negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(feishu): fail closed on webhook signature checks

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-13 03:10:12 +00:00
parent ec3c20d96d
commit 496ca3a637
3 changed files with 411 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
extensions/feishu/src/monitor.transport.ts
View File

@@ -1,7 +1,9 @@
import * as http from "http"; import * as http from "http";
import crypto from "node:crypto";
import * as Lark from "@larksuiteoapi/node-sdk"; import * as Lark from "@larksuiteoapi/node-sdk";
import { import {
applyBasicWebhookRequestGuards, applyBasicWebhookRequestGuards,
readJsonBodyWithLimit,
type RuntimeEnv, type RuntimeEnv,
installRequestBodyLimitGuard, installRequestBodyLimitGuard,
} from "openclaw/plugin-sdk/feishu"; } from "openclaw/plugin-sdk/feishu";
@@ -26,6 +28,50 @@ export type MonitorTransportParams = {
eventDispatcher: Lark.EventDispatcher; eventDispatcher: Lark.EventDispatcher;
}; };
function isFeishuWebhookPayload(value: unknown): value is Record<string, unknown> {
return !!value && typeof value === "object" && !Array.isArray(value);
}
function buildFeishuWebhookEnvelope(
req: http.IncomingMessage,
payload: Record<string, unknown>,
): Record<string, unknown> {
return Object.assign(Object.create({ headers: req.headers }), payload) as Record<string, unknown>;
}
function isFeishuWebhookSignatureValid(params: {
headers: http.IncomingHttpHeaders;
payload: Record<string, unknown>;
encryptKey?: string;
}): boolean {
const encryptKey = params.encryptKey?.trim();
if (!encryptKey) {
return true;
}
const timestampHeader = params.headers["x-lark-request-timestamp"];
const nonceHeader = params.headers["x-lark-request-nonce"];
const signatureHeader = params.headers["x-lark-signature"];
const timestamp = Array.isArray(timestampHeader) ? timestampHeader[0] : timestampHeader;
const nonce = Array.isArray(nonceHeader) ? nonceHeader[0] : nonceHeader;
const signature = Array.isArray(signatureHeader) ? signatureHeader[0] : signatureHeader;
if (!timestamp || !nonce || !signature) {
return false;
}
const computedSignature = crypto
.createHash("sha256")
.update(timestamp + nonce + encryptKey + JSON.stringify(params.payload))
.digest("hex");
return computedSignature === signature;
}
function respondText(res: http.ServerResponse, statusCode: number, body: string): void {
res.statusCode = statusCode;
res.setHeader("Content-Type", "text/plain; charset=utf-8");
res.end(body);
}
export async function monitorWebSocket({ export async function monitorWebSocket({
account, account,
accountId, accountId,
@@ -88,7 +134,6 @@ export async function monitorWebhook({
log(`feishu[${accountId}]: starting Webhook server on ${host}:${port}, path ${path}...`); log(`feishu[${accountId}]: starting Webhook server on ${host}:${port}, path ${path}...`);
const server = http.createServer(); const server = http.createServer();
const webhookHandler = Lark.adaptDefault(path, eventDispatcher, { autoChallenge: true });
server.on("request", (req, res) => { server.on("request", (req, res) => {
res.on("finish", () => { res.on("finish", () => {
@@ -118,15 +163,68 @@ export async function monitorWebhook({
return; return;
} }
void Promise.resolve(webhookHandler(req, res)) void (async () => {
.catch((err) => { try {
const bodyResult = await readJsonBodyWithLimit(req, {
maxBytes: FEISHU_WEBHOOK_MAX_BODY_BYTES,
timeoutMs: FEISHU_WEBHOOK_BODY_TIMEOUT_MS,
});
if (guard.isTripped() || res.writableEnded) {
return;
}
if (!bodyResult.ok) {
if (bodyResult.code === "INVALID_JSON") {
respondText(res, 400, "Invalid JSON");
}
return;
}
if (!isFeishuWebhookPayload(bodyResult.value)) {
respondText(res, 400, "Invalid JSON");
return;
}
// Lark's default adapter drops invalid signatures as an empty 200. Reject here instead.
if (
!isFeishuWebhookSignatureValid({
headers: req.headers,
payload: bodyResult.value,
encryptKey: account.encryptKey,
})
) {
respondText(res, 401, "Invalid signature");
return;
}
const { isChallenge, challenge } = Lark.generateChallenge(bodyResult.value, {
encryptKey: account.encryptKey ?? "",
});
if (isChallenge) {
res.statusCode = 200;
res.setHeader("Content-Type", "application/json; charset=utf-8");
res.end(JSON.stringify(challenge));
return;
}
const value = await eventDispatcher.invoke(
buildFeishuWebhookEnvelope(req, bodyResult.value),
{ needCheck: false },
);
if (!res.headersSent) {
res.statusCode = 200;
res.setHeader("Content-Type", "application/json; charset=utf-8");
res.end(JSON.stringify(value));
}
} catch (err) {
if (!guard.isTripped()) { if (!guard.isTripped()) {
error(`feishu[${accountId}]: webhook handler error: ${String(err)}`); error(`feishu[${accountId}]: webhook handler error: ${String(err)}`);
if (!res.headersSent) {
respondText(res, 500, "Internal Server Error");
} }
}) }
.finally(() => { } finally {
guard.dispose(); guard.dispose();
}); }
})();
}); });
httpServers.set(accountId, server); httpServers.set(accountId, server);

306
extensions/feishu/src/monitor.webhook-e2e.test.ts Normal file
View File

@@ -0,0 +1,306 @@
import crypto from "node:crypto";
import { createServer } from "node:http";
import type { AddressInfo } from "node:net";
import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
import { afterEach, describe, expect, it, vi } from "vitest";
import { createFeishuRuntimeMockModule } from "./monitor.test-mocks.js";
const probeFeishuMock = vi.hoisted(() => vi.fn());
vi.mock("./probe.js", () => ({
probeFeishu: probeFeishuMock,
}));
vi.mock("./client.js", async () => {
const actual = await vi.importActual<typeof import("./client.js")>("./client.js");
return {
...actual,
createFeishuWSClient: vi.fn(() => ({ start: vi.fn() })),
};
});
vi.mock("./runtime.js", () => createFeishuRuntimeMockModule());
import { monitorFeishuProvider, stopFeishuMonitor } from "./monitor.js";
async function getFreePort(): Promise<number> {
const server = createServer();
await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", () => resolve()));
const address = server.address() as AddressInfo | null;
if (!address) {
throw new Error("missing server address");
}
await new Promise<void>((resolve) => server.close(() => resolve()));
return address.port;
}
async function waitUntilServerReady(url: string): Promise<void> {
for (let i = 0; i < 50; i += 1) {
try {
const response = await fetch(url, { method: "GET" });
if (response.status >= 200 && response.status < 500) {
return;
}
} catch {
// retry
}
await new Promise((resolve) => setTimeout(resolve, 20));
}
throw new Error(`server did not start: ${url}`);
}
function buildConfig(params: {
accountId: string;
path: string;
port: number;
verificationToken?: string;
encryptKey?: string;
}): ClawdbotConfig {
return {
channels: {
feishu: {
enabled: true,
accounts: {
[params.accountId]: {
enabled: true,
appId: "cli_test",
appSecret: "secret_test", // pragma: allowlist secret
connectionMode: "webhook",
webhookHost: "127.0.0.1",
webhookPort: params.port,
webhookPath: params.path,
encryptKey: params.encryptKey,
verificationToken: params.verificationToken,
},
},
},
},
} as ClawdbotConfig;
}
function signFeishuPayload(params: {
encryptKey: string;
payload: Record<string, unknown>;
timestamp?: string;
nonce?: string;
}): Record<string, string> {
const timestamp = params.timestamp ?? "1711111111";
const nonce = params.nonce ?? "nonce-test";
const signature = crypto
.createHash("sha256")
.update(timestamp + nonce + params.encryptKey + JSON.stringify(params.payload))
.digest("hex");
return {
"content-type": "application/json",
"x-lark-request-timestamp": timestamp,
"x-lark-request-nonce": nonce,
"x-lark-signature": signature,
};
}
function encryptFeishuPayload(encryptKey: string, payload: Record<string, unknown>): string {
const iv = crypto.randomBytes(16);
const key = crypto.createHash("sha256").update(encryptKey).digest();
const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
return Buffer.concat([iv, encrypted]).toString("base64");
}
async function withRunningWebhookMonitor(
params: {
accountId: string;
path: string;
verificationToken: string;
encryptKey: string;
},
run: (url: string) => Promise<void>,
) {
const port = await getFreePort();
const cfg = buildConfig({
accountId: params.accountId,
path: params.path,
port,
encryptKey: params.encryptKey,
verificationToken: params.verificationToken,
});
const abortController = new AbortController();
const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
const monitorPromise = monitorFeishuProvider({
config: cfg,
runtime,
abortSignal: abortController.signal,
});
const url = `http://127.0.0.1:${port}${params.path}`;
await waitUntilServerReady(url);
try {
await run(url);
} finally {
abortController.abort();
await monitorPromise;
}
}
afterEach(() => {
stopFeishuMonitor();
});
describe("Feishu webhook signed-request e2e", () => {
it("rejects invalid signatures with 401 instead of empty 200", async () => {
probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
await withRunningWebhookMonitor(
{
accountId: "invalid-signature",
path: "/hook-e2e-invalid-signature",
verificationToken: "verify_token",
encryptKey: "encrypt_key",
},
async (url) => {
const payload = { type: "url_verification", challenge: "challenge-token" };
const response = await fetch(url, {
method: "POST",
headers: {
...signFeishuPayload({ encryptKey: "wrong_key", payload }),
},
body: JSON.stringify(payload),
});
expect(response.status).toBe(401);
expect(await response.text()).toBe("Invalid signature");
},
);
});
it("rejects missing signature headers with 401", async () => {
probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
await withRunningWebhookMonitor(
{
accountId: "missing-signature",
path: "/hook-e2e-missing-signature",
verificationToken: "verify_token",
encryptKey: "encrypt_key",
},
async (url) => {
const response = await fetch(url, {
method: "POST",
headers: { "content-type": "application/json" },
body: JSON.stringify({ type: "url_verification", challenge: "challenge-token" }),
});
expect(response.status).toBe(401);
expect(await response.text()).toBe("Invalid signature");
},
);
});
it("returns 400 for invalid json before invoking the sdk", async () => {
probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
await withRunningWebhookMonitor(
{
accountId: "invalid-json",
path: "/hook-e2e-invalid-json",
verificationToken: "verify_token",
encryptKey: "encrypt_key",
},
async (url) => {
const response = await fetch(url, {
method: "POST",
headers: { "content-type": "application/json" },
body: "{not-json",
});
expect(response.status).toBe(400);
expect(await response.text()).toBe("Invalid JSON");
},
);
});
it("accepts signed plaintext url_verification challenges end-to-end", async () => {
probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
await withRunningWebhookMonitor(
{
accountId: "signed-challenge",
path: "/hook-e2e-signed-challenge",
verificationToken: "verify_token",
encryptKey: "encrypt_key",
},
async (url) => {
const payload = { type: "url_verification", challenge: "challenge-token" };
const response = await fetch(url, {
method: "POST",
headers: signFeishuPayload({ encryptKey: "encrypt_key", payload }),
body: JSON.stringify(payload),
});
expect(response.status).toBe(200);
await expect(response.json()).resolves.toEqual({ challenge: "challenge-token" });
},
);
});
it("accepts signed non-challenge events and reaches the dispatcher", async () => {
probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
await withRunningWebhookMonitor(
{
accountId: "signed-dispatch",
path: "/hook-e2e-signed-dispatch",
verificationToken: "verify_token",
encryptKey: "encrypt_key",
},
async (url) => {
const payload = {
schema: "2.0",
header: { event_type: "unknown.event" },
event: {},
};
const response = await fetch(url, {
method: "POST",
headers: signFeishuPayload({ encryptKey: "encrypt_key", payload }),
body: JSON.stringify(payload),
});
expect(response.status).toBe(200);
expect(await response.text()).toContain("no unknown.event event handle");
},
);
});
it("accepts signed encrypted url_verification challenges end-to-end", async () => {
probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
await withRunningWebhookMonitor(
{
accountId: "encrypted-challenge",
path: "/hook-e2e-encrypted-challenge",
verificationToken: "verify_token",
encryptKey: "encrypt_key",
},
async (url) => {
const payload = {
encrypt: encryptFeishuPayload("encrypt_key", {
type: "url_verification",
challenge: "encrypted-challenge-token",
}),
};
const response = await fetch(url, {
method: "POST",
headers: signFeishuPayload({ encryptKey: "encrypt_key", payload }),
body: JSON.stringify(payload),
});
expect(response.status).toBe(200);
await expect(response.json()).resolves.toEqual({
challenge: "encrypted-challenge-token",
});
},
);
});
});

2
src/plugin-sdk/feishu.ts
View File

@@ -51,7 +51,7 @@ export {
} from "../config/types.secrets.js"; } from "../config/types.secrets.js";
export { buildSecretInputSchema } from "./secret-input-schema.js"; export { buildSecretInputSchema } from "./secret-input-schema.js";
export { createDedupeCache } from "../infra/dedupe.js"; export { createDedupeCache } from "../infra/dedupe.js";
export { installRequestBodyLimitGuard } from "../infra/http-body.js"; export { installRequestBodyLimitGuard, readJsonBodyWithLimit } from "../infra/http-body.js";
export { fetchWithSsrFGuard } from "../infra/net/fetch-guard.js"; export { fetchWithSsrFGuard } from "../infra/net/fetch-guard.js";
export { emptyPluginConfigSchema } from "../plugins/config-schema.js"; export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
export type { PluginRuntime } from "../plugins/runtime/types.js"; export type { PluginRuntime } from "../plugins/runtime/types.js";