github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-13 09:40:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden voice-call webhook verification

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-03 23:46:54 -08:00
parent fa4b28d7af
commit a749db9820
11 changed files with 495 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
extensions/voice-call/src/providers/plivo.ts
View File

@@ -1,5 +1,5 @@
import crypto from "node:crypto";
import type { PlivoConfig } from "../config.js";
import type { PlivoConfig, WebhookSecurityConfig } from "../config.js";
import type {
HangupCallInput,
InitiateCallInput,
@@ -23,6 +23,8 @@ export interface PlivoProviderOptions {
skipVerification?: boolean;
/** Outbound ring timeout in seconds */
ringTimeoutSec?: number;
/** Webhook security options (forwarded headers/allowlist) */
webhookSecurity?: WebhookSecurityConfig;
}
type PendingSpeak = { text: string; locale?: string };
@@ -92,6 +94,10 @@ export class PlivoProvider implements VoiceCallProvider {
const result = verifyPlivoWebhook(ctx, this.authToken, {
publicUrl: this.options.publicUrl,
skipVerification: this.options.skipVerification,
allowedHosts: this.options.webhookSecurity?.allowedHosts,
trustForwardingHeaders: this.options.webhookSecurity?.trustForwardingHeaders,
trustedProxyIPs: this.options.webhookSecurity?.trustedProxyIPs,
remoteIP: ctx.remoteAddress,
});
if (!result.ok) {
@@ -112,7 +118,7 @@ export class PlivoProvider implements VoiceCallProvider {
// Keep providerCallId mapping for later call control.
const callUuid = parsed.get("CallUUID") || undefined;
if (callUuid) {
const webhookBase = PlivoProvider.baseWebhookUrlFromCtx(ctx);
const webhookBase = this.baseWebhookUrlFromCtx(ctx);
if (webhookBase) {
this.callUuidToWebhookUrl.set(callUuid, webhookBase);
}
@@ -444,7 +450,7 @@ export class PlivoProvider implements VoiceCallProvider {
ctx: WebhookContext,
opts: { flow: string; callId?: string },
): string | null {
const base = PlivoProvider.baseWebhookUrlFromCtx(ctx);
const base = this.baseWebhookUrlFromCtx(ctx);
if (!base) {
return null;
}
@@ -458,9 +464,16 @@ export class PlivoProvider implements VoiceCallProvider {
return u.toString();
}
private static baseWebhookUrlFromCtx(ctx: WebhookContext): string | null {
private baseWebhookUrlFromCtx(ctx: WebhookContext): string | null {
try {
const u = new URL(reconstructWebhookUrl(ctx));
const u = new URL(
reconstructWebhookUrl(ctx, {
allowedHosts: this.options.webhookSecurity?.allowedHosts,
trustForwardingHeaders: this.options.webhookSecurity?.trustForwardingHeaders,
trustedProxyIPs: this.options.webhookSecurity?.trustedProxyIPs,
remoteIP: ctx.remoteAddress,
}),
);
return `${u.origin}${u.pathname}`;
} catch {
return null;