; const healthPath = opts.healthPath ?? "/healthz";
const port = opts.port ?? 8787; const port = opts.port ?? 8787;
const host = opts.host ?? "127.0.0.1"; const host = opts.host ?? "127.0.0.1";
const secret = typeof opts.secret === "string" ? opts.secret.trim() : "";
if (!secret) {
throw new Error(
"Telegram webhook mode requires a non-empty secret token. " +
"Set channels.telegram.webhookSecret in your config.",
);
}
const runtime = opts.runtime ?? defaultRuntime; const runtime = opts.runtime ?? defaultRuntime;
const diagnosticsEnabled = isDiagnosticsEnabled(opts.config); const diagnosticsEnabled = isDiagnosticsEnabled(opts.config);
const bot = createTelegramBot({ const bot = createTelegramBot({
@@ -48,7 +55,7 @@ export async function startTelegramWebhook(opts: {
accountId: opts.accountId, accountId: opts.accountId,
}); });
const handler = webhookCallback(bot, "http", { const handler = webhookCallback(bot, "http", {
secretToken: opts.secret, secretToken: secret,
}); });
if (diagnosticsEnabled) { if (diagnosticsEnabled) {
@@ -124,7 +131,7 @@ export async function startTelegramWebhook(opts: {
runtime, runtime,
fn: () => fn: () =>
bot.api.setWebhook(publicUrl, { bot.api.setWebhook(publicUrl, {
secret_token: opts.secret, secret_token: secret,
allowed_updates: resolveTelegramAllowedUpdates(), allowed_updates: resolveTelegramAllowedUpdates(),
}), }),
}); });