2026-02-26 16:43:44 +01:00
|
|
|
import {
|
|
|
|
|
buildHostnameAllowlistPolicyFromSuffixAllowlist,
|
|
|
|
|
isHttpsUrlAllowedByHostnameSuffixAllowlist,
|
|
|
|
|
normalizeHostnameSuffixAllowlist,
|
|
|
|
|
} from "openclaw/plugin-sdk";
|
|
|
|
|
import type { SsrFPolicy } from "openclaw/plugin-sdk";
|
2026-01-14 01:08:15 +00:00
|
|
|
import type { MSTeamsAttachmentLike } from "./types.js";
|
|
|
|
|
|
|
|
|
|
type InlineImageCandidate =
|
|
|
|
|
| {
|
|
|
|
|
kind: "data";
|
|
|
|
|
data: Buffer;
|
|
|
|
|
contentType?: string;
|
|
|
|
|
placeholder: string;
|
|
|
|
|
}
|
|
|
|
|
| {
|
|
|
|
|
kind: "url";
|
|
|
|
|
url: string;
|
|
|
|
|
contentType?: string;
|
|
|
|
|
fileHint?: string;
|
|
|
|
|
placeholder: string;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
export const IMAGE_EXT_RE = /\.(avif|bmp|gif|heic|heif|jpe?g|png|tiff?|webp)$/i;
|
|
|
|
|
|
|
|
|
|
export const IMG_SRC_RE = /<img[^>]+src=["']([^"']+)["'][^>]*>/gi;
|
|
|
|
|
export const ATTACHMENT_TAG_RE = /<attachment[^>]+id=["']([^"']+)["'][^>]*>/gi;
|
|
|
|
|
|
|
|
|
|
export const DEFAULT_MEDIA_HOST_ALLOWLIST = [
|
|
|
|
|
"graph.microsoft.com",
|
|
|
|
|
"graph.microsoft.us",
|
|
|
|
|
"graph.microsoft.de",
|
|
|
|
|
"graph.microsoft.cn",
|
|
|
|
|
"sharepoint.com",
|
|
|
|
|
"sharepoint.us",
|
|
|
|
|
"sharepoint.de",
|
|
|
|
|
"sharepoint.cn",
|
|
|
|
|
"sharepoint-df.com",
|
|
|
|
|
"1drv.ms",
|
|
|
|
|
"onedrive.com",
|
|
|
|
|
"teams.microsoft.com",
|
|
|
|
|
"teams.cdn.office.net",
|
|
|
|
|
"statics.teams.cdn.office.net",
|
|
|
|
|
"office.com",
|
|
|
|
|
"office.net",
|
2026-01-22 03:27:26 +00:00
|
|
|
// Azure Media Services / Skype CDN for clipboard-pasted images
|
|
|
|
|
"asm.skype.com",
|
|
|
|
|
"ams.skype.com",
|
|
|
|
|
"media.ams.skype.com",
|
|
|
|
|
// Bot Framework attachment URLs
|
|
|
|
|
"trafficmanager.net",
|
|
|
|
|
"blob.core.windows.net",
|
|
|
|
|
"azureedge.net",
|
|
|
|
|
"microsoft.com",
|
2026-01-14 01:08:15 +00:00
|
|
|
] as const;
|
|
|
|
|
|
2026-02-02 02:07:01 -08:00
|
|
|
export const DEFAULT_MEDIA_AUTH_HOST_ALLOWLIST = [
|
|
|
|
|
"api.botframework.com",
|
|
|
|
|
"botframework.com",
|
|
|
|
|
"graph.microsoft.com",
|
|
|
|
|
"graph.microsoft.us",
|
|
|
|
|
"graph.microsoft.de",
|
|
|
|
|
"graph.microsoft.cn",
|
|
|
|
|
] as const;
|
|
|
|
|
|
2026-01-14 01:08:15 +00:00
|
|
|
export const GRAPH_ROOT = "https://graph.microsoft.com/v1.0";
|
|
|
|
|
|
|
|
|
|
export function isRecord(value: unknown): value is Record<string, unknown> {
|
|
|
|
|
return Boolean(value) && typeof value === "object" && !Array.isArray(value);
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-21 23:08:07 +01:00
|
|
|
export function resolveRequestUrl(input: RequestInfo | URL): string {
|
|
|
|
|
if (typeof input === "string") {
|
|
|
|
|
return input;
|
|
|
|
|
}
|
|
|
|
|
if (input instanceof URL) {
|
|
|
|
|
return input.toString();
|
|
|
|
|
}
|
|
|
|
|
if (typeof input === "object" && input && "url" in input && typeof input.url === "string") {
|
|
|
|
|
return input.url;
|
|
|
|
|
}
|
|
|
|
|
return String(input);
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-14 01:08:15 +00:00
|
|
|
export function normalizeContentType(value: unknown): string | undefined {
|
2026-01-31 22:13:48 +09:00
|
|
|
if (typeof value !== "string") {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
2026-01-14 01:08:15 +00:00
|
|
|
const trimmed = value.trim();
|
|
|
|
|
return trimmed ? trimmed : undefined;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function inferPlaceholder(params: {
|
|
|
|
|
contentType?: string;
|
|
|
|
|
fileName?: string;
|
|
|
|
|
fileType?: string;
|
|
|
|
|
}): string {
|
|
|
|
|
const mime = params.contentType?.toLowerCase() ?? "";
|
|
|
|
|
const name = params.fileName?.toLowerCase() ?? "";
|
|
|
|
|
const fileType = params.fileType?.toLowerCase() ?? "";
|
|
|
|
|
|
|
|
|
|
const looksLikeImage =
|
2026-01-14 14:31:43 +00:00
|
|
|
mime.startsWith("image/") || IMAGE_EXT_RE.test(name) || IMAGE_EXT_RE.test(`x.${fileType}`);
|
2026-01-14 01:08:15 +00:00
|
|
|
|
|
|
|
|
return looksLikeImage ? "<media:image>" : "<media:document>";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function isLikelyImageAttachment(att: MSTeamsAttachmentLike): boolean {
|
|
|
|
|
const contentType = normalizeContentType(att.contentType) ?? "";
|
|
|
|
|
const name = typeof att.name === "string" ? att.name : "";
|
2026-01-31 22:13:48 +09:00
|
|
|
if (contentType.startsWith("image/")) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
if (IMAGE_EXT_RE.test(name)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2026-01-14 01:08:15 +00:00
|
|
|
|
|
|
|
|
if (
|
|
|
|
|
contentType === "application/vnd.microsoft.teams.file.download.info" &&
|
|
|
|
|
isRecord(att.content)
|
|
|
|
|
) {
|
2026-01-14 14:31:43 +00:00
|
|
|
const fileType = typeof att.content.fileType === "string" ? att.content.fileType : "";
|
2026-01-31 22:13:48 +09:00
|
|
|
if (fileType && IMAGE_EXT_RE.test(`x.${fileType}`)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2026-01-14 14:31:43 +00:00
|
|
|
const fileName = typeof att.content.fileName === "string" ? att.content.fileName : "";
|
2026-01-31 22:13:48 +09:00
|
|
|
if (fileName && IMAGE_EXT_RE.test(fileName)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2026-01-14 01:08:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-22 03:27:26 +00:00
|
|
|
/**
|
|
|
|
|
* Returns true if the attachment can be downloaded (any file type).
|
|
|
|
|
* Used when downloading all files, not just images.
|
|
|
|
|
*/
|
|
|
|
|
export function isDownloadableAttachment(att: MSTeamsAttachmentLike): boolean {
|
|
|
|
|
const contentType = normalizeContentType(att.contentType) ?? "";
|
|
|
|
|
|
|
|
|
|
// Teams file download info always has a downloadUrl
|
|
|
|
|
if (
|
|
|
|
|
contentType === "application/vnd.microsoft.teams.file.download.info" &&
|
|
|
|
|
isRecord(att.content) &&
|
|
|
|
|
typeof att.content.downloadUrl === "string"
|
|
|
|
|
) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Any attachment with a contentUrl can be downloaded
|
|
|
|
|
if (typeof att.contentUrl === "string" && att.contentUrl.trim()) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-14 01:08:15 +00:00
|
|
|
function isHtmlAttachment(att: MSTeamsAttachmentLike): boolean {
|
|
|
|
|
const contentType = normalizeContentType(att.contentType) ?? "";
|
|
|
|
|
return contentType.startsWith("text/html");
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-14 14:31:43 +00:00
|
|
|
export function extractHtmlFromAttachment(att: MSTeamsAttachmentLike): string | undefined {
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!isHtmlAttachment(att)) {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
if (typeof att.content === "string") {
|
|
|
|
|
return att.content;
|
|
|
|
|
}
|
|
|
|
|
if (!isRecord(att.content)) {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
2026-01-14 01:08:15 +00:00
|
|
|
const text =
|
|
|
|
|
typeof att.content.text === "string"
|
|
|
|
|
? att.content.text
|
|
|
|
|
: typeof att.content.body === "string"
|
|
|
|
|
? att.content.body
|
|
|
|
|
: typeof att.content.content === "string"
|
|
|
|
|
? att.content.content
|
|
|
|
|
: undefined;
|
|
|
|
|
return text;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function decodeDataImage(src: string): InlineImageCandidate | null {
|
|
|
|
|
const match = /^data:(image\/[a-z0-9.+-]+)?(;base64)?,(.*)$/i.exec(src);
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!match) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
2026-01-14 01:08:15 +00:00
|
|
|
const contentType = match[1]?.toLowerCase();
|
|
|
|
|
const isBase64 = Boolean(match[2]);
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!isBase64) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
2026-01-14 01:08:15 +00:00
|
|
|
const payload = match[3] ?? "";
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!payload) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
2026-01-14 01:08:15 +00:00
|
|
|
try {
|
|
|
|
|
const data = Buffer.from(payload, "base64");
|
|
|
|
|
return { kind: "data", data, contentType, placeholder: "<media:image>" };
|
|
|
|
|
} catch {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function fileHintFromUrl(src: string): string | undefined {
|
|
|
|
|
try {
|
|
|
|
|
const url = new URL(src);
|
|
|
|
|
const name = url.pathname.split("/").pop();
|
|
|
|
|
return name || undefined;
|
|
|
|
|
} catch {
|
|
|
|
|
return undefined;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function extractInlineImageCandidates(
|
|
|
|
|
attachments: MSTeamsAttachmentLike[],
|
|
|
|
|
): InlineImageCandidate[] {
|
|
|
|
|
const out: InlineImageCandidate[] = [];
|
|
|
|
|
for (const att of attachments) {
|
|
|
|
|
const html = extractHtmlFromAttachment(att);
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!html) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2026-01-14 01:08:15 +00:00
|
|
|
IMG_SRC_RE.lastIndex = 0;
|
|
|
|
|
let match: RegExpExecArray | null = IMG_SRC_RE.exec(html);
|
|
|
|
|
while (match) {
|
|
|
|
|
const src = match[1]?.trim();
|
|
|
|
|
if (src && !src.startsWith("cid:")) {
|
|
|
|
|
if (src.startsWith("data:")) {
|
|
|
|
|
const decoded = decodeDataImage(src);
|
2026-01-31 22:13:48 +09:00
|
|
|
if (decoded) {
|
|
|
|
|
out.push(decoded);
|
|
|
|
|
}
|
2026-01-14 01:08:15 +00:00
|
|
|
} else {
|
|
|
|
|
out.push({
|
|
|
|
|
kind: "url",
|
|
|
|
|
url: src,
|
|
|
|
|
fileHint: fileHintFromUrl(src),
|
|
|
|
|
placeholder: "<media:image>",
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
match = IMG_SRC_RE.exec(html);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function safeHostForUrl(url: string): string {
|
|
|
|
|
try {
|
|
|
|
|
return new URL(url).hostname.toLowerCase();
|
|
|
|
|
} catch {
|
|
|
|
|
return "invalid-url";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function resolveAllowedHosts(input?: string[]): string[] {
|
2026-02-26 16:43:44 +01:00
|
|
|
return normalizeHostnameSuffixAllowlist(input, DEFAULT_MEDIA_HOST_ALLOWLIST);
|
2026-01-14 01:08:15 +00:00
|
|
|
}
|
|
|
|
|
|
2026-02-02 02:07:01 -08:00
|
|
|
export function resolveAuthAllowedHosts(input?: string[]): string[] {
|
2026-02-26 16:43:44 +01:00
|
|
|
return normalizeHostnameSuffixAllowlist(input, DEFAULT_MEDIA_AUTH_HOST_ALLOWLIST);
|
2026-01-14 01:08:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function isUrlAllowed(url: string, allowlist: string[]): boolean {
|
2026-02-26 16:43:44 +01:00
|
|
|
return isHttpsUrlAllowedByHostnameSuffixAllowlist(url, allowlist);
|
2026-01-14 01:08:15 +00:00
|
|
|
}
|
fix(msteams): add SSRF protection to attachment downloads via redirect and DNS validation (#23598)
* fix(msteams): add SSRF protection to attachment downloads via redirect and DNS validation
The attachment download flow in fetchWithAuthFallback() followed
redirects automatically on the initial fetch without any allowlist
or IP validation. This allowed DNS rebinding attacks where an
allowlisted domain (e.g. evil.trafficmanager.net) could redirect
or resolve to a private IP like 169.254.169.254, bypassing the
hostname allowlist entirely (issue #11811).
This commit adds three layers of SSRF protection:
1. safeFetch() in shared.ts: a redirect-safe fetch wrapper that uses
redirect: "manual" and validates every redirect hop against the
hostname allowlist AND DNS-resolved IP before following it.
2. isPrivateOrReservedIP() + resolveAndValidateIP() in shared.ts:
rejects RFC 1918, loopback, link-local, and IPv6 private ranges
for both initial URLs and redirect targets.
3. graph.ts SharePoint redirect handling now also uses redirect:
"manual" and validates resolved IPs, not just hostnames.
The initial fetch in fetchWithAuthFallback now goes through safeFetch
instead of a bare fetch(), ensuring redirects are never followed
without validation.
Includes 38 new tests covering IP validation, DNS resolution checks,
redirect following, DNS rebinding attacks, redirect loops, and
protocol downgrade blocking.
* fix: address review feedback on SSRF protection
- Replace hand-rolled isPrivateOrReservedIP with SDK's isPrivateIpAddress
which handles IPv4-mapped IPv6, expanded notation, NAT64, 6to4, Teredo,
octal IPv4, and fails closed on parse errors
- Add redirect: "manual" to auth retry redirect fetch in download.ts to
prevent chained redirect attacks bypassing SSRF checks
- Add redirect: "manual" to SharePoint redirect fetch in graph.ts to
prevent the same chained redirect bypass
- Update test expectations for SDK's fail-closed behavior on malformed IPs
- Add expanded IPv6 loopback (0:0:0:0:0:0:0:1) test case
* fix: type fetchMock as typeof fetch to fix TS tuple index error
* msteams: harden attachment auth and graph redirect fetch flow
* changelog(msteams): credit redirect-safeFetch hardening contributors
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-22 23:00:54 +00:00
|
|
|
|
2026-02-26 16:43:44 +01:00
|
|
|
export function resolveMediaSsrfPolicy(allowHosts: string[]): SsrFPolicy | undefined {
|
|
|
|
|
return buildHostnameAllowlistPolicyFromSuffixAllowlist(allowHosts);
|
fix(msteams): add SSRF protection to attachment downloads via redirect and DNS validation (#23598)
* fix(msteams): add SSRF protection to attachment downloads via redirect and DNS validation
The attachment download flow in fetchWithAuthFallback() followed
redirects automatically on the initial fetch without any allowlist
or IP validation. This allowed DNS rebinding attacks where an
allowlisted domain (e.g. evil.trafficmanager.net) could redirect
or resolve to a private IP like 169.254.169.254, bypassing the
hostname allowlist entirely (issue #11811).
This commit adds three layers of SSRF protection:
1. safeFetch() in shared.ts: a redirect-safe fetch wrapper that uses
redirect: "manual" and validates every redirect hop against the
hostname allowlist AND DNS-resolved IP before following it.
2. isPrivateOrReservedIP() + resolveAndValidateIP() in shared.ts:
rejects RFC 1918, loopback, link-local, and IPv6 private ranges
for both initial URLs and redirect targets.
3. graph.ts SharePoint redirect handling now also uses redirect:
"manual" and validates resolved IPs, not just hostnames.
The initial fetch in fetchWithAuthFallback now goes through safeFetch
instead of a bare fetch(), ensuring redirects are never followed
without validation.
Includes 38 new tests covering IP validation, DNS resolution checks,
redirect following, DNS rebinding attacks, redirect loops, and
protocol downgrade blocking.
* fix: address review feedback on SSRF protection
- Replace hand-rolled isPrivateOrReservedIP with SDK's isPrivateIpAddress
which handles IPv4-mapped IPv6, expanded notation, NAT64, 6to4, Teredo,
octal IPv4, and fails closed on parse errors
- Add redirect: "manual" to auth retry redirect fetch in download.ts to
prevent chained redirect attacks bypassing SSRF checks
- Add redirect: "manual" to SharePoint redirect fetch in graph.ts to
prevent the same chained redirect bypass
- Update test expectations for SDK's fail-closed behavior on malformed IPs
- Add expanded IPv6 loopback (0:0:0:0:0:0:0:1) test case
* fix: type fetchMock as typeof fetch to fix TS tuple index error
* msteams: harden attachment auth and graph redirect fetch flow
* changelog(msteams): credit redirect-safeFetch hardening contributors
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-22 23:00:54 +00:00
|
|
|
}
|