fix(qqbot): require auth for bot-approve · openclaw/openclaw@9694a45
vincentkoc
·
2026-04-24
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -8,6 +8,7 @@ Docs: https://docs.openclaw.ai
|
8 | 8 | |
9 | 9 | ### Fixes |
10 | 10 | |
| 11 | +- QQBot/security: require framework auth for `/bot-approve` so unauthorized QQ senders cannot change exec approval settings through the unauthenticated pre-dispatch slash-command path. (#70706) Thanks @vincentkoc. |
11 | 12 | - MCP/tools: stop the ACPX OpenClaw tools bridge from listing or invoking owner-only tools such as `cron`, closing a privilege-escalation path for non-owner MCP callers. (#70698) Thanks @vincentkoc. |
12 | 13 | - Feishu/onboarding: load Feishu setup surfaces through a setup-only barrel so first-run setup no longer imports Feishu's Lark SDK before bundled runtime deps are staged. (#70339) Thanks @andrejtr. |
13 | 14 | - WhatsApp/security: keep contact/vCard/location structured-object free text out of the inline message body and render it through fenced untrusted metadata JSON, limiting hidden prompt-injection payloads in names, phone fields, and location labels/comments. |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +import { describe, expect, it } from "vitest"; |
| 2 | +import { getFrameworkCommands } from "./slash-commands-impl.js"; |
| 3 | + |
| 4 | +describe("QQBot framework slash commands", () => { |
| 5 | +it("routes bot-approve through the auth-gated framework registry", () => { |
| 6 | +expect(getFrameworkCommands().map((command) => command.name)).toContain("bot-approve"); |
| 7 | +}); |
| 8 | +}); |
| Original file line number | Diff line number | Diff line change |
|---|
@@ -746,6 +746,7 @@ export function registerApproveRuntimeGetter(
|
746 | 746 | registerCommand({ |
747 | 747 | name: "bot-approve", |
748 | 748 | description: "管理命令执行审批配置", |
| 749 | +requireAuth: true, |
749 | 750 | usage: [ |
750 | 751 | `/bot-approve 查看操作指引`, |
751 | 752 | `/bot-approve on 开启审批(白名单模式,推荐)`, |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。