openclaw-groupme 0.0.3 → 0.3.0

package/src/send.ts

@@ -1,6 +1,9 @@
 import { randomUUID } from "node:crypto";
+import { SsrFBlockedError, fetchWithSsrFGuard } from "openclaw/plugin-sdk";
 import type { CoreConfig } from "./types.js";
 import { resolveGroupMeAccount } from "./accounts.js";
+import { getGroupMeRuntime } from "./runtime.js";
+import { resolveGroupMeSecurity } from "./security.js";
 
 export const GROUPME_API_BASE = "https://api.groupme.com/v3";
 export const GROUPME_IMAGE_SERVICE = "https://image.groupme.com";
@@ -11,52 +14,46 @@ export type SendGroupMeResult = {
   timestamp: number;
 };
 
-type FetchLike = typeof fetch;
-
-type GroupMeBotPostPayload = {
-  bot_id: string;
-  text: string;
-  picture_url?: string;
-};
+type FetchLike = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+type RuntimeFetchRemoteMedia = (params: {
+  url: string;
+  fetchImpl?: FetchLike;
+  maxBytes?: number;
+  maxRedirects?: number;
+  ssrfPolicy?: {
+    allowPrivateNetwork?: boolean;
+  };
+}) => Promise<{
+  buffer: Buffer;
+  contentType?: string;
+}>;
 
-function buildGroupMeBotPostPayload(params: {
+export async function sendGroupMeMessage(params: {
   botId: string;
   text: string;
   pictureUrl?: string;
-}): GroupMeBotPostPayload {
-  const payload: GroupMeBotPostPayload = {
+  fetchFn?: FetchLike;
+}): Promise<SendGroupMeResult> {
+  const fetchFn = params.fetchFn ?? fetch;
+  const payload: { bot_id: string; text: string; picture_url?: string } = {
     bot_id: params.botId,
     text: params.text,
   };
   if (params.pictureUrl) {
     payload.picture_url = params.pictureUrl;
   }
-  return payload;
-}
-
-export async function sendGroupMeMessage(params: {
-  botId: string;
-  text: string;
-  pictureUrl?: string;
-  fetchFn?: FetchLike;
-}): Promise<SendGroupMeResult> {
-  const fetchFn = params.fetchFn ?? fetch;
   const response = await fetchFn(`${GROUPME_API_BASE}/bots/post`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
     },
-    body: JSON.stringify(
-      buildGroupMeBotPostPayload({
-        botId: params.botId,
-        text: params.text,
-        pictureUrl: params.pictureUrl,
-      }),
-    ),
+    body: JSON.stringify(payload),
   });
 
   if (!response.ok) {
-    throw new Error(`GroupMe API error: ${response.status} ${response.statusText}`);
+    throw new Error(
+      `GroupMe API error: ${response.status} ${response.statusText}`,
+    );
   }
 
   return {
@@ -66,22 +63,10 @@ export async function sendGroupMeMessage(params: {
 }
 
 function extractPictureUrl(value: unknown): string | null {
-  if (!value || typeof value !== "object" || Array.isArray(value)) {
-    return null;
-  }
-
-  const payload = (value as { payload?: unknown }).payload;
-  if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
-    return null;
-  }
-
-  const pictureUrl = (payload as { picture_url?: unknown }).picture_url;
-  if (typeof pictureUrl !== "string") {
-    return null;
-  }
-
-  const trimmed = pictureUrl.trim();
-  return trimmed || null;
+  const url = (value as { payload?: { picture_url?: unknown } })?.payload
+    ?.picture_url;
+  if (typeof url !== "string") return null;
+  return url.trim() || null;
 }
 
 export async function uploadGroupMeImage(params: {
@@ -115,18 +100,214 @@ export async function uploadGroupMeImage(params: {
 
 async function downloadRemoteMedia(params: {
   mediaUrl: string;
+  allowPrivateNetworks: boolean;
+  maxDownloadBytes: number;
+  requestTimeoutMs: number;
+  allowedMimePrefixes: string[];
   fetchFn?: FetchLike;
 }): Promise<{ data: Buffer; contentType: string }> {
-  const fetchFn = params.fetchFn ?? fetch;
-  const response = await fetchFn(params.mediaUrl);
-  if (!response.ok) {
-    throw new Error(`GroupMe media download failed: ${response.status} ${response.statusText}`);
+  const timedFetch = wrapFetchWithTimeout(
+    params.fetchFn,
+    params.requestTimeoutMs,
+  );
+
+  try {
+    const runtimeFetcher = getGroupMeRuntime().channel.media
+      .fetchRemoteMedia as RuntimeFetchRemoteMedia;
+    const fetched = await runtimeFetcher({
+      url: params.mediaUrl,
+      fetchImpl: timedFetch,
+      maxBytes: params.maxDownloadBytes,
+      maxRedirects: 3,
+      ssrfPolicy: {
+        allowPrivateNetwork: params.allowPrivateNetworks,
+      },
+    });
+
+    const contentType = enforceMimePolicy({
+      contentType: fetched.contentType,
+      allowedMimePrefixes: params.allowedMimePrefixes,
+    });
+    return { data: fetched.buffer, contentType };
+  } catch (error) {
+    if (!isRuntimeNotInitializedError(error)) {
+      if (isSsrfRelatedError(error)) {
+        throw new Error(`GroupMe media download blocked by SSRF policy`);
+      }
+      throw error;
+    }
+  }
+
+  try {
+    const guarded = await fetchWithSsrFGuard({
+      url: params.mediaUrl,
+      fetchImpl: timedFetch,
+      maxRedirects: 3,
+      policy: {
+        allowPrivateNetwork: params.allowPrivateNetworks,
+      },
+      auditContext: "groupme-outbound-media",
+    });
+
+    try {
+      const response = guarded.response;
+      if (!response.ok) {
+        throw new Error(
+          `GroupMe media download failed: ${response.status} ${response.statusText}`,
+        );
+      }
+
+      const contentLength = Number(response.headers.get("content-length"));
+      if (
+        Number.isFinite(contentLength) &&
+        contentLength > params.maxDownloadBytes
+      ) {
+        throw new Error(
+          `GroupMe media download exceeds maxDownloadBytes (${contentLength} > ${params.maxDownloadBytes})`,
+        );
+      }
+
+      const contentType = enforceMimePolicy({
+        contentType: response.headers.get("content-type") ?? "",
+        allowedMimePrefixes: params.allowedMimePrefixes,
+      });
+
+      const data = await readResponseBodyWithLimit(
+        response,
+        params.maxDownloadBytes,
+      );
+      return { data, contentType };
+    } finally {
+      await guarded.release();
+    }
+  } catch (error) {
+    if (error instanceof SsrFBlockedError) {
+      throw new Error(`GroupMe media download blocked by SSRF policy`);
+    }
+    throw error;
+  }
+}
+
+function wrapFetchWithTimeout(
+  fetchFn: FetchLike | undefined,
+  timeoutMs: number,
+): FetchLike {
+  const base = fetchFn ?? fetch;
+  return async (input: RequestInfo | URL, init?: RequestInit) => {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => {
+      controller.abort("GroupMe media fetch timed out");
+    }, timeoutMs);
+
+    const upstreamSignal = init?.signal;
+    const onAbort = () => controller.abort(upstreamSignal?.reason);
+    if (upstreamSignal) {
+      if (upstreamSignal.aborted) {
+        onAbort();
+      } else {
+        upstreamSignal.addEventListener("abort", onAbort, { once: true });
+      }
+    }
+
+    try {
+      return await base(input, {
+        ...init,
+        signal: controller.signal,
+      });
+    } finally {
+      clearTimeout(timeout);
+      if (upstreamSignal) {
+        upstreamSignal.removeEventListener("abort", onAbort);
+      }
+    }
+  };
+}
+
+function enforceMimePolicy(params: {
+  contentType: string | undefined;
+  allowedMimePrefixes: string[];
+}): string {
+  const contentType = (params.contentType ?? "")
+    .split(";")[0]
+    ?.trim()
+    .toLowerCase();
+  if (
+    !contentType ||
+    !params.allowedMimePrefixes.some((prefix) =>
+      contentType.startsWith(prefix.toLowerCase()),
+    )
+  ) {
+    throw new Error(
+      `GroupMe media download blocked by MIME policy (${contentType || "missing content-type"})`,
+    );
+  }
+  return contentType;
+}
+
+function isRuntimeNotInitializedError(error: unknown): boolean {
+  if (!(error instanceof Error)) {
+    return false;
   }
+  return /runtime not initialized/i.test(error.message);
+}
 
-  const contentType = response.headers.get("content-type") || "image/jpeg";
-  const data = Buffer.from(await response.arrayBuffer());
+function isSsrfRelatedError(error: unknown): boolean {
+  if (error instanceof SsrFBlockedError) {
+    return true;
+  }
+  if (!(error instanceof Error)) {
+    return false;
+  }
+  return /ssrf/i.test(error.message);
+}
 
-  return { data, contentType };
+async function readResponseBodyWithLimit(
+  response: Response,
+  maxDownloadBytes: number,
+): Promise<Buffer> {
+  const reader = response.body?.getReader();
+  if (!reader) {
+    const fallback = Buffer.from(await response.arrayBuffer());
+    if (fallback.length > maxDownloadBytes) {
+      throw new Error(
+        `GroupMe media download exceeds maxDownloadBytes (${fallback.length} > ${maxDownloadBytes})`,
+      );
+    }
+    return fallback;
+  }
+
+  const chunks: Uint8Array[] = [];
+  let totalBytes = 0;
+  let exceededLimit = false;
+  try {
+    while (true) {
+      const next = await reader.read();
+      if (next.done) {
+        break;
+      }
+      const chunk = next.value;
+      if (!chunk || chunk.length === 0) {
+        continue;
+      }
+      totalBytes += chunk.length;
+      if (totalBytes > maxDownloadBytes) {
+        exceededLimit = true;
+        throw new Error(
+          `GroupMe media download exceeds maxDownloadBytes (${totalBytes} > ${maxDownloadBytes})`,
+        );
+      }
+      chunks.push(chunk);
+    }
+  } finally {
+    if (exceededLimit) {
+      try {
+        await reader.cancel();
+      } catch {
+        // Ignore cancellation errors; preserve original failure reason.
+      }
+    }
+  }
+  return Buffer.concat(chunks.map((chunk) => Buffer.from(chunk)));
 }
 
 export async function sendGroupMeText(params: {
@@ -173,8 +354,13 @@ export async function sendGroupMeMedia(params: {
     );
   }
 
+  const security = resolveGroupMeSecurity(account.config);
   const { data, contentType } = await downloadRemoteMedia({
     mediaUrl: params.mediaUrl,
+    allowPrivateNetworks: security.media.allowPrivateNetworks,
+    maxDownloadBytes: security.media.maxDownloadBytes,
+    requestTimeoutMs: security.media.requestTimeoutMs,
+    allowedMimePrefixes: security.media.allowedMimePrefixes,
     fetchFn: params.fetchFn,
   });
 

package/src/types.ts

@@ -6,15 +6,63 @@ import type {
 
 export type GroupMeAllowFromEntry = string | number;
 
+export type GroupMeReplayConfig = {
+  ttlSeconds?: number;
+  maxEntries?: number;
+};
+
+export type GroupMeRateLimitConfig = {
+  windowMs?: number;
+  maxRequestsPerIp?: number;
+  maxRequestsPerSender?: number;
+  maxConcurrent?: number;
+};
+
+export type GroupMeMediaSecurityConfig = {
+  allowPrivateNetworks?: boolean;
+  maxDownloadBytes?: number;
+  requestTimeoutMs?: number;
+  allowedMimePrefixes?: string[];
+};
+
+export type GroupMeLoggingSecurityConfig = {
+  redactSecrets?: boolean;
+  logRejectedRequests?: boolean;
+};
+
+export type GroupMeCommandBypassSecurityConfig = {
+  requireAllowFrom?: boolean;
+  requireMentionForCommands?: boolean;
+};
+
+export type GroupMeProxySecurityConfig = {
+  trustedProxyCidrs?: string[];
+  allowedPublicHosts?: string[];
+  requireHttpsProto?: boolean;
+  rejectStatus?: 400 | 403 | 404;
+};
+
+export type GroupMeSecurityConfig = {
+  replay?: GroupMeReplayConfig;
+  rateLimit?: GroupMeRateLimitConfig;
+  media?: GroupMeMediaSecurityConfig;
+  logging?: GroupMeLoggingSecurityConfig;
+  commandBypass?: GroupMeCommandBypassSecurityConfig;
+  proxy?: GroupMeProxySecurityConfig;
+};
+
 export type GroupMeAccountConfig = {
   name?: string;
   enabled?: boolean;
   botId?: string;
   accessToken?: string;
   botName?: string;
-  callbackPath?: string;
+  groupId?: string;
+  publicDomain?: string;
+  callbackUrl?: string;
   mentionPatterns?: string[];
   requireMention?: boolean;
+  historyLimit?: number;
   allowFrom?: GroupMeAllowFromEntry[];
   markdown?: MarkdownConfig;
   textChunkLimit?: number;
@@ -22,6 +70,7 @@ export type GroupMeAccountConfig = {
   blockStreamingCoalesce?: BlockStreamingCoalesceConfig;
   responsePrefix?: string;
   mediaMaxMb?: number;
+  security?: GroupMeSecurityConfig;
 };
 
 export type GroupMeConfig = GroupMeAccountConfig & {
@@ -101,3 +150,51 @@ export type GroupMeProbe = {
   botId?: string;
   error?: string;
 };
+
+export type CallbackAuthResult =
+  | { ok: true; tokenId: "active" }
+  | {
+      ok: false;
+      reason: "missing" | "mismatch" | "disabled";
+    };
+
+export type GroupMeApiGroup = {
+  id: string;
+  name: string;
+  description: string;
+  image_url: string | null;
+  creator_user_id: string;
+  created_at: number;
+  updated_at: number;
+  messages: {
+    count: number;
+    last_message_created_at: number;
+    preview: {
+      nickname: string;
+      text: string;
+    };
+  };
+};
+
+export type GroupMeApiBot = {
+  bot_id: string;
+  group_id: string;
+  name: string;
+  avatar_url: string | null;
+  callback_url: string;
+  dm_notification: boolean;
+  active: boolean;
+};
+
+export type ReplayCheck =
+  | { kind: "accepted"; key: string }
+  | { kind: "duplicate"; key: string };
+
+export type WebhookDecision =
+  | { kind: "accept"; message: GroupMeCallbackData; release: () => void }
+  | {
+      kind: "reject";
+      status: number;
+      reason: string;
+      logLevel: "debug" | "warn";
+    };

package/.github/workflows/publish-npm.yml

@@ -1,30 +0,0 @@
-name: Publish to npm
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  id-token: write
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 24
-          registry-url: https://registry.npmjs.org
-
-      - name: Show package version
-        run: npm pkg get name version
-
-      - name: Publish package
-        run: npm publish --provenance --access public

package/openclaw.plugin.json

@@ -1,9 +0,0 @@
-{
-  "id": "groupme",
-  "channels": ["groupme"],
-  "configSchema": {
-    "type": "object",
-    "additionalProperties": false,
-    "properties": {}
-  }
-}

package/src/monitor.test.ts

@@ -1,186 +0,0 @@
-import type { AddressInfo } from "node:net";
-import type { RuntimeEnv } from "openclaw/plugin-sdk";
-import { createServer } from "node:http";
-import { describe, expect, it, vi } from "vitest";
-import type { CoreConfig, ResolvedGroupMeAccount } from "./types.js";
-
-const handleGroupMeInboundMock = vi.hoisted(() => vi.fn(async () => undefined));
-
-vi.mock("./inbound.js", () => ({
-  handleGroupMeInbound: handleGroupMeInboundMock,
-}));
-
-import { createGroupMeWebhookHandler } from "./monitor.js";
-
-async function withServer(
-  handler: Parameters<typeof createServer>[0],
-  fn: (baseUrl: string) => Promise<void>,
-) {
-  const server = createServer(handler);
-  await new Promise<void>((resolve, reject) => {
-    const onError = (error: Error) => {
-      server.off("listening", onListening);
-      reject(error);
-    };
-    const onListening = () => {
-      server.off("error", onError);
-      resolve();
-    };
-    server.once("error", onError);
-    server.once("listening", onListening);
-    server.listen(0, "127.0.0.1");
-  });
-
-  const address = server.address() as AddressInfo | null;
-  if (!address) {
-    throw new Error("missing server address");
-  }
-
-  try {
-    await fn(`http://127.0.0.1:${address.port}`);
-  } finally {
-    await new Promise<void>((resolve) => server.close(() => resolve()));
-  }
-}
-
-function isListenPermissionError(error: unknown): boolean {
-  if (!error || typeof error !== "object") {
-    return false;
-  }
-  const maybeErr = error as { code?: unknown; syscall?: unknown };
-  return maybeErr.code === "EPERM" && maybeErr.syscall === "listen";
-}
-
-async function runIfServerAllowed(fn: () => Promise<void>): Promise<void> {
-  try {
-    await fn();
-  } catch (error) {
-    if (isListenPermissionError(error)) {
-      return;
-    }
-    throw error;
-  }
-}
-
-function buildRuntime(): RuntimeEnv {
-  return {
-    log: vi.fn(),
-    error: vi.fn(),
-    exit: (() => {
-      throw new Error("exit");
-    }) as RuntimeEnv["exit"],
-  };
-}
-
-const account: ResolvedGroupMeAccount = {
-  accountId: "default",
-  enabled: true,
-  configured: true,
-  botId: "bot-1",
-  accessToken: "token-1",
-  config: {
-    botId: "bot-1",
-    accessToken: "token-1",
-  },
-};
-
-const config = {} as CoreConfig;
-
-describe("createGroupMeWebhookHandler", () => {
-  it("returns 405 for non-POST", async () => {
-    const runtime = buildRuntime();
-    const handler = createGroupMeWebhookHandler({ account, config, runtime });
-
-    await runIfServerAllowed(async () => {
-      await withServer(
-        async (req, res) => handler(req, res),
-        async (baseUrl) => {
-          const response = await fetch(`${baseUrl}/groupme`, { method: "GET" });
-          expect(response.status).toBe(405);
-          expect(await response.text()).toBe("Method Not Allowed");
-        },
-      );
-    });
-  });
-
-  it("returns 400 for invalid JSON", async () => {
-    const runtime = buildRuntime();
-    const handler = createGroupMeWebhookHandler({ account, config, runtime });
-
-    await runIfServerAllowed(async () => {
-      await withServer(
-        async (req, res) => handler(req, res),
-        async (baseUrl) => {
-          const response = await fetch(`${baseUrl}/groupme`, {
-            method: "POST",
-            headers: { "content-type": "application/json" },
-            body: "{",
-          });
-          expect(response.status).toBe(400);
-        },
-      );
-    });
-  });
-
-  it("acknowledges parseable payload and dispatches inbound", async () => {
-    handleGroupMeInboundMock.mockClear();
-    const runtime = buildRuntime();
-    const handler = createGroupMeWebhookHandler({ account, config, runtime });
-
-    const payload = {
-      id: "msg-1",
-      text: "hello",
-      name: "Alice",
-      sender_type: "user",
-      sender_id: "123",
-      user_id: "123",
-      group_id: "456",
-      source_guid: "source",
-      created_at: 1_700_000_000,
-      system: false,
-      attachments: [],
-    };
-
-    await runIfServerAllowed(async () => {
-      await withServer(
-        async (req, res) => handler(req, res),
-        async (baseUrl) => {
-          const response = await fetch(`${baseUrl}/groupme`, {
-            method: "POST",
-            headers: { "content-type": "application/json" },
-            body: JSON.stringify(payload),
-          });
-          expect(response.status).toBe(200);
-          expect(await response.text()).toBe("ok");
-
-          // Wait for fire-and-forget processing.
-          await new Promise((resolve) => setTimeout(resolve, 0));
-          expect(handleGroupMeInboundMock).toHaveBeenCalledTimes(1);
-        },
-      );
-    });
-  });
-
-  it("drops unparseable payload after returning 200", async () => {
-    handleGroupMeInboundMock.mockClear();
-    const runtime = buildRuntime();
-    const handler = createGroupMeWebhookHandler({ account, config, runtime });
-
-    await runIfServerAllowed(async () => {
-      await withServer(
-        async (req, res) => handler(req, res),
-        async (baseUrl) => {
-          const response = await fetch(`${baseUrl}/groupme`, {
-            method: "POST",
-            headers: { "content-type": "application/json" },
-            body: JSON.stringify({ nope: true }),
-          });
-          expect(response.status).toBe(200);
-          await new Promise((resolve) => setTimeout(resolve, 0));
-          expect(handleGroupMeInboundMock).not.toHaveBeenCalled();
-          expect(runtime.log).toHaveBeenCalledWith("groupme: unparseable callback payload");
-        },
-      );
-    });
-  });
-});