nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
19,105 Commits 712 Branches 79 Tags 2.1 GiB
Commit Graph

241 Commits

Author SHA1 Message Date
root e0b91067e3 fix(msteams): add proactive fallback for revoked turn context 
Fixes #27189

When an inbound message is debounced, the Bot Framework turn context is
revoked before the debouncer flushes and the reply is dispatched. Any
attempt to use the revoked context proxy throws a TypeError, causing the
reply to fail silently.

This commit fixes the issue by adding a fallback to proactive messaging
when the turn context is revoked:

- `isRevokedProxyError()`: New error utility to reliably detect when a
  proxy has been revoked.

- `reply-dispatcher.ts`: `sendTypingIndicator` now catches revoked proxy
  errors and falls back to sending the typing indicator via
  `adapter.continueConversation`.

- `messenger.ts`: `sendMSTeamsMessages` now catches revoked proxy errors
  when `replyStyle` is `thread` and falls back to proactive messaging.

This ensures that replies are delivered reliably even when the inbound
message was debounced, resolving the core issue where the bot appeared
to ignore messages.
 2026-03-02 20:49:03 +00:00
bmendonca3 4a414c5e53 fix(msteams): scope auth across media redirects 2026-03-02 20:45:09 +00:00
bmendonca3 da22a9113c test(msteams): cover auth stripping on graph redirect hops 2026-03-02 20:45:09 +00:00
bmendonca3 8937c10f1f fix(msteams): scope graph auth redirects 2026-03-02 20:45:09 +00:00
bmendonca3 c582a54554 fix(msteams): preserve guarded dispatcher redirects 2026-03-02 20:37:47 +00:00
bmendonca3 cceecc8bd4 msteams: enforce guarded redirect ownership in safeFetch 2026-03-02 20:37:47 +00:00
bmendonca3 6945ba189d msteams: harden webhook ingress timeouts 2026-03-02 20:34:05 +00:00
chilu18 15677133c1 test(msteams): remove tuple-unsafe spread in lifecycle mocks 2026-03-02 20:31:26 +00:00
chilu18 c9d0e345cb fix(msteams): keep monitor alive until shutdown 2026-03-02 20:31:26 +00:00
Peter Steinberger 6ba7238ac6 build: bump versions to 2026.3.2 2026-03-02 04:55:53 +00:00
Peter Steinberger c0bf42f2a8 refactor: centralize delivery/path/media/version lifecycle 2026-03-02 04:04:36 +00:00
Peter Steinberger 8e48520d74 fix(channels): align command-body parsing sources 2026-03-01 23:11:48 +00:00
Agent e7cafed424 chore(release): bump version to 2026.3.1 2026-03-01 21:14:17 +00:00
Peter Steinberger fe807e4bed chore(release): bump 2026.2.27 and split changelog 2026-02-27 16:09:28 +01:00
Peter Steinberger c53b11dccd test: fix pairing/daemon assertion drift 2026-02-26 21:24:50 +00:00
Peter Steinberger a0c5e28f3b refactor(extensions): use scoped pairing helper 2026-02-26 21:57:52 +01:00
Peter Steinberger 64de4b6d6a fix: enforce explicit group auth boundaries across channels 2026-02-26 18:49:16 +01:00
Peter Steinberger cd80c7e7ff refactor: unify dm policy store reads and reason codes 2026-02-26 17:47:57 +01:00
Peter Steinberger 273973d374 refactor: unify typing dispatch lifecycle and policy boundaries 2026-02-26 17:36:16 +01:00
Peter Steinberger 37a138c554 fix: harden typing lifecycle and cross-channel suppression 2026-02-26 17:01:09 +01:00
Peter Steinberger 57334cd7d8 refactor: unify channel/plugin ssrf fetch policy and auth fallback 2026-02-26 16:44:13 +01:00
Peter Steinberger 2e97d0dd95 fix: finalize teams file-consent timeout landing (#27641) (thanks @scz2011) 2026-02-26 15:42:08 +00:00
AI Assistant 773ab319ef fix(msteams): Fix code formatting 
Remove trailing whitespace to pass oxfmt format check.
 2026-02-26 15:42:08 +00:00
AI Assistant ecbb3bcc1a fix(msteams): Fix test timing for async file upload handling 
Update tests to properly wait for async file upload operations:
- Use vi.waitFor() to wait for async upload completion in success case
- Use vi.waitFor() to wait for error message in cross-conversation case
- Add setTimeout delay for decline case to ensure async handler completes
- Adjust assertion order to match new execution flow (invokeResponse first)

The tests were failing because the file upload now happens asynchronously
after sending the invokeResponse, so we need to explicitly wait for the
async operations to complete before making assertions.
 2026-02-26 15:42:08 +00:00
AI Assistant 09f4abdd61 fix(msteams): Send invokeResponse immediately to prevent Teams timeout (#27632) 
Fix file upload 'Something went wrong' error by sending the invoke
acknowledgement before performing the file upload, rather than after.

Changes:
- Move invokeResponse to fire immediately upon receiving fileConsent/invoke
- Handle file upload asynchronously without blocking the response
- Update test to wait for async upload completion using vi.waitFor

This prevents Teams from timing out while waiting for the HTTP 200
acknowledgement during slow file uploads to OneDrive.

Fixes #27632
 2026-02-26 15:42:08 +00:00
Peter Steinberger 051fdcc428 fix(security): centralize dm/group allowlist auth composition 2026-02-26 16:35:33 +01:00
Peter Steinberger 892a9c24b0 refactor(security): centralize channel allowlist auth policy 2026-02-26 13:06:33 +01:00
Peter Steinberger fec3fdf7ef test(msteams): align silent-prefix expectation with exact NO_REPLY semantics 2026-02-26 11:42:38 +00:00
Peter Steinberger caace61ba1 chore: bump versions to 2026.2.26 2026-02-26 12:11:02 +01:00
Peter Steinberger 347f7b9550 fix(msteams): bind file consent invokes to conversation 2026-02-26 02:49:50 +01:00
Brian Mendonca 107bda27c9 security(msteams): isolate group allowlist from pairing-store entries 2026-02-25 04:49:52 +00:00
Shakker 2652bb1d7d
Release: sync plugin versions to 2026.2.25 2026-02-25 04:19:59 +00:00
Peter Steinberger d42ef2ac62 refactor: consolidate typing lifecycle and queue policy 2026-02-25 02:16:03 +00:00
Peter Steinberger e0201c2774 fix: keep channel typing active during long inference (#25886, thanks @stakeswky) 
Co-authored-by: stakeswky <stakeswky@users.noreply.github.com>
 2026-02-25 02:03:27 +00:00
Shakker 955cc9029f
chore: sync plugin versions to 2026.2.24 2026-02-24 22:45:46 +00:00
Peter Steinberger 161d9841dc refactor(security): unify dangerous name matching handling 2026-02-24 01:33:08 +00:00
Peter Steinberger 6a7c303dcc test(msteams): fix allowlist name-match expectations 2026-02-24 01:26:53 +00:00
Peter Steinberger cfa44ea6b4
fix(security): make allowFrom id-only by default with dangerous name opt-in (#24907) 
* fix(channels): default allowFrom to id-only; add dangerous name opt-in

* docs(security): align channel allowFrom docs with id-only default
 2026-02-24 01:01:51 +00:00
Peter Steinberger 0183610db3 refactor: de-duplicate channel runtime and payload helpers 2026-02-23 21:25:28 +00:00
Peter Steinberger 47723b646d refactor(test): de-duplicate msteams and bash test helpers 2026-02-23 19:12:27 +00:00
Peter Steinberger cc7a498ace refactor(tests): deduplicate repeated fixtures in msteams and bash tests 2026-02-23 17:59:56 +00:00
Peter Steinberger a8a4fa5b88 test: de-duplicate attachment and bash tool tests 2026-02-23 17:19:34 +00:00
Peter Steinberger 3f03cdea56 test: optimize redundant suites for faster runtime 2026-02-23 13:57:34 +00:00
Vignesh Natarajan 8d9d01447e chore: align plugin versions and harden outbound cross-provider test 2026-02-22 23:04:17 -08:00
Peter Steinberger 1c753ea786 test: dedupe fixtures and test harness setup 2026-02-23 05:45:54 +00:00
Peter Steinberger 48f327c206 test: consolidate redundant suites and speed attachment tests 2026-02-23 04:55:43 +00:00
Peter Steinberger 0371646a61 test: fix msteams shared attachment fetch mock typing 2026-02-23 00:19:40 +00:00
Lewis 26644c4b89
fix(msteams): add SSRF protection to attachment downloads via redirect and DNS validation (#23598) 
* fix(msteams): add SSRF protection to attachment downloads via redirect and DNS validation

The attachment download flow in fetchWithAuthFallback() followed
redirects automatically on the initial fetch without any allowlist
or IP validation. This allowed DNS rebinding attacks where an
allowlisted domain (e.g. evil.trafficmanager.net) could redirect
or resolve to a private IP like 169.254.169.254, bypassing the
hostname allowlist entirely (issue #11811).

This commit adds three layers of SSRF protection:

1. safeFetch() in shared.ts: a redirect-safe fetch wrapper that uses
   redirect: "manual" and validates every redirect hop against the
   hostname allowlist AND DNS-resolved IP before following it.

2. isPrivateOrReservedIP() + resolveAndValidateIP() in shared.ts:
   rejects RFC 1918, loopback, link-local, and IPv6 private ranges
   for both initial URLs and redirect targets.

3. graph.ts SharePoint redirect handling now also uses redirect:
   "manual" and validates resolved IPs, not just hostnames.

The initial fetch in fetchWithAuthFallback now goes through safeFetch
instead of a bare fetch(), ensuring redirects are never followed
without validation.

Includes 38 new tests covering IP validation, DNS resolution checks,
redirect following, DNS rebinding attacks, redirect loops, and
protocol downgrade blocking.

* fix: address review feedback on SSRF protection

- Replace hand-rolled isPrivateOrReservedIP with SDK's isPrivateIpAddress
  which handles IPv4-mapped IPv6, expanded notation, NAT64, 6to4, Teredo,
  octal IPv4, and fails closed on parse errors
- Add redirect: "manual" to auth retry redirect fetch in download.ts to
  prevent chained redirect attacks bypassing SSRF checks
- Add redirect: "manual" to SharePoint redirect fetch in graph.ts to
  prevent the same chained redirect bypass
- Update test expectations for SDK's fail-closed behavior on malformed IPs
- Add expanded IPv6 loopback (0:0:0:0:0:0:0:1) test case

* fix: type fetchMock as typeof fetch to fix TS tuple index error

* msteams: harden attachment auth and graph redirect fetch flow

* changelog(msteams): credit redirect-safeFetch hardening contributors

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
 2026-02-22 18:00:54 -05:00
Peter Steinberger 6dd36a6b77 refactor(channels): reuse runtime group policy helpers 2026-02-22 12:44:23 +01:00
Peter Steinberger 85e5ed3f78 refactor(channels): centralize runtime group policy handling 2026-02-22 12:35:41 +01:00
Peter Steinberger 8c1afc4b63 fix(msteams): improve graph user and token parsing 2026-02-22 11:29:31 +00:00
Peter Steinberger 777817392d fix: fail closed missing provider group policy across message channels (#23367) (thanks @bmendonca3) 2026-02-22 12:21:04 +01:00
Peter Steinberger 0bd9f0d4ac
fix: enforce strict allowlist across pairing stores (#23017) 2026-02-22 00:00:23 +01:00
Peter Steinberger b34097f62d fix(security): enforce msteams redirect allowlist checks 2026-02-21 23:18:48 +01:00
Peter Steinberger 61dc7ac679 refactor(msteams,bluebubbles): dedupe inbound media download helpers 2026-02-21 23:08:07 +01:00
Peter Steinberger 73d93dee64 fix: enforce inbound media max-bytes during remote fetch 2026-02-21 23:02:29 +01:00
Peter Steinberger 549549f6a0 fix(ci): sync plugin versions and harden install smoke 2026-02-21 20:18:37 +01:00
Peter Steinberger 95c14d9b5f docs: prune low-signal changelog entries 2026-02-21 15:02:10 +01:00
Peter Steinberger 892620ddab chore: update workspace dependencies 2026-02-21 14:35:13 +01:00
Peter Steinberger 14b3743228 fix(ci): stabilize Windows path handling in sandbox tests 2026-02-21 14:32:15 +01:00
Peter Steinberger 9231d7d30f chore: bump version to 2026.2.21 2026-02-21 11:02:30 +01:00
Vincent Koc 5eca08dab7
Chore: trim stale TODOs and issue-template language (#22534) 
* docs: refresh issue template contact copy

* chore: remove OneDrive resumable upload TODO note
 2026-02-21 03:31:17 -05:00
Takayuki Maeda 0bee3f337a
MSTeams: dedupe sent-message cache storage (#22514) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 88e14dcbe1
Co-authored-by: TaKO8Ki <41065217+TaKO8Ki@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 13:27:50 +05:30
Vincent Koc f4a59eb5d8
Chore: harden A2UI bundle dependency resolution (#22507) 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: d84c5bde51
Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com>
Co-authored-by: obviyus <22031114+obviyus@users.noreply.github.com>
Reviewed-by: @obviyus
 2026-02-21 13:16:31 +05:30
Vincent Koc 569191fff1
extensions: fix MSTeams OneDrive fallback mention handling (#22472) 2026-02-21 01:30:33 -05:00
Vincent Koc d94d21f9b0
test: isolate local media regression fixtures to allowed roots (#22369) 
* fix(tui): strip inbound metadata blocks from user text

* chore: clean up metadata-strip format and changelog credit

* chore: format tui metadata-strip tests

* test(web): isolate local media fixture paths to allow-listed roots
 2026-02-20 21:50:50 -05:00
Shadow f555835b09
Channels: add thread-aware model overrides 2026-02-20 19:26:25 -06:00
Tyler Yust 2dba150c16
Fix path-root flaky tests and restore status emoji defaults (#22274) 2026-02-20 15:45:33 -08:00
Kirill Shchetynin ee519086f6
Feature/default messenger delivery target (openclaw#16985) thanks @KirillShchetinin 
Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: KirillShchetinin <13061871+KirillShchetinin@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
 2026-02-19 22:37:19 -06:00
Peter Steinberger f66b23de75 chore(release): bump versions to 2026.2.20 2026-02-20 00:02:53 +01:00
Peter Steinberger b0e55283d5 chore: bump release metadata to 2026.2.19 2026-02-19 16:17:34 +01:00
Peter Steinberger 4bf3338834 chore: bump version to 2026.2.18 unreleased 2026-02-18 04:40:06 +01:00
Peter Steinberger b8b43175c5 style: align formatting with oxfmt 0.33 2026-02-18 01:34:35 +00:00
Peter Steinberger 31f9be126c style: run oxfmt and fix gate failures 2026-02-18 01:29:02 +00:00
Peter Steinberger 9a2c39419e chore(release): bump version to 2026.2.17 2026-02-17 23:08:55 +01:00
cpojer d0cb8c19b2
chore: wtf. 2026-02-17 13:36:48 +09:00
Sebastian ed11e93cf2 chore(format) 2026-02-16 23:20:16 -05:00
cpojer a741985574
chore: Fix more extension test types, 2/N. 2026-02-17 10:14:01 +09:00
cpojer 90ef2d6bdf
chore: Update formatting. 2026-02-17 09:18:40 +09:00
Peter Steinberger 7632e60d70 refactor(onboarding): reuse allowFrom merge helper in extensions 2026-02-16 23:47:57 +00:00
Peter Steinberger 544ffbcf7b refactor(extensions): dedupe connector helper usage 2026-02-16 14:59:30 +00:00
Peter Steinberger 39fa81dc96 chore: bump version to 2026.2.16 2026-02-16 06:08:47 +01:00
Peter Steinberger 342e9cac03 refactor(status): reuse plugin-sdk status helpers 2026-02-15 19:37:40 +00:00
Peter Steinberger 699136f89a refactor(msteams): share credential prompt 2026-02-15 19:21:31 +00:00
Shadow c6b3736fe7 fix: dedupe probe/token base types (#16986) (thanks @iyoda) 2026-02-15 11:36:54 -06:00
Peter Steinberger 379b445582 chore: bump version to 2026.2.15 2026-02-15 04:50:31 +01:00
Peter Steinberger fef86e475b refactor: dedupe shared helpers across ui/gateway/extensions 2026-02-15 03:34:14 +00:00
Peter Steinberger 1ff15e60d3 chore(release): bump versions to 2026.2.14 2026-02-15 02:53:35 +01:00
Peter Steinberger c872a43146 refactor(msteams): share Graph helpers 2026-02-15 00:26:46 +00:00
Peter Steinberger 52bfe5060c refactor: share file lock via plugin-sdk 2026-02-15 00:26:46 +00:00
Peter Steinberger 3cbcba10cf fix(security): enforce bounded webhook body handling 2026-02-13 19:14:54 +01:00
Peter Steinberger 201ac2b72a perf: replace proper-lockfile with lightweight file locks 2026-02-13 17:57:30 +00:00
Peter Steinberger a5faea614b fix(msteams): detect windows local paths for uploads 2026-02-13 15:07:31 +00:00
Peter Steinberger 106d605519 fix: harden msteams mentions and fallback links (#15436) (thanks @hyojin) 2026-02-13 15:10:57 +01:00
Hyojin Kwak 604dc700a6 MSTeams: fix regex injection in mention name formatting 
Escape regex metacharacters in display names before constructing RegExp
to prevent runtime errors or unintended matches when names contain special
characters like (, ), ., +, ?, [, etc.

Add test coverage for names with regex metacharacters.
 2026-02-13 15:10:57 +01:00
Hyojin Kwak 7c6d6ce06f MS Teams: add user mention support 
- Add mention parsing and validation logic
- Handle mention entities with proper whitespace
- Validate mention IDs to prevent false positives from code snippets
- Use fake placeholders in tests for privacy
 2026-02-13 15:10:57 +01:00
Peter Steinberger 67251e97bd
fix(ci): sync extension versions to root release (#15199) 2026-02-13 05:54:03 +01:00
Peter Steinberger 7695b4842b chore: bump version to 2026.2.12 2026-02-12 18:20:46 +01:00
Peter Steinberger 1872d0c592 chore: bump version to 2026.2.10 2026-02-11 11:27:23 +01:00
Peter Steinberger 53273b490b fix(auto-reply): prevent sender spoofing in group prompts 2026-02-10 00:44:38 -06:00