@alfe.ai/openclaw-chat 0.0.21 → 0.0.23

package/dist/plugin2.cjs

@@ -402,6 +402,107 @@ function buildA2ATools(chatClient, log) {
 	];
 }
 //#endregion
+//#region src/attachment-url.ts
+/**
+* Attachment URL validation for the openclaw-chat plugin.
+*
+* This package runs inside user-installed OpenClaw agents and has no
+* dependency on the internal @alfe/api-core SSRF validator, so the
+* plumbing is inlined here. The rules are deliberately conservative:
+*
+* - `https:` only.
+* - Userinfo (`https://u:p@host/...`) is rejected.
+* - IP-literal hosts (v4 or bracketed v6) are rejected outright — only
+*   DNS names for known provider CDNs are acceptable.
+* - The host must match a curated allowlist of Alfe-issued / channel-
+*   provider CDNs. Anything else is dropped before we fetch it.
+*
+* Operators running an agent in a private network that needs to dereference
+* additional hosts can extend the list via the
+* `ALFE_ATTACHMENT_ALLOWED_HOSTS` env var (comma-separated, entries prefixed
+* with `.` match suffixes).
+*/
+const DEFAULT_EXACT_HOSTS = [
+	"s3.amazonaws.com",
+	"api.twilio.com",
+	"graph.microsoft.com",
+	"mmg.whatsapp.net"
+];
+const DEFAULT_SUFFIX_HOSTS = [
+	".s3.amazonaws.com",
+	".amazonaws.com",
+	".twiliocdn.com",
+	".cdn.discordapp.com",
+	".discordapp.net",
+	".telegram.org",
+	".alfe.ai"
+];
+function parseExtraHosts(raw) {
+	const exact = /* @__PURE__ */ new Set();
+	const suffix = [];
+	if (!raw) return {
+		exact,
+		suffix
+	};
+	for (const part of raw.split(",")) {
+		const trimmed = part.trim().toLowerCase();
+		if (!trimmed) continue;
+		if (trimmed.startsWith(".")) suffix.push(trimmed);
+		else exact.add(trimmed);
+	}
+	return {
+		exact,
+		suffix
+	};
+}
+function isIpLiteral(host) {
+	if (host.startsWith("[") && host.endsWith("]")) return true;
+	return /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+}
+function validateAttachmentUrl(input, opts = {}) {
+	if (!input || input.trim() === "") return {
+		ok: false,
+		reason: "empty"
+	};
+	let url;
+	try {
+		url = new URL(input);
+	} catch {
+		return {
+			ok: false,
+			reason: "invalid_url"
+		};
+	}
+	if (url.protocol !== "https:") return {
+		ok: false,
+		reason: "not_https"
+	};
+	if (url.username !== "" || url.password !== "") return {
+		ok: false,
+		reason: "userinfo_not_allowed"
+	};
+	const host = url.hostname.toLowerCase();
+	if (!host) return {
+		ok: false,
+		reason: "empty_host"
+	};
+	if (isIpLiteral(host)) return {
+		ok: false,
+		reason: "ip_literal"
+	};
+	if (host === "localhost" || host === "metadata" || host === "metadata.google.internal") return {
+		ok: false,
+		reason: "blocked_host"
+	};
+	const extra = parseExtraHosts(opts.extraHosts ?? process.env.ALFE_ATTACHMENT_ALLOWED_HOSTS);
+	if (new Set([...DEFAULT_EXACT_HOSTS.map((h) => h.toLowerCase()), ...extra.exact]).has(host)) return { ok: true };
+	if ([...DEFAULT_SUFFIX_HOSTS.map((h) => h.toLowerCase()), ...extra.suffix].some((rule) => host === rule.slice(1) || host.endsWith(rule))) return { ok: true };
+	return {
+		ok: false,
+		reason: "host_not_in_allowlist"
+	};
+}
+//#endregion
 //#region src/plugin.ts
 /**
 * @alfe.ai/openclaw-chat — OpenClaw chat channel plugin.
@@ -452,6 +553,37 @@ let connectingPromise = null;
 let metricsClient = null;
 const MAX_FILE_SIZE = 50 * 1024 * 1024;
 const DOWNLOAD_TIMEOUT_MS = 3e4;
+const MAX_REDIRECTS = 5;
+/**
+* Fetch `url` with `redirect: "manual"` and revalidate every hop against the
+* attachment allowlist. This defeats presigned-URL substitution attacks
+* where an attacker points us at a trusted host that 302s to metadata
+* or an internal service.
+*/
+async function fetchAttachmentWithValidation(url, signal) {
+	let currentUrl = url;
+	for (let hop = 0; hop <= MAX_REDIRECTS; hop += 1) {
+		const verdict = validateAttachmentUrl(currentUrl);
+		if (!verdict.ok) throw new Error(`attachment_url_rejected:${verdict.reason ?? "unknown"}`);
+		const res = await fetch(currentUrl, {
+			redirect: "manual",
+			signal
+		});
+		const status = res.status;
+		if (status >= 300 && status < 400) {
+			const location = res.headers.get("location");
+			if (!location) throw new Error("redirect_without_location");
+			try {
+				currentUrl = new URL(location, currentUrl).toString();
+			} catch {
+				throw new Error("invalid_redirect_target");
+			}
+			continue;
+		}
+		return res;
+	}
+	throw new Error("too_many_redirects");
+}
 async function downloadAttachments(attachments, log) {
 	const attachDir = (0, node_path.join)((0, node_os.homedir)(), ".alfe", "attachments");
 	await (0, node_fs_promises.mkdir)(attachDir, { recursive: true });
@@ -464,7 +596,7 @@ async function downloadAttachments(attachments, log) {
 			controller.abort();
 		}, DOWNLOAD_TIMEOUT_MS);
 		try {
-			const res = await fetch(att.url, { signal: controller.signal });
+			const res = await fetchAttachmentWithValidation(att.url, controller.signal);
 			if (!res.ok) {
 				log.warn(`Failed to download attachment ${att.id}: ${String(res.status)}`);
 				continue;

package/dist/plugin2.js

@@ -405,6 +405,107 @@ function buildA2ATools(chatClient, log) {
 	];
 }
 //#endregion
+//#region src/attachment-url.ts
+/**
+* Attachment URL validation for the openclaw-chat plugin.
+*
+* This package runs inside user-installed OpenClaw agents and has no
+* dependency on the internal @alfe/api-core SSRF validator, so the
+* plumbing is inlined here. The rules are deliberately conservative:
+*
+* - `https:` only.
+* - Userinfo (`https://u:p@host/...`) is rejected.
+* - IP-literal hosts (v4 or bracketed v6) are rejected outright — only
+*   DNS names for known provider CDNs are acceptable.
+* - The host must match a curated allowlist of Alfe-issued / channel-
+*   provider CDNs. Anything else is dropped before we fetch it.
+*
+* Operators running an agent in a private network that needs to dereference
+* additional hosts can extend the list via the
+* `ALFE_ATTACHMENT_ALLOWED_HOSTS` env var (comma-separated, entries prefixed
+* with `.` match suffixes).
+*/
+const DEFAULT_EXACT_HOSTS = [
+	"s3.amazonaws.com",
+	"api.twilio.com",
+	"graph.microsoft.com",
+	"mmg.whatsapp.net"
+];
+const DEFAULT_SUFFIX_HOSTS = [
+	".s3.amazonaws.com",
+	".amazonaws.com",
+	".twiliocdn.com",
+	".cdn.discordapp.com",
+	".discordapp.net",
+	".telegram.org",
+	".alfe.ai"
+];
+function parseExtraHosts(raw) {
+	const exact = /* @__PURE__ */ new Set();
+	const suffix = [];
+	if (!raw) return {
+		exact,
+		suffix
+	};
+	for (const part of raw.split(",")) {
+		const trimmed = part.trim().toLowerCase();
+		if (!trimmed) continue;
+		if (trimmed.startsWith(".")) suffix.push(trimmed);
+		else exact.add(trimmed);
+	}
+	return {
+		exact,
+		suffix
+	};
+}
+function isIpLiteral(host) {
+	if (host.startsWith("[") && host.endsWith("]")) return true;
+	return /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+}
+function validateAttachmentUrl(input, opts = {}) {
+	if (!input || input.trim() === "") return {
+		ok: false,
+		reason: "empty"
+	};
+	let url;
+	try {
+		url = new URL(input);
+	} catch {
+		return {
+			ok: false,
+			reason: "invalid_url"
+		};
+	}
+	if (url.protocol !== "https:") return {
+		ok: false,
+		reason: "not_https"
+	};
+	if (url.username !== "" || url.password !== "") return {
+		ok: false,
+		reason: "userinfo_not_allowed"
+	};
+	const host = url.hostname.toLowerCase();
+	if (!host) return {
+		ok: false,
+		reason: "empty_host"
+	};
+	if (isIpLiteral(host)) return {
+		ok: false,
+		reason: "ip_literal"
+	};
+	if (host === "localhost" || host === "metadata" || host === "metadata.google.internal") return {
+		ok: false,
+		reason: "blocked_host"
+	};
+	const extra = parseExtraHosts(opts.extraHosts ?? process.env.ALFE_ATTACHMENT_ALLOWED_HOSTS);
+	if (new Set([...DEFAULT_EXACT_HOSTS.map((h) => h.toLowerCase()), ...extra.exact]).has(host)) return { ok: true };
+	if ([...DEFAULT_SUFFIX_HOSTS.map((h) => h.toLowerCase()), ...extra.suffix].some((rule) => host === rule.slice(1) || host.endsWith(rule))) return { ok: true };
+	return {
+		ok: false,
+		reason: "host_not_in_allowlist"
+	};
+}
+//#endregion
 //#region src/plugin.ts
 /**
 * @alfe.ai/openclaw-chat — OpenClaw chat channel plugin.
@@ -455,6 +556,37 @@ let connectingPromise = null;
 let metricsClient = null;
 const MAX_FILE_SIZE = 50 * 1024 * 1024;
 const DOWNLOAD_TIMEOUT_MS = 3e4;
+const MAX_REDIRECTS = 5;
+/**
+* Fetch `url` with `redirect: "manual"` and revalidate every hop against the
+* attachment allowlist. This defeats presigned-URL substitution attacks
+* where an attacker points us at a trusted host that 302s to metadata
+* or an internal service.
+*/
+async function fetchAttachmentWithValidation(url, signal) {
+	let currentUrl = url;
+	for (let hop = 0; hop <= MAX_REDIRECTS; hop += 1) {
+		const verdict = validateAttachmentUrl(currentUrl);
+		if (!verdict.ok) throw new Error(`attachment_url_rejected:${verdict.reason ?? "unknown"}`);
+		const res = await fetch(currentUrl, {
+			redirect: "manual",
+			signal
+		});
+		const status = res.status;
+		if (status >= 300 && status < 400) {
+			const location = res.headers.get("location");
+			if (!location) throw new Error("redirect_without_location");
+			try {
+				currentUrl = new URL(location, currentUrl).toString();
+			} catch {
+				throw new Error("invalid_redirect_target");
+			}
+			continue;
+		}
+		return res;
+	}
+	throw new Error("too_many_redirects");
+}
 async function downloadAttachments(attachments, log) {
 	const attachDir = join(homedir(), ".alfe", "attachments");
 	await mkdir(attachDir, { recursive: true });
@@ -467,7 +599,7 @@ async function downloadAttachments(attachments, log) {
 			controller.abort();
 		}, DOWNLOAD_TIMEOUT_MS);
 		try {
-			const res = await fetch(att.url, { signal: controller.signal });
+			const res = await fetchAttachmentWithValidation(att.url, controller.signal);
 			if (!res.ok) {
 				log.warn(`Failed to download attachment ${att.id}: ${String(res.status)}`);
 				continue;

package/openclaw.plugin.json

@@ -1,5 +1,9 @@
 {
   "id": "@alfe.ai/openclaw-chat",
+  "name": "Chat Plugin",
+  "version": "0.0.21",
+  "description": "Chat conversation channel — web widget and mobile app share unified chat sessions",
+  "entry": "./dist/plugin.js",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alfe.ai/openclaw-chat",
-  "version": "0.0.21",
+  "version": "0.0.23",
   "description": "OpenClaw chat plugin for Alfe — web widget and mobile app channels",
   "type": "module",
   "main": "./dist/plugin.js",
@@ -28,8 +28,8 @@
   ],
   "dependencies": {
     "@alfe.ai/agent-api-client": "^0.0.7",
-    "@alfe.ai/chat": "^0.0.7",
-    "@alfe.ai/config": "^0.0.7"
+    "@alfe.ai/chat": "^0.0.8",
+    "@alfe.ai/config": "^0.0.8"
   },
   "peerDependencies": {
     "openclaw": ">=2026.3.0"