github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 16:08:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: expand SSRF guard coverage

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-02 04:57:09 -08:00
parent c429ccb64f
commit 9bd64c8a1f
14 changed files with 214 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/telegram/bot.media.downloads-media-file-path-no-file-download.test.ts
View File

@@ -11,7 +11,9 @@ const sendChatActionSpy = vi.fn();
const cacheStickerSpy = vi.fn();
const getCachedStickerSpy = vi.fn();
const describeStickerImageSpy = vi.fn();
const ssrfResolveSpy = vi.spyOn(ssrf, "resolvePinnedHostname");
const resolvePinnedHostname = ssrf.resolvePinnedHostname;
const lookupMock = vi.fn();
let resolvePinnedHostnameSpy: ReturnType<typeof vi.spyOn> | null = null;
type ApiStub = {
config: { use: (arg: unknown) => void };
@@ -28,15 +30,16 @@ const apiStub: ApiStub = {
beforeEach(() => {
vi.useRealTimers();
resetInboundDedupe();
ssrfResolveSpy.mockImplementation(async (hostname) => {
const normalized = hostname.trim().toLowerCase().replace(/\.$/, "");
const addresses = ["93.184.216.34"];
return {
hostname: normalized,
addresses,
lookup: ssrf.createPinnedLookup({ hostname: normalized, addresses }),
};
});
lookupMock.mockResolvedValue([{ address: "93.184.216.34", family: 4 }]);
resolvePinnedHostnameSpy = vi
.spyOn(ssrf, "resolvePinnedHostname")
.mockImplementation((hostname) => resolvePinnedHostname(hostname, lookupMock));
});
afterEach(() => {
lookupMock.mockReset();
resolvePinnedHostnameSpy?.mockRestore();
resolvePinnedHostnameSpy = null;
});
vi.mock("grammy", () => ({
@@ -169,7 +172,7 @@ describe("telegram inbound media", () => {
expect(runtimeError).not.toHaveBeenCalled();
expect(fetchSpy).toHaveBeenCalledWith(
"https://api.telegram.org/file/bottok/photos/1.jpg",
expect.any(Object),
expect.objectContaining({ redirect: "manual" }),
);
expect(replySpy).toHaveBeenCalledTimes(1);
const payload = replySpy.mock.calls[0][0];
@@ -227,7 +230,7 @@ describe("telegram inbound media", () => {
expect(runtimeError).not.toHaveBeenCalled();
expect(proxyFetch).toHaveBeenCalledWith(
"https://api.telegram.org/file/bottok/photos/2.jpg",
expect.any(Object),
expect.objectContaining({ redirect: "manual" }),
);
globalFetchSpy.mockRestore();
@@ -501,7 +504,7 @@ describe("telegram stickers", () => {
expect(runtimeError).not.toHaveBeenCalled();
expect(fetchSpy).toHaveBeenCalledWith(
"https://api.telegram.org/file/bottok/stickers/sticker.webp",
expect.any(Object),
expect.objectContaining({ redirect: "manual" }),
);
expect(replySpy).toHaveBeenCalledTimes(1);
const payload = replySpy.mock.calls[0][0];