openclaw/extensions
sudie-codes 897cda7d99
msteams: fix sender allowlist bypass when route allowlist is configured (GHSA-g7cr-9h7q-4qxq) (#49582)

When a route-level (teams/channel) allowlist was configured but the sender
allowlist (allowFrom/groupAllowFrom) was empty, resolveSenderScopedGroupPolicy
would downgrade the effective group policy from "allowlist" to "open", allowing
any Teams user to interact with the bot.

The fix: when channelGate.allowlistConfigured is true and effectiveGroupAllowFrom
is empty, preserve the configured groupPolicy ("allowlist") rather than letting
it be downgraded to "open". This ensures an empty sender allowlist with an active
route allowlist means deny-all rather than allow-all.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 10:08:19 -05:00
acpx Plugins: remove shared extension boundary debt 2026-03-18 22:58:40 -05:00
amazon-bedrock fix(plugin-sdk): isolate provider entry surfaces 2026-03-18 13:20:46 -07:00
anthropic refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
bluebubbles fix: persist outbound sends and skip stale cron deliveries (#50092) 2026-03-19 11:40:34 +09:00
brave refactor(web-search): share scoped provider config plumbing 2026-03-19 23:52:53 -07:00
byteplus refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
chutes refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
cloudflare-ai-gateway refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
copilot-proxy refactor: prune bundled sdk facades 2026-03-19 07:17:04 +00:00
device-pair Hardening: refresh stale device pairing requests and pending metadata (#50695) 2026-03-19 18:26:06 -05:00
diagnostics-otel fix(release): isolate config doc surfaces and sdk exports 2026-03-18 17:14:15 -07:00
diffs Diffs: route plugin context through artifacts 2026-03-19 00:24:00 -04:00
discord fix(discord): drop stale carbon deploy option 2026-03-19 23:30:48 -07:00
elevenlabs refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
fal Image generation: add fal provider (#49454) 2026-03-17 21:35:13 -07:00
feishu fix(feishu): stabilize lifecycle replay tests 2026-03-20 06:13:27 +00:00
firecrawl refactor(web-search): share scoped provider config plumbing 2026-03-19 23:52:53 -07:00
github-copilot Plugin SDK: split provider auth login seam 2026-03-18 02:04:10 -07:00
google refactor(web-search): share scoped provider config plumbing 2026-03-19 23:52:53 -07:00
googlechat CLI: fix check failures 2026-03-19 08:29:57 -04:00
huggingface refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
imessage Plugins: remove shared extension boundary debt 2026-03-18 22:58:40 -05:00
irc Plugins: remove shared extension boundary debt 2026-03-18 22:58:40 -05:00
kilocode refactor: converge plugin sdk channel helpers 2026-03-19 00:25:19 +00:00
kimi-coding refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
line fix(plugin-sdk): restore public runtime subpaths 2026-03-18 17:38:49 -07:00
llm-task fix: restore full gate stability 2026-03-19 03:36:03 +00:00
lobster Plugins: remove shared extension boundary debt 2026-03-18 22:58:40 -05:00
matrix fix(matrix): mock configured bot ids in monitor tests 2026-03-20 03:50:06 +00:00
mattermost Plugins: remove shared extension boundary debt 2026-03-18 22:58:40 -05:00
memory-core refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
memory-lancedb refactor: install heavy plugins on demand 2026-03-19 03:37:30 +00:00
microsoft refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
minimax fix(release): isolate config doc surfaces and sdk exports 2026-03-18 17:14:15 -07:00
mistral refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
modelstudio refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
moonshot refactor(web-search): share scoped provider config plumbing 2026-03-19 23:52:53 -07:00
msteams msteams: fix sender allowlist bypass when route allowlist is configured (GHSA-g7cr-9h7q-4qxq) (#49582) 2026-03-20 10:08:19 -05:00
nextcloud-talk CLI: fix check failures 2026-03-19 08:29:57 -04:00
nostr Plugins: remove shared extension boundary debt 2026-03-18 22:58:40 -05:00
nvidia refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
ollama fix: preserve interactive Ollama model selection (#49249) (thanks @BruceMacD) 2026-03-18 18:02:44 -07:00
open-prose refactor: prune bundled sdk facades 2026-03-19 07:17:04 +00:00
openai fix(auth): lazy-load provider oauth helpers 2026-03-18 13:40:28 -07:00
opencode refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
opencode-go refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
openrouter fix(plugin-sdk): isolate provider entry surfaces 2026-03-18 13:20:46 -07:00
openshell Plugin SDK: split setup and sandbox subpaths 2026-03-16 12:06:32 +00:00
perplexity refactor(web-search): share scoped provider config plumbing 2026-03-19 23:52:53 -07:00
phone-control refactor: prune bundled sdk facades 2026-03-19 07:17:04 +00:00
qianfan refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
qwen-portal-auth fix(plugin-sdk): restore public runtime subpaths 2026-03-18 17:38:49 -07:00
sglang refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
shared refactor: finalize plugin sdk legacy boundary cleanup 2026-03-16 22:51:46 -07:00
signal test(signal): harden tool-result infra-runtime mock 2026-03-20 01:33:16 -07:00
slack Channels: stabilize lane harness and monitor tests (#50167) 2026-03-19 01:47:48 -05:00
synology-chat fix(release): isolate config doc surfaces and sdk exports 2026-03-18 17:14:15 -07:00
synthetic refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
talk-voice refactor: prune bundled sdk facades 2026-03-19 07:17:04 +00:00
tavily refactor(web-search): share scoped provider config plumbing 2026-03-19 23:52:53 -07:00
telegram fix(telegram): serialize thread binding persists 2026-03-20 00:30:11 -07:00
thread-ownership fix(release): isolate config doc surfaces and sdk exports 2026-03-18 17:14:15 -07:00
tlon Matrix: guard private-network homeserver access 2026-03-19 23:24:50 -04:00
together refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
twitch Plugins: remove shared extension boundary debt 2026-03-18 22:58:40 -05:00
venice refactor: unify plugin sdk primitives 2026-03-18 23:58:56 +00:00
vercel-ai-gateway refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
vllm refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
voice-call test: add voice-call hangup-once lifecycle regression 2026-03-19 16:50:36 -05:00
volcengine refactor: dedupe bundled plugin entrypoints 2026-03-17 00:14:12 -07:00
whatsapp test(whatsapp): override config-runtime mock exports safely 2026-03-19 09:42:13 -07:00
xai refactor(web-search): share scoped provider config plumbing 2026-03-19 23:52:53 -07:00
xiaomi feat(xiaomi): add MiMo V2 Pro and MiMo V2 Omni models, switch to OpenAI completions API (#49214) 2026-03-19 19:26:47 -07:00
zai fix(plugin-sdk): restore public runtime subpaths 2026-03-18 17:38:49 -07:00
zalo test: add Zalo pairing lifecycle regression 2026-03-19 17:13:38 -05:00
zalouser fix(zalouser): decouple tests from zca-js runtime 2026-03-20 06:13:27 +00:00
.npmignore fix: harden windows npm runtime path 2026-03-12 23:03:19 +00:00