The respondToAtAll check in handleFeishuMessage was using a raw substring
match on event.message.content to detect @所有人 (@_all):
if (!ctx.mentionedBot && (event.message.content ?? "").includes("@_all"))
This allows spoofing: any user who types the literal text "@_all" in a
normal message (in a code block, quote, or plain text) will have their
message treated as a real @所有人 broadcast when respondToAtAll is enabled,
bypassing the requireMention gate (CWE-807 — decision via unverified data).
Fix:
- Extract a new exported helper hasAtAllMention() in bot-content.ts that
checks the structured event.message.mentions array for an entry with
key === "@_all" or id.user_id/open_id === "all". Feishu only inserts a
mention entry with key "@_all" when the sender actually used the
@所有人 mention button — unlike raw message content which is user-controlled.
- Update handleFeishuMessage to call hasAtAllMention(event) instead of the
raw content substring check.
- Add 4 focused unit tests for hasAtAllMention() covering: key match,
user_id match, empty mentions (raw text cannot spoof), and non-@all
regular user mentions.
Total tests: 21/21 (17 existing + 4 new)
Previously checkBotMentioned() returned true for any message containing
'@_all', causing ALL bots in a Feishu group to respond simultaneously
whenever a user broadcast to @所有人 (#49761).
Fix: remove the unconditional @_all -> true early-return from
checkBotMentioned(). Opt-in is now controlled by a new respondToAtAll
config flag (boolean, default false) that can be set at the account level
(channels.feishu.respondToAtAll or channels.feishu.accounts.<id>.respondToAtAll)
or per-group (channels.feishu.groups.<chatId>.respondToAtAll).
The check is applied in handleFeishuMessage after groupConfig is resolved
so that per-group and per-account settings are both honoured. Bots that
do not opt in remain silent when @所有人 is used, preserving the pre-existing
behaviour for single-bot deployments and groups that do not want broadcast
responses.
Changes:
- extensions/feishu/src/bot-content.ts: drop @_all -> true, add comment
- extensions/feishu/src/bot.ts: add respondToAtAll opt-in check after
groupConfig is resolved, before the requireMention gate
- extensions/feishu/src/config-schema.ts: add respondToAtAll?:boolean to
FeishuSharedConfigShape (account+global level) and FeishuGroupSchema
- extensions/feishu/src/bot.checkBotMentioned.test.ts: two new tests
confirming mentionedBot=false for @_all via parseFeishuMessageEvent
