security(feishu): bound unauthenticated webhook rate-limit state (openclaw#26050) thanks @bmendonca3

Verified: - pnpm install --frozen-lockfile - pnpm build - pnpm check - pnpm test:macmini Co-authored-by: bmendonca3 <208517100+bmendonca3@users.noreply.github.com> Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
2026-05-30 02:35:03 +00:00 · 2026-02-27 12:22:24 -07:00
parent 3882b8a5be
commit f943c76cde
3 changed files with 72 additions and 2 deletions
--- a/extensions/feishu/src/monitor.ts
+++ b/extensions/feishu/src/monitor.ts
@@ -27,9 +27,11 @@ const FEISHU_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024;
 const FEISHU_WEBHOOK_BODY_TIMEOUT_MS = 30_000;
 const FEISHU_WEBHOOK_RATE_LIMIT_WINDOW_MS = 60_000;
 const FEISHU_WEBHOOK_RATE_LIMIT_MAX_REQUESTS = 120;
+const FEISHU_WEBHOOK_RATE_LIMIT_MAX_TRACKED_KEYS = 4_096;
 const FEISHU_WEBHOOK_COUNTER_LOG_EVERY = 25;
 const feishuWebhookRateLimits = new Map<string, { count: number; windowStartMs: number }>();
 const feishuWebhookStatusCounters = new Map<string, number>();
+let lastWebhookRateLimitCleanupMs = 0;

 function isJsonContentType(value: string | string[] | undefined): boolean {
  const first = Array.isArray(value) ? value[0] : value;
@@ -40,10 +42,47 @@ function isJsonContentType(value: string | string[] | undefined): boolean {
  return mediaType === "application/json" || Boolean(mediaType?.endsWith("+json"));
 }

-function isWebhookRateLimited(key: string, nowMs: number): boolean {
+function trimWebhookRateLimitState(): void {
+  while (feishuWebhookRateLimits.size > FEISHU_WEBHOOK_RATE_LIMIT_MAX_TRACKED_KEYS) {
+    const oldestKey = feishuWebhookRateLimits.keys().next().value;
+    if (typeof oldestKey !== "string") {
+      break;
+    }
+    feishuWebhookRateLimits.delete(oldestKey);
+  }
+}
+
+function maybePruneWebhookRateLimitState(nowMs: number): void {
+  if (
+    feishuWebhookRateLimits.size === 0 ||
+    nowMs - lastWebhookRateLimitCleanupMs < FEISHU_WEBHOOK_RATE_LIMIT_WINDOW_MS
+  ) {
+    return;
+  }
+  lastWebhookRateLimitCleanupMs = nowMs;
+  for (const [key, state] of feishuWebhookRateLimits) {
+    if (nowMs - state.windowStartMs >= FEISHU_WEBHOOK_RATE_LIMIT_WINDOW_MS) {
+      feishuWebhookRateLimits.delete(key);
+    }
+  }
+}
+
+export function clearFeishuWebhookRateLimitStateForTest(): void {
+  feishuWebhookRateLimits.clear();
+  lastWebhookRateLimitCleanupMs = 0;
+}
+
+export function getFeishuWebhookRateLimitStateSizeForTest(): number {
+  return feishuWebhookRateLimits.size;
+}
+
+export function isWebhookRateLimitedForTest(key: string, nowMs: number): boolean {
+  maybePruneWebhookRateLimitState(nowMs);
+
  const state = feishuWebhookRateLimits.get(key);
  if (!state || nowMs - state.windowStartMs >= FEISHU_WEBHOOK_RATE_LIMIT_WINDOW_MS) {
    feishuWebhookRateLimits.set(key, { count: 1, windowStartMs: nowMs });
+    trimWebhookRateLimitState();
    return false;
  }

@@ -54,6 +93,10 @@ function isWebhookRateLimited(key: string, nowMs: number): boolean {
  return false;
 }

+function isWebhookRateLimited(key: string, nowMs: number): boolean {
+  return isWebhookRateLimitedForTest(key, nowMs);
+}
+
 function recordWebhookStatus(
  runtime: RuntimeEnv | undefined,
  accountId: string,