Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Tests: pin Telegram fallback host (#49364)

Browse Source 
* Tests: pin Telegram fallback host

* Changelog: note Telegram fallback guardrail
This commit is contained in:
Vincent Koc 2026-03-17 20:32:38 -07:00 committed by GitHub
parent f8f9e06b58
commit a34944c918
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -133,6 +133,7 @@ Docs: https://docs.openclaw.ai
- Agents/prompt composition: append bootstrap truncation warnings to the current-turn prompt and add regression coverage for stable system-prompt cache invariants. (#49237) Thanks @scoootscooob.
- Gateway/auth: add regression coverage that keeps device-less trusted-proxy Control UI sessions off privileged pairing approval RPCs. Thanks @vincentkoc.
- Plugins/runtime-api: pin extension runtime-api export seams with explicit guardrail coverage so future surface creep becomes a deliberate diff. Thanks @vincentkoc.
- Telegram/security: add regression coverage proving pinned fallback host overrides stay bound to Telegram and delegate non-matching hostnames back to the original lookup path. Thanks @vincentkoc.
### Breaking

31
src/infra/net/ssrf.dispatcher.test.ts
View File

@ -109,6 +109,37 @@ describe("createPinnedDispatcher", () => {
expect(originalLookup).not.toHaveBeenCalled();
});
it("keeps the override bound to the matching hostname only", () => {
const originalLookup = vi.fn(
(_hostname: string, callback: (err: null, address: string, family: number) => void) => {
callback(null, "93.184.216.34", 4);
},
) as unknown as PinnedHostname["lookup"];
const pinned: PinnedHostname = {
hostname: "api.telegram.org",
addresses: ["149.154.167.221"],
lookup: originalLookup,
};
createPinnedDispatcher(pinned, {
mode: "direct",
pinnedHostname: {
hostname: "api.telegram.org",
addresses: ["149.154.167.220"],
},
});
const firstCallArg = agentCtor.mock.calls.at(-1)?.[0] as
| { connect?: { lookup?: PinnedHostname["lookup"] } }
| undefined;
const lookup = firstCallArg?.connect?.lookup;
const callback = vi.fn();
lookup?.("example.com", callback);
expect(originalLookup).toHaveBeenCalledWith("example.com", expect.any(Function));
expect(callback).toHaveBeenCalledWith(null, "93.184.216.34", 4);
});
it("rejects pinned override addresses that violate SSRF policy", () => {
const originalLookup = vi.fn() as unknown as PinnedHostname["lookup"];
const pinned: PinnedHostname = {