@kodelyth/msteams 2026.5.42 → 2026.6.2

package/src/file-consent.test.ts

@@ -1,378 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import {
-  CONSENT_UPLOAD_HOST_ALLOWLIST,
-  isPrivateOrReservedIP,
-  uploadToConsentUrl,
-  validateConsentUploadUrl,
-} from "./file-consent.js";
-import { buildUserAgent } from "./user-agent.js";
-
-// Helper: a resolveFn that returns a public IP by default
-const publicResolve = async () => ({ address: "13.107.136.10" });
-// Helper: a resolveFn that returns a private IP
-const privateResolve = (ip: string) => async () => ({ address: ip });
-// Helper: a resolveFn that returns multiple addresses
-const multiResolve = (ips: string[]) => async () => ips.map((address) => ({ address }));
-// Helper: a resolveFn that fails
-const failingResolve = async () => {
-  throw new Error("DNS failure");
-};
-
-const firstFetchCall = (fetchFn: ReturnType<typeof vi.fn<typeof fetch>>) => {
-  const [call] = fetchFn.mock.calls;
-  if (!call) {
-    throw new Error("expected fetch call");
-  }
-  return call;
-};
-
-// ─── isPrivateOrReservedIP ───────────────────────────────────────────────────
-
-describe("isPrivateOrReservedIP", () => {
-  it.each([
-    ["10.0.0.1", true],
-    ["10.255.255.255", true],
-    ["172.16.0.1", true],
-    ["172.31.255.255", true],
-    ["172.15.0.1", false],
-    ["172.32.0.1", false],
-    ["192.168.0.1", true],
-    ["192.168.255.255", true],
-    ["127.0.0.1", true],
-    ["127.255.255.255", true],
-    ["169.254.0.1", true],
-    ["169.254.169.254", true],
-    ["0.0.0.0", true],
-    ["8.8.8.8", false],
-    ["13.107.136.10", false],
-    ["52.96.0.1", false],
-  ] as const)("IPv4 %s → %s", (ip, expected) => {
-    expect(isPrivateOrReservedIP(ip)).toBe(expected);
-  });
-
-  it.each([
-    ["::1", true],
-    ["::", true],
-    ["fe80::1", true],
-    ["fe80::", true],
-    ["fc00::1", true],
-    ["fd12:3456::1", true],
-    ["2001:0db8::1", true],
-    ["2620:1ec:c11::200", false],
-    // IPv4-mapped IPv6 addresses
-    ["::ffff:127.0.0.1", true],
-    ["::ffff:10.0.0.1", true],
-    ["::ffff:192.168.1.1", true],
-    ["::ffff:169.254.169.254", true],
-    ["::ffff:8.8.8.8", false],
-    ["::ffff:13.107.136.10", false],
-  ] as const)("IPv6 %s → %s", (ip, expected) => {
-    expect(isPrivateOrReservedIP(ip)).toBe(expected);
-  });
-
-  it.each([
-    ["999.999.999.999", true],
-    ["256.0.0.1", true],
-    ["10.0.0.256", true],
-    ["-1.0.0.1", false],
-    ["1.2.3.4.5", false],
-  ] as const)("malformed IPv4 %s → %s", (ip, expected) => {
-    expect(isPrivateOrReservedIP(ip)).toBe(expected);
-  });
-});
-
-// ─── validateConsentUploadUrl ────────────────────────────────────────────────
-
-describe("validateConsentUploadUrl", () => {
-  it("accepts a valid SharePoint HTTPS URL", async () => {
-    await expect(
-      validateConsentUploadUrl("https://contoso.sharepoint.com/sites/uploads/file.pdf", {
-        resolveFn: publicResolve,
-      }),
-    ).resolves.toBeUndefined();
-  });
-
-  it("accepts subdomains of allowlisted domains", async () => {
-    await expect(
-      validateConsentUploadUrl(
-        "https://contoso-my.sharepoint.com/personal/user/Documents/file.docx",
-        { resolveFn: publicResolve },
-      ),
-    ).resolves.toBeUndefined();
-  });
-
-  it("accepts graph.microsoft.com", async () => {
-    await expect(
-      validateConsentUploadUrl("https://graph.microsoft.com/v1.0/me/drive/items/123/content", {
-        resolveFn: publicResolve,
-      }),
-    ).resolves.toBeUndefined();
-  });
-
-  it("rejects non-HTTPS URLs", async () => {
-    await expect(
-      validateConsentUploadUrl("http://contoso.sharepoint.com/file.pdf", {
-        resolveFn: publicResolve,
-      }),
-    ).rejects.toThrow("must use HTTPS");
-  });
-
-  it("rejects invalid URLs", async () => {
-    await expect(
-      validateConsentUploadUrl("not a url", { resolveFn: publicResolve }),
-    ).rejects.toThrow("not a valid URL");
-  });
-
-  it("rejects hosts not in the allowlist", async () => {
-    await expect(
-      validateConsentUploadUrl("https://evil.example.com/exfil", { resolveFn: publicResolve }),
-    ).rejects.toThrow("not in the allowed domains");
-  });
-
-  it("rejects an SSRF attempt with internal metadata URL", async () => {
-    await expect(
-      validateConsentUploadUrl("https://169.254.169.254/latest/meta-data/", {
-        resolveFn: publicResolve,
-      }),
-    ).rejects.toThrow("not in the allowed domains");
-  });
-
-  it("rejects localhost", async () => {
-    await expect(
-      validateConsentUploadUrl("https://localhost:8080/internal", { resolveFn: publicResolve }),
-    ).rejects.toThrow("not in the allowed domains");
-  });
-
-  it("rejects when DNS resolves to a private IPv4 (10.x)", async () => {
-    await expect(
-      validateConsentUploadUrl("https://malicious.sharepoint.com/exfil", {
-        resolveFn: privateResolve("10.0.0.1"),
-      }),
-    ).rejects.toThrow("private/reserved IP");
-  });
-
-  it("rejects when DNS resolves to loopback", async () => {
-    await expect(
-      validateConsentUploadUrl("https://evil.sharepoint.com/path", {
-        resolveFn: privateResolve("127.0.0.1"),
-      }),
-    ).rejects.toThrow("private/reserved IP");
-  });
-
-  it("rejects when DNS resolves to link-local (169.254.x.x)", async () => {
-    await expect(
-      validateConsentUploadUrl("https://evil.sharepoint.com/path", {
-        resolveFn: privateResolve("169.254.169.254"),
-      }),
-    ).rejects.toThrow("private/reserved IP");
-  });
-
-  it("rejects when DNS resolves to IPv6 loopback", async () => {
-    await expect(
-      validateConsentUploadUrl("https://evil.sharepoint.com/path", {
-        resolveFn: privateResolve("::1"),
-      }),
-    ).rejects.toThrow("private/reserved IP");
-  });
-
-  it("rejects when DNS resolves to IPv4-mapped IPv6 private address", async () => {
-    await expect(
-      validateConsentUploadUrl("https://evil.sharepoint.com/path", {
-        resolveFn: privateResolve("::ffff:10.0.0.1"),
-      }),
-    ).rejects.toThrow("private/reserved IP");
-  });
-
-  it("rejects when DNS resolves to IPv4-mapped IPv6 loopback", async () => {
-    await expect(
-      validateConsentUploadUrl("https://evil.sharepoint.com/path", {
-        resolveFn: privateResolve("::ffff:127.0.0.1"),
-      }),
-    ).rejects.toThrow("private/reserved IP");
-  });
-
-  it("rejects when any DNS answer is private/reserved", async () => {
-    await expect(
-      validateConsentUploadUrl("https://evil.sharepoint.com/path", {
-        resolveFn: multiResolve(["13.107.136.10", "10.0.0.1"]),
-      }),
-    ).rejects.toThrow("private/reserved IP");
-  });
-
-  it("accepts when all DNS answers are public", async () => {
-    await expect(
-      validateConsentUploadUrl("https://evil.sharepoint.com/path", {
-        resolveFn: multiResolve(["13.107.136.10", "52.96.0.1"]),
-      }),
-    ).resolves.toBeUndefined();
-  });
-
-  it("rejects when DNS resolution fails", async () => {
-    await expect(
-      validateConsentUploadUrl("https://nonexistent.sharepoint.com/path", {
-        resolveFn: failingResolve,
-      }),
-    ).rejects.toThrow("Failed to resolve");
-  });
-
-  it("accepts a custom allowlist", async () => {
-    await expect(
-      validateConsentUploadUrl("https://custom.example.org/file", {
-        allowlist: ["example.org"],
-        resolveFn: publicResolve,
-      }),
-    ).resolves.toBeUndefined();
-  });
-
-  it("rejects hosts that are suffix-tricked (e.g. notsharepoint.com)", async () => {
-    await expect(
-      validateConsentUploadUrl("https://notsharepoint.com/file", { resolveFn: publicResolve }),
-    ).rejects.toThrow("not in the allowed domains");
-  });
-
-  it("rejects file:// protocol", async () => {
-    await expect(
-      validateConsentUploadUrl("file:///etc/passwd", { resolveFn: publicResolve }),
-    ).rejects.toThrow("must use HTTPS");
-  });
-});
-
-// ─── CONSENT_UPLOAD_HOST_ALLOWLIST ───────────────────────────────────────────
-
-describe("CONSENT_UPLOAD_HOST_ALLOWLIST", () => {
-  it("contains only Microsoft/SharePoint domains", () => {
-    for (const domain of CONSENT_UPLOAD_HOST_ALLOWLIST) {
-      expect(
-        domain.includes("microsoft") ||
-          domain.includes("sharepoint") ||
-          domain.includes("onedrive") ||
-          domain.includes("1drv") ||
-          domain.includes("live.com"),
-      ).toBe(true);
-    }
-  });
-
-  it("does not contain overly broad domains", () => {
-    const broad = [
-      "microsoft.com",
-      "azure.com",
-      "blob.core.windows.net",
-      "azureedge.net",
-      "trafficmanager.net",
-    ];
-    for (const domain of broad) {
-      expect(CONSENT_UPLOAD_HOST_ALLOWLIST).not.toContain(domain);
-    }
-  });
-});
-
-// ─── uploadToConsentUrl (integration with validation) ────────────────────────
-
-describe("uploadToConsentUrl", () => {
-  it("sends the Klaw User-Agent header with consent uploads", async () => {
-    const fetchFn = vi.fn<typeof fetch>(async () => new Response(null, { status: 200 }));
-
-    await uploadToConsentUrl({
-      url: "https://contoso.sharepoint.com/upload",
-      buffer: Buffer.from("hello"),
-      fetchFn,
-      validationOpts: { resolveFn: publicResolve },
-    });
-
-    expect(fetchFn).toHaveBeenCalledOnce();
-    const [url, opts] = firstFetchCall(fetchFn);
-    expect(url).toBe("https://contoso.sharepoint.com/upload");
-    expect(opts?.method).toBe("PUT");
-    expect(opts?.headers).toEqual({
-      "Content-Range": "bytes 0-4/5",
-      "Content-Type": "application/octet-stream",
-      "User-Agent": buildUserAgent(),
-    });
-    expect(opts?.body).toEqual(new Uint8Array(Buffer.from("hello")));
-  });
-
-  it("blocks upload to a disallowed host", async () => {
-    const mockFetch = vi.fn();
-    await expect(
-      uploadToConsentUrl({
-        url: "https://evil.example.com/exfil",
-        buffer: Buffer.from("secret data"),
-        fetchFn: mockFetch,
-        validationOpts: { resolveFn: publicResolve },
-      }),
-    ).rejects.toThrow("not in the allowed domains");
-
-    expect(mockFetch).not.toHaveBeenCalled();
-  });
-
-  it("blocks upload to a private IP", async () => {
-    const mockFetch = vi.fn();
-    await expect(
-      uploadToConsentUrl({
-        url: "https://compromised.sharepoint.com/upload",
-        buffer: Buffer.from("data"),
-        fetchFn: mockFetch,
-        validationOpts: { resolveFn: privateResolve("10.0.0.1") },
-      }),
-    ).rejects.toThrow("private/reserved IP");
-
-    expect(mockFetch).not.toHaveBeenCalled();
-  });
-
-  it("allows upload to a valid SharePoint URL and performs PUT", async () => {
-    const mockFetch = vi.fn<typeof fetch>(async () => new Response(null, { status: 200 }));
-    const buffer = Buffer.from("file content");
-
-    await uploadToConsentUrl({
-      url: "https://contoso.sharepoint.com/sites/uploads/file.pdf",
-      buffer,
-      contentType: "application/pdf",
-      fetchFn: mockFetch,
-      validationOpts: { resolveFn: publicResolve },
-    });
-
-    expect(mockFetch).toHaveBeenCalledOnce();
-    const [url, opts] = firstFetchCall(mockFetch);
-    expect(url).toBe("https://contoso.sharepoint.com/sites/uploads/file.pdf");
-    expect(opts).toEqual({
-      method: "PUT",
-      headers: {
-        "User-Agent": buildUserAgent(),
-        "Content-Type": "application/pdf",
-        "Content-Range": "bytes 0-11/12",
-      },
-      body: new Uint8Array(buffer),
-    });
-  });
-
-  it("throws on non-OK response after passing validation", async () => {
-    const mockFetch = vi.fn().mockResolvedValue({
-      ok: false,
-      status: 403,
-      statusText: "Forbidden",
-    });
-
-    await expect(
-      uploadToConsentUrl({
-        url: "https://contoso.sharepoint.com/sites/uploads/file.pdf",
-        buffer: Buffer.from("data"),
-        fetchFn: mockFetch,
-        validationOpts: { resolveFn: publicResolve },
-      }),
-    ).rejects.toThrow("File upload to consent URL failed: 403 Forbidden");
-  });
-
-  it("blocks HTTP (non-HTTPS) upload before fetch is called", async () => {
-    const mockFetch = vi.fn();
-    await expect(
-      uploadToConsentUrl({
-        url: "http://contoso.sharepoint.com/upload",
-        buffer: Buffer.from("data"),
-        fetchFn: mockFetch,
-        validationOpts: { resolveFn: publicResolve },
-      }),
-    ).rejects.toThrow("must use HTTPS");
-
-    expect(mockFetch).not.toHaveBeenCalled();
-  });
-});

package/src/file-consent.ts

@@ -1,223 +0,0 @@
-/**
- * FileConsentCard utilities for MS Teams large file uploads (>4MB) in personal chats.
- *
- * Teams requires user consent before the bot can upload large files. This module provides
- * utilities for:
- * - Building FileConsentCard attachments (to request upload permission)
- * - Building FileInfoCard attachments (to confirm upload completion)
- * - Parsing fileConsent/invoke activities
- */
-
-import { lookup } from "node:dns/promises";
-import { isPrivateIpAddress } from "klaw/plugin-sdk/ssrf-policy";
-import { normalizeLowercaseStringOrEmpty } from "klaw/plugin-sdk/string-coerce-runtime";
-import { buildUserAgent } from "./user-agent.js";
-
-/**
- * Allowlist of domains that are valid targets for file consent uploads.
- * These are the Microsoft/SharePoint domains that Teams legitimately provides
- * as upload destinations in the FileConsentCard flow.
- */
-export const CONSENT_UPLOAD_HOST_ALLOWLIST = [
-  "sharepoint.com",
-  "sharepoint.us",
-  "sharepoint.de",
-  "sharepoint.cn",
-  "sharepoint-df.com",
-  "storage.live.com",
-  "onedrive.com",
-  "1drv.ms",
-  "graph.microsoft.com",
-  "graph.microsoft.us",
-  "graph.microsoft.de",
-  "graph.microsoft.cn",
-] as const;
-
-/**
- * Returns true if the given IPv4 or IPv6 address is private, internal, or
- * special-use and must never be reached via consent uploads.
- */
-export const isPrivateOrReservedIP: (ip: string) => boolean = isPrivateIpAddress;
-
-/**
- * Validate that a consent upload URL is safe to PUT to.
- * Checks:
- * 1. Protocol is HTTPS
- * 2. Hostname matches the consent upload allowlist
- * 3. Resolved IP is not in a private/reserved range (anti-SSRF)
- *
- * @throws Error if the URL fails validation
- */
-export async function validateConsentUploadUrl(
-  url: string,
-  opts?: {
-    allowlist?: readonly string[];
-    resolveFn?: (hostname: string) => Promise<{ address: string } | { address: string }[]>;
-  },
-): Promise<void> {
-  let parsed: URL;
-  try {
-    parsed = new URL(url);
-  } catch {
-    throw new Error("Consent upload URL is not a valid URL");
-  }
-
-  // 1. Protocol check
-  if (parsed.protocol !== "https:") {
-    throw new Error(`Consent upload URL must use HTTPS, got ${parsed.protocol}`);
-  }
-
-  // 2. Hostname allowlist check
-  const hostname = normalizeLowercaseStringOrEmpty(parsed.hostname);
-  const allowlist = opts?.allowlist ?? CONSENT_UPLOAD_HOST_ALLOWLIST;
-  const hostAllowed = allowlist.some(
-    (entry) => hostname === entry || hostname.endsWith(`.${entry}`),
-  );
-  if (!hostAllowed) {
-    throw new Error(`Consent upload URL hostname "${hostname}" is not in the allowed domains`);
-  }
-
-  // 3. DNS resolution — reject private/reserved IPs.
-  // Check all resolved addresses to avoid SSRF bypass via mixed public/private answers.
-  const resolveFn = opts?.resolveFn ?? ((name: string) => lookup(name, { all: true }));
-  let resolved: { address: string }[];
-  try {
-    const result = await resolveFn(hostname);
-    resolved = Array.isArray(result) ? result : [result];
-  } catch {
-    throw new Error(`Failed to resolve consent upload URL hostname "${hostname}"`);
-  }
-
-  for (const entry of resolved) {
-    if (isPrivateOrReservedIP(entry.address)) {
-      throw new Error(`Consent upload URL resolves to a private/reserved IP (${entry.address})`);
-    }
-  }
-}
-
-interface FileConsentCardParams {
-  filename: string;
-  description?: string;
-  sizeInBytes: number;
-  /** Custom context data to include in the card (passed back in the invoke) */
-  context?: Record<string, unknown>;
-}
-
-interface FileInfoCardParams {
-  filename: string;
-  contentUrl: string;
-  uniqueId: string;
-  fileType: string;
-}
-
-/**
- * Build a FileConsentCard attachment for requesting upload permission.
- * Use this for files >= 4MB in personal (1:1) chats.
- */
-export function buildFileConsentCard(params: FileConsentCardParams) {
-  return {
-    contentType: "application/vnd.microsoft.teams.card.file.consent",
-    name: params.filename,
-    content: {
-      description: params.description ?? `File: ${params.filename}`,
-      sizeInBytes: params.sizeInBytes,
-      acceptContext: { filename: params.filename, ...params.context },
-      declineContext: { filename: params.filename, ...params.context },
-    },
-  };
-}
-
-/**
- * Build a FileInfoCard attachment for confirming upload completion.
- * Send this after successfully uploading the file to the consent URL.
- */
-export function buildFileInfoCard(params: FileInfoCardParams) {
-  return {
-    contentType: "application/vnd.microsoft.teams.card.file.info",
-    contentUrl: params.contentUrl,
-    name: params.filename,
-    content: {
-      uniqueId: params.uniqueId,
-      fileType: params.fileType,
-    },
-  };
-}
-
-interface FileConsentUploadInfo {
-  name: string;
-  uploadUrl: string;
-  contentUrl: string;
-  uniqueId: string;
-  fileType: string;
-}
-
-interface FileConsentResponse {
-  action: "accept" | "decline";
-  uploadInfo?: FileConsentUploadInfo;
-  context?: Record<string, unknown>;
-}
-
-/**
- * Parse a fileConsent/invoke activity.
- * Returns null if the activity is not a file consent invoke.
- */
-export function parseFileConsentInvoke(activity: {
-  name?: string;
-  value?: unknown;
-}): FileConsentResponse | null {
-  if (activity.name !== "fileConsent/invoke") {
-    return null;
-  }
-
-  const value = activity.value as {
-    type?: string;
-    action?: string;
-    uploadInfo?: FileConsentUploadInfo;
-    context?: Record<string, unknown>;
-  };
-
-  if (value?.type !== "fileUpload") {
-    return null;
-  }
-
-  return {
-    action: value.action === "accept" ? "accept" : "decline",
-    uploadInfo: value.uploadInfo,
-    context: value.context,
-  };
-}
-
-/**
- * Upload a file to the consent URL provided by Teams.
- * The URL is provided in the fileConsent/invoke response after user accepts.
- *
- * @throws Error if the URL fails SSRF validation (non-HTTPS, disallowed host, private IP)
- */
-export async function uploadToConsentUrl(params: {
-  url: string;
-  buffer: Buffer;
-  contentType?: string;
-  fetchFn?: typeof fetch;
-  /** Override for testing — custom allowlist and DNS resolver */
-  validationOpts?: {
-    allowlist?: readonly string[];
-    resolveFn?: (hostname: string) => Promise<{ address: string } | { address: string }[]>;
-  };
-}): Promise<void> {
-  await validateConsentUploadUrl(params.url, params.validationOpts);
-
-  const fetchFn = params.fetchFn ?? fetch;
-  const res = await fetchFn(params.url, {
-    method: "PUT",
-    headers: {
-      "User-Agent": buildUserAgent(),
-      "Content-Type": params.contentType ?? "application/octet-stream",
-      "Content-Range": `bytes 0-${params.buffer.length - 1}/${params.buffer.length}`,
-    },
-    body: new Uint8Array(params.buffer),
-  });
-
-  if (!res.ok) {
-    throw new Error(`File upload to consent URL failed: ${res.status} ${res.statusText}`);
-  }
-}

package/src/graph-chat.ts

@@ -1,36 +0,0 @@
-import { normalizeLowercaseStringOrEmpty } from "klaw/plugin-sdk/string-coerce-runtime";
-import type { DriveItemProperties } from "./graph-upload.js";
-
-export function buildTeamsFileInfoCard(file: DriveItemProperties): {
-  contentType: string;
-  contentUrl: string;
-  name: string;
-  content: {
-    uniqueId: string;
-    fileType: string;
-  };
-} {
-  // Extract unique ID from eTag (remove quotes, braces, and version suffix)
-  // Example eTag formats: "{GUID},version" or "\"{GUID},version\""
-  const rawETag = file.eTag;
-  const uniqueId =
-    rawETag
-      .replace(/^["']|["']$/g, "") // Remove outer quotes
-      .replace(/[{}]/g, "") // Remove curly braces
-      .split(",")[0] ?? rawETag; // Take the GUID part before comma
-
-  // Extract file extension from filename
-  const lastDot = file.name.lastIndexOf(".");
-  const fileType =
-    lastDot >= 0 ? normalizeLowercaseStringOrEmpty(file.name.slice(lastDot + 1)) : "";
-
-  return {
-    contentType: "application/vnd.microsoft.teams.card.file.info",
-    contentUrl: file.webDavUrl,
-    name: file.name,
-    content: {
-      uniqueId,
-      fileType,
-    },
-  };
-}