npm - @alfe.ai/openclaw-chat - Versions diffs - 0.0.20 → 0.0.22 - Mend

@alfe.ai/openclaw-chat 0.0.20 → 0.0.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/plugin2.cjs CHANGED Viewed

@@ -402,6 +402,107 @@ function buildA2ATools(chatClient, log) {
 	];
 }
 //#endregion
+//#region src/attachment-url.ts
+/**
+* Attachment URL validation for the openclaw-chat plugin.
+*
+* This package runs inside user-installed OpenClaw agents and has no
+* dependency on the internal @alfe/api-core SSRF validator, so the
+* plumbing is inlined here. The rules are deliberately conservative:
+*
+* - `https:` only.
+* - Userinfo (`https://u:p@host/...`) is rejected.
+* - IP-literal hosts (v4 or bracketed v6) are rejected outright — only
+*   DNS names for known provider CDNs are acceptable.
+* - The host must match a curated allowlist of Alfe-issued / channel-
+*   provider CDNs. Anything else is dropped before we fetch it.
+*
+* Operators running an agent in a private network that needs to dereference
+* additional hosts can extend the list via the
+* `ALFE_ATTACHMENT_ALLOWED_HOSTS` env var (comma-separated, entries prefixed
+* with `.` match suffixes).
+*/
+const DEFAULT_EXACT_HOSTS = [
+	"s3.amazonaws.com",
+	"api.twilio.com",
+	"graph.microsoft.com",
+	"mmg.whatsapp.net"
+];
+const DEFAULT_SUFFIX_HOSTS = [
+	".s3.amazonaws.com",
+	".amazonaws.com",
+	".twiliocdn.com",
+	".cdn.discordapp.com",
+	".discordapp.net",
+	".telegram.org",
+	".alfe.ai"
+];
+function parseExtraHosts(raw) {
+	const exact = /* @__PURE__ */ new Set();
+	const suffix = [];
+	if (!raw) return {
+		exact,
+		suffix
+	};
+	for (const part of raw.split(",")) {
+		const trimmed = part.trim().toLowerCase();
+		if (!trimmed) continue;
+		if (trimmed.startsWith(".")) suffix.push(trimmed);
+		else exact.add(trimmed);
+	}
+	return {
+		exact,
+		suffix
+	};
+}
+function isIpLiteral(host) {
+	if (host.startsWith("[") && host.endsWith("]")) return true;
+	return /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+}
+function validateAttachmentUrl(input, opts = {}) {
+	if (!input || input.trim() === "") return {
+		ok: false,
+		reason: "empty"
+	};
+	let url;
+	try {
+		url = new URL(input);
+	} catch {
+		return {
+			ok: false,
+			reason: "invalid_url"
+		};
+	}
+	if (url.protocol !== "https:") return {
+		ok: false,
+		reason: "not_https"
+	};
+	if (url.username !== "" || url.password !== "") return {
+		ok: false,
+		reason: "userinfo_not_allowed"
+	};
+	const host = url.hostname.toLowerCase();
+	if (!host) return {
+		ok: false,
+		reason: "empty_host"
+	};
+	if (isIpLiteral(host)) return {
+		ok: false,
+		reason: "ip_literal"
+	};
+	if (host === "localhost" || host === "metadata" || host === "metadata.google.internal") return {
+		ok: false,
+		reason: "blocked_host"
+	};
+	const extra = parseExtraHosts(opts.extraHosts ?? process.env.ALFE_ATTACHMENT_ALLOWED_HOSTS);
+	if (new Set([...DEFAULT_EXACT_HOSTS.map((h) => h.toLowerCase()), ...extra.exact]).has(host)) return { ok: true };
+	if ([...DEFAULT_SUFFIX_HOSTS.map((h) => h.toLowerCase()), ...extra.suffix].some((rule) => host === rule.slice(1) || host.endsWith(rule))) return { ok: true };
+	return {
+		ok: false,
+		reason: "host_not_in_allowlist"
+	};
+}
+//#endregion
 //#region src/plugin.ts
 /**
 * @alfe.ai/openclaw-chat — OpenClaw chat channel plugin.
@@ -418,17 +519,29 @@ function buildA2ATools(chatClient, log) {
 */
 let dispatchInbound = null;
 /**
-* Resolve OpenClaw SDK functions from the global install.
-* The openclaw package is installed globally (/usr/lib/node_modules/openclaw/)
-* but is NOT in the plugin's node_modules. Built-in extensions can import
-* directly; external plugins must use createRequire.
+* Resolve OpenClaw SDK functions from the running process.
+*
+* The openclaw package is NOT in the plugin's node_modules (it's a peer dep).
+* Since the plugin runs inside OpenClaw's process, we anchor resolution to
+* OpenClaw's own entry module via require.main, then fall back to deriving
+* the global modules path from process.execPath.
 */
 function resolveOpenClawSdk(log) {
-	for (const globalPath of ["/usr/lib/node_modules/openclaw/package.json", "/usr/local/lib/node_modules/openclaw/package.json"]) try {
-		const channelInbound = (0, node_module.createRequire)(globalPath)("openclaw/plugin-sdk/channel-inbound");
+	const anchors = [require.main?.filename, process.argv[1]].filter(Boolean);
+	for (const anchor of anchors) try {
+		const channelInbound = (0, node_module.createRequire)(anchor)("openclaw/plugin-sdk/channel-inbound");
+		if (channelInbound.dispatchInboundDirectDmWithRuntime) {
+			dispatchInbound = channelInbound.dispatchInboundDirectDmWithRuntime;
+			log.info(`Resolved OpenClaw SDK from ${anchor}`);
+			return;
+		}
+	} catch {}
+	try {
+		const derivedPath = (0, node_path.join)((0, node_path.resolve)((0, node_path.dirname)(process.execPath), ".."), "lib", "node_modules", "openclaw", "package.json");
+		const channelInbound = (0, node_module.createRequire)(derivedPath)("openclaw/plugin-sdk/channel-inbound");
 		if (channelInbound.dispatchInboundDirectDmWithRuntime) {
 			dispatchInbound = channelInbound.dispatchInboundDirectDmWithRuntime;
-			log.info(`Resolved OpenClaw SDK from ${globalPath}`);
+			log.info(`Resolved OpenClaw SDK from ${derivedPath}`);
 			return;
 		}
 	} catch {}
@@ -440,6 +553,37 @@ let connectingPromise = null;
 let metricsClient = null;
 const MAX_FILE_SIZE = 50 * 1024 * 1024;
 const DOWNLOAD_TIMEOUT_MS = 3e4;
+const MAX_REDIRECTS = 5;
+/**
+* Fetch `url` with `redirect: "manual"` and revalidate every hop against the
+* attachment allowlist. This defeats presigned-URL substitution attacks
+* where an attacker points us at a trusted host that 302s to metadata
+* or an internal service.
+*/
+async function fetchAttachmentWithValidation(url, signal) {
+	let currentUrl = url;
+	for (let hop = 0; hop <= MAX_REDIRECTS; hop += 1) {
+		const verdict = validateAttachmentUrl(currentUrl);
+		if (!verdict.ok) throw new Error(`attachment_url_rejected:${verdict.reason ?? "unknown"}`);
+		const res = await fetch(currentUrl, {
+			redirect: "manual",
+			signal
+		});
+		const status = res.status;
+		if (status >= 300 && status < 400) {
+			const location = res.headers.get("location");
+			if (!location) throw new Error("redirect_without_location");
+			try {
+				currentUrl = new URL(location, currentUrl).toString();
+			} catch {
+				throw new Error("invalid_redirect_target");
+			}
+			continue;
+		}
+		return res;
+	}
+	throw new Error("too_many_redirects");
+}
 async function downloadAttachments(attachments, log) {
 	const attachDir = (0, node_path.join)((0, node_os.homedir)(), ".alfe", "attachments");
 	await (0, node_fs_promises.mkdir)(attachDir, { recursive: true });
@@ -452,7 +596,7 @@ async function downloadAttachments(attachments, log) {
 			controller.abort();
 		}, DOWNLOAD_TIMEOUT_MS);
 		try {
-			const res = await fetch(att.url, { signal: controller.signal });
+			const res = await fetchAttachmentWithValidation(att.url, controller.signal);
 			if (!res.ok) {
 				log.warn(`Failed to download attachment ${att.id}: ${String(res.status)}`);
 				continue;

package/dist/plugin2.js CHANGED Viewed

@@ -1,11 +1,14 @@
 import { createRequire } from "node:module";
 import { mkdir, readFile, readdir, stat, unlink, writeFile } from "node:fs/promises";
-import { join } from "node:path";
+import { dirname, join, resolve } from "node:path";
 import { homedir } from "node:os";
 import { ChatServiceClient, resolveAlfeChat } from "@alfe.ai/chat";
 import { resolveConfig } from "@alfe.ai/config";
 import { AgentApiClient } from "@alfe.ai/agent-api-client";
 import { existsSync } from "node:fs";
+//#region \0rolldown/runtime.js
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+//#endregion
 //#region src/alfe-channel.ts
 const CHANNEL_ID = "alfe";
 const DEFAULT_ACCOUNT_ID = "default";
@@ -402,6 +405,107 @@ function buildA2ATools(chatClient, log) {
 	];
 }
 //#endregion
+//#region src/attachment-url.ts
+/**
+* Attachment URL validation for the openclaw-chat plugin.
+*
+* This package runs inside user-installed OpenClaw agents and has no
+* dependency on the internal @alfe/api-core SSRF validator, so the
+* plumbing is inlined here. The rules are deliberately conservative:
+*
+* - `https:` only.
+* - Userinfo (`https://u:p@host/...`) is rejected.
+* - IP-literal hosts (v4 or bracketed v6) are rejected outright — only
+*   DNS names for known provider CDNs are acceptable.
+* - The host must match a curated allowlist of Alfe-issued / channel-
+*   provider CDNs. Anything else is dropped before we fetch it.
+*
+* Operators running an agent in a private network that needs to dereference
+* additional hosts can extend the list via the
+* `ALFE_ATTACHMENT_ALLOWED_HOSTS` env var (comma-separated, entries prefixed
+* with `.` match suffixes).
+*/
+const DEFAULT_EXACT_HOSTS = [
+	"s3.amazonaws.com",
+	"api.twilio.com",
+	"graph.microsoft.com",
+	"mmg.whatsapp.net"
+];
+const DEFAULT_SUFFIX_HOSTS = [
+	".s3.amazonaws.com",
+	".amazonaws.com",
+	".twiliocdn.com",
+	".cdn.discordapp.com",
+	".discordapp.net",
+	".telegram.org",
+	".alfe.ai"
+];
+function parseExtraHosts(raw) {
+	const exact = /* @__PURE__ */ new Set();
+	const suffix = [];
+	if (!raw) return {
+		exact,
+		suffix
+	};
+	for (const part of raw.split(",")) {
+		const trimmed = part.trim().toLowerCase();
+		if (!trimmed) continue;
+		if (trimmed.startsWith(".")) suffix.push(trimmed);
+		else exact.add(trimmed);
+	}
+	return {
+		exact,
+		suffix
+	};
+}
+function isIpLiteral(host) {
+	if (host.startsWith("[") && host.endsWith("]")) return true;
+	return /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+}
+function validateAttachmentUrl(input, opts = {}) {
+	if (!input || input.trim() === "") return {
+		ok: false,
+		reason: "empty"
+	};
+	let url;
+	try {
+		url = new URL(input);
+	} catch {
+		return {
+			ok: false,
+			reason: "invalid_url"
+		};
+	}
+	if (url.protocol !== "https:") return {
+		ok: false,
+		reason: "not_https"
+	};
+	if (url.username !== "" || url.password !== "") return {
+		ok: false,
+		reason: "userinfo_not_allowed"
+	};
+	const host = url.hostname.toLowerCase();
+	if (!host) return {
+		ok: false,
+		reason: "empty_host"
+	};
+	if (isIpLiteral(host)) return {
+		ok: false,
+		reason: "ip_literal"
+	};
+	if (host === "localhost" || host === "metadata" || host === "metadata.google.internal") return {
+		ok: false,
+		reason: "blocked_host"
+	};
+	const extra = parseExtraHosts(opts.extraHosts ?? process.env.ALFE_ATTACHMENT_ALLOWED_HOSTS);
+	if (new Set([...DEFAULT_EXACT_HOSTS.map((h) => h.toLowerCase()), ...extra.exact]).has(host)) return { ok: true };
+	if ([...DEFAULT_SUFFIX_HOSTS.map((h) => h.toLowerCase()), ...extra.suffix].some((rule) => host === rule.slice(1) || host.endsWith(rule))) return { ok: true };
+	return {
+		ok: false,
+		reason: "host_not_in_allowlist"
+	};
+}
+//#endregion
 //#region src/plugin.ts
 /**
 * @alfe.ai/openclaw-chat — OpenClaw chat channel plugin.
@@ -418,17 +522,29 @@ function buildA2ATools(chatClient, log) {
 */
 let dispatchInbound = null;
 /**
-* Resolve OpenClaw SDK functions from the global install.
-* The openclaw package is installed globally (/usr/lib/node_modules/openclaw/)
-* but is NOT in the plugin's node_modules. Built-in extensions can import
-* directly; external plugins must use createRequire.
+* Resolve OpenClaw SDK functions from the running process.
+*
+* The openclaw package is NOT in the plugin's node_modules (it's a peer dep).
+* Since the plugin runs inside OpenClaw's process, we anchor resolution to
+* OpenClaw's own entry module via require.main, then fall back to deriving
+* the global modules path from process.execPath.
 */
 function resolveOpenClawSdk(log) {
-	for (const globalPath of ["/usr/lib/node_modules/openclaw/package.json", "/usr/local/lib/node_modules/openclaw/package.json"]) try {
-		const channelInbound = createRequire(globalPath)("openclaw/plugin-sdk/channel-inbound");
+	const anchors = [__require.main?.filename, process.argv[1]].filter(Boolean);
+	for (const anchor of anchors) try {
+		const channelInbound = createRequire(anchor)("openclaw/plugin-sdk/channel-inbound");
+		if (channelInbound.dispatchInboundDirectDmWithRuntime) {
+			dispatchInbound = channelInbound.dispatchInboundDirectDmWithRuntime;
+			log.info(`Resolved OpenClaw SDK from ${anchor}`);
+			return;
+		}
+	} catch {}
+	try {
+		const derivedPath = join(resolve(dirname(process.execPath), ".."), "lib", "node_modules", "openclaw", "package.json");
+		const channelInbound = createRequire(derivedPath)("openclaw/plugin-sdk/channel-inbound");
 		if (channelInbound.dispatchInboundDirectDmWithRuntime) {
 			dispatchInbound = channelInbound.dispatchInboundDirectDmWithRuntime;
-			log.info(`Resolved OpenClaw SDK from ${globalPath}`);
+			log.info(`Resolved OpenClaw SDK from ${derivedPath}`);
 			return;
 		}
 	} catch {}
@@ -440,6 +556,37 @@ let connectingPromise = null;
 let metricsClient = null;
 const MAX_FILE_SIZE = 50 * 1024 * 1024;
 const DOWNLOAD_TIMEOUT_MS = 3e4;
+const MAX_REDIRECTS = 5;
+/**
+* Fetch `url` with `redirect: "manual"` and revalidate every hop against the
+* attachment allowlist. This defeats presigned-URL substitution attacks
+* where an attacker points us at a trusted host that 302s to metadata
+* or an internal service.
+*/
+async function fetchAttachmentWithValidation(url, signal) {
+	let currentUrl = url;
+	for (let hop = 0; hop <= MAX_REDIRECTS; hop += 1) {
+		const verdict = validateAttachmentUrl(currentUrl);
+		if (!verdict.ok) throw new Error(`attachment_url_rejected:${verdict.reason ?? "unknown"}`);
+		const res = await fetch(currentUrl, {
+			redirect: "manual",
+			signal
+		});
+		const status = res.status;
+		if (status >= 300 && status < 400) {
+			const location = res.headers.get("location");
+			if (!location) throw new Error("redirect_without_location");
+			try {
+				currentUrl = new URL(location, currentUrl).toString();
+			} catch {
+				throw new Error("invalid_redirect_target");
+			}
+			continue;
+		}
+		return res;
+	}
+	throw new Error("too_many_redirects");
+}
 async function downloadAttachments(attachments, log) {
 	const attachDir = join(homedir(), ".alfe", "attachments");
 	await mkdir(attachDir, { recursive: true });
@@ -452,7 +599,7 @@ async function downloadAttachments(attachments, log) {
 			controller.abort();
 		}, DOWNLOAD_TIMEOUT_MS);
 		try {
-			const res = await fetch(att.url, { signal: controller.signal });
+			const res = await fetchAttachmentWithValidation(att.url, controller.signal);
 			if (!res.ok) {
 				log.warn(`Failed to download attachment ${att.id}: ${String(res.status)}`);
 				continue;

package/openclaw.plugin.json CHANGED Viewed

@@ -1,5 +1,9 @@
 {
   "id": "@alfe.ai/openclaw-chat",
+  "name": "Chat Plugin",
+  "version": "0.0.21",
+  "description": "Chat conversation channel — web widget and mobile app share unified chat sessions",
+  "entry": "./dist/plugin.js",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@alfe.ai/openclaw-chat",
-  "version": "0.0.20",
+  "version": "0.0.22",
   "description": "OpenClaw chat plugin for Alfe — web widget and mobile app channels",
   "type": "module",
   "main": "./dist/plugin.js",