github/openclaw
1
1
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-03 03:03:24 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix(aa-08): apply security fix

Browse Source 
Generated by staged fix workflow.
This commit is contained in:
Coy Geek
2026-02-09 20:20:35 -08:00
committed by Peter Steinberger
parent f8c404a485
commit 633fe8b9c1
2 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/telegram/webhook.test.ts
View File

@@ -31,6 +31,7 @@ describe("startTelegramWebhook", () => {
const cfg = { bindings: [] };
const { server } = await startTelegramWebhook({
token: "tok",
secret: "secret",
accountId: "opie",
config: cfg,
port: 0, // random free port
@@ -62,6 +63,7 @@ describe("startTelegramWebhook", () => {
const cfg = { bindings: [] };
const { server } = await startTelegramWebhook({
token: "tok",
secret: "secret",
accountId: "opie",
config: cfg,
port: 0,
@@ -82,4 +84,12 @@ describe("startTelegramWebhook", () => {
expect(handlerSpy).toHaveBeenCalled();
abort.abort();
});
it("rejects startup when webhook secret is missing", async () => {
await expect(
startTelegramWebhook({
token: "tok",
}),
).rejects.toThrow(/requires a non-empty secret token/i);
});
});

11
src/telegram/webhook.ts
View File

@@ -38,6 +38,13 @@ export async function startTelegramWebhook(opts: {
const healthPath = opts.healthPath ?? "/healthz";
const port = opts.port ?? 8787;
const host = opts.host ?? "127.0.0.1";
const secret = typeof opts.secret === "string" ? opts.secret.trim() : "";
if (!secret) {
throw new Error(
"Telegram webhook mode requires a non-empty secret token. " +
"Set channels.telegram.webhookSecret in your config.",
);
}
const runtime = opts.runtime ?? defaultRuntime;
const diagnosticsEnabled = isDiagnosticsEnabled(opts.config);
const bot = createTelegramBot({
@@ -48,7 +55,7 @@ export async function startTelegramWebhook(opts: {
accountId: opts.accountId,
});
const handler = webhookCallback(bot, "http", {
secretToken: opts.secret,
secretToken: secret,
});
if (diagnosticsEnabled) {
@@ -124,7 +131,7 @@ export async function startTelegramWebhook(opts: {
runtime,
fn: () =>
bot.api.setWebhook(publicUrl, {
secret_token: opts.secret,
secret_token: secret,
allowed_updates: resolveTelegramAllowedUpdates(),
}),
});