

























@@ -24,6 +24,36 @@ function collectInvalidTelegramAllowFromEntries(params: { entries: unknown; targ
2424}
2525}
262627+function appendInvalidTelegramAllowFromFinding(
28+findings: Array<{
29+checkId: string;
30+severity: "info" | "warn" | "critical";
31+title: string;
32+detail: string;
33+remediation?: string;
34+}>,
35+invalidTelegramAllowFromEntries: Set<string>,
36+) {
37+if (invalidTelegramAllowFromEntries.size === 0) {
38+return;
39+}
40+const examples = Array.from(invalidTelegramAllowFromEntries).slice(0, 5);
41+const more =
42+invalidTelegramAllowFromEntries.size > examples.length
43+ ? ` (+${invalidTelegramAllowFromEntries.size - examples.length} more)`
44+ : "";
45+findings.push({
46+checkId: "channels.telegram.allowFrom.invalid_entries",
47+severity: "warn",
48+title: "Telegram allowlist contains non-numeric entries",
49+detail:
50+"Telegram sender authorization requires numeric Telegram user IDs. " +
51+`Found non-numeric allowFrom entries: ${examples.join(", ")}${more}.`,
52+remediation:
53+"Replace @username entries with numeric Telegram user IDs (use setup to resolve), then re-run the audit.",
54+});
55+}
56+2757export async function collectTelegramSecurityAuditFindings(params: {
2858cfg: OpenClawConfig;
2959accountId?: string | null;
@@ -36,13 +66,20 @@ export async function collectTelegramSecurityAuditFindings(params: {
3666detail: string;
3767remediation?: string;
3868}> = [];
39-if (params.cfg.commands?.text === false) {
40-return findings;
41-}
42694370const telegramCfg = params.account.config ?? {};
4471const accountId =
4572normalizeOptionalString(params.accountId) ?? params.account.accountId ?? "default";
73+const invalidTelegramAllowFromEntries = new Set<string>();
74+collectInvalidTelegramAllowFromEntries({
75+entries: Array.isArray(telegramCfg.allowFrom) ? telegramCfg.allowFrom : [],
76+target: invalidTelegramAllowFromEntries,
77+});
78+if (params.cfg.commands?.text === false) {
79+appendInvalidTelegramAllowFromFinding(findings, invalidTelegramAllowFromEntries);
80+return findings;
81+}
82+4683const defaultGroupPolicy = params.cfg.channels?.defaults?.groupPolicy;
4784const groupPolicy =
4885(telegramCfg.groupPolicy as string | undefined) ?? defaultGroupPolicy ?? "allowlist";
@@ -51,6 +88,7 @@ export async function collectTelegramSecurityAuditFindings(params: {
5188const groupAccessPossible =
5289groupPolicy === "open" || (groupPolicy === "allowlist" && groupsConfigured);
5390if (!groupAccessPossible) {
91+appendInvalidTelegramAllowFromFinding(findings, invalidTelegramAllowFromEntries);
5492return findings;
5593}
5694@@ -60,7 +98,6 @@ export async function collectTelegramSecurityAuditFindings(params: {
6098const storeHasWildcard = storeAllowFrom.some(
6199(value) => (normalizeOptionalString(value) ?? "") === "*",
62100);
63-const invalidTelegramAllowFromEntries = new Set<string>();
64101collectInvalidTelegramAllowFromEntries({
65102entries: storeAllowFrom,
66103target: invalidTelegramAllowFromEntries,
@@ -75,10 +112,6 @@ export async function collectTelegramSecurityAuditFindings(params: {
75112entries: groupAllowFrom,
76113target: invalidTelegramAllowFromEntries,
77114});
78-collectInvalidTelegramAllowFromEntries({
79-entries: Array.isArray(telegramCfg.allowFrom) ? telegramCfg.allowFrom : [],
80-target: invalidTelegramAllowFromEntries,
81-});
8211583116let anyGroupOverride = false;
84117if (groups) {
@@ -119,23 +152,7 @@ export async function collectTelegramSecurityAuditFindings(params: {
119152const hasAnySenderAllowlist =
120153storeAllowFrom.length > 0 || groupAllowFrom.length > 0 || anyGroupOverride;
121154122-if (invalidTelegramAllowFromEntries.size > 0) {
123-const examples = Array.from(invalidTelegramAllowFromEntries).slice(0, 5);
124-const more =
125-invalidTelegramAllowFromEntries.size > examples.length
126- ? ` (+${invalidTelegramAllowFromEntries.size - examples.length} more)`
127- : "";
128-findings.push({
129-checkId: "channels.telegram.allowFrom.invalid_entries",
130-severity: "warn",
131-title: "Telegram allowlist contains non-numeric entries",
132-detail:
133-"Telegram sender authorization requires numeric Telegram user IDs. " +
134-`Found non-numeric allowFrom entries: ${examples.join(", ")}${more}.`,
135-remediation:
136-"Replace @username entries with numeric Telegram user IDs (use setup to resolve), then re-run the audit.",
137-});
138-}
155+appendInvalidTelegramAllowFromFinding(findings, invalidTelegramAllowFromEntries);
139156140157if (storeHasWildcard || groupAllowFromHasWildcard) {
141158findings.push({
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。