nav/Fabric.OpenclawPlugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: nav:42228e0a23e9b82d8a05696ebd3a15982891c604
Branches Tags
nav:main nav:feat/dynamic-account-subscription nav:fix/routing-use-binding-accountid nav:fix/describe-account-stops-default-restart-loop nav:fix/socket-auth-callback-refresh nav:fix/presence-sync-tick-mutex nav:fix/presence-sync-api-prefix nav:fix/fabric-dm-routing-by-xtype nav:feat/expose-channel-type nav:feat/fabric-send-and-discover-tools nav:feat/triage-on-call-gate-and-queue nav:feat/inbound-listen-push-events nav:fix/inbound-dynamic-channel-sync
..
compare: nav:cc655ffcc38eedded4f8632b26e4afcbe4dbd4c1
Branches Tags
nav:main nav:feat/dynamic-account-subscription nav:fix/routing-use-binding-accountid nav:fix/describe-account-stops-default-restart-loop nav:fix/socket-auth-callback-refresh nav:fix/presence-sync-tick-mutex nav:fix/presence-sync-api-prefix nav:fix/fabric-dm-routing-by-xtype nav:feat/expose-channel-type nav:feat/fabric-send-and-discover-tools nav:feat/triage-on-call-gate-and-queue nav:feat/inbound-listen-push-events nav:fix/inbound-dynamic-channel-sync

1 Commits
42228e0a23 ... cc655ffcc3

Author SHA1 Message Date
hzhang
cc655ffcc3 fix(plugin): pass only local MediaPaths (drop SSRF-blocked MediaUrls) 
Live round-trip test showed openclaw's SSRF guard blocking the
localhost guild file URL passed via MediaUrls. We already download the
bytes with the agent's guild token, so MediaUrls is redundant and
noisy — provide only local MediaPaths/MediaTypes. Verified: plugin
logs 'fetched N attachment(s)' and the SSRF WARN is gone.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-15 21:50:34 +01:00
2 changed files with 8 additions and 4 deletions
Expand all files Collapse all files

6
dist/fabric/src/inbound.js vendored
View File

@@ -173,14 +173,16 @@ export class FabricInbound {
Timestamp: m.createdAt ? Date.parse(m.createdAt) : Date.now(),
OriginatingChannel: 'fabric',
OriginatingTo: `fabric:${channelId}`,
// Provide ONLY local paths. The guild file URL is on a private host
// (e.g. localhost); openclaw's SSRF guard blocks re-fetching it, so
// passing MediaUrls is both redundant (we already downloaded the
// bytes) and noisy. Local MediaPaths is the reliable delivery.
...(media.paths.length
? {
MediaPaths: media.paths,
MediaTypes: media.types,
MediaUrls: media.urls,
MediaPath: media.paths[0],
MediaType: media.types[0],
MediaUrl: media.urls[0],
}
: {}),
});

6
src/inbound.ts
View File

@@ -212,14 +212,16 @@ export class FabricInbound {
Timestamp: m.createdAt ? Date.parse(m.createdAt) : Date.now(),
OriginatingChannel: 'fabric',
OriginatingTo: `fabric:${channelId}`,
// Provide ONLY local paths. The guild file URL is on a private host
// (e.g. localhost); openclaw's SSRF guard blocks re-fetching it, so
// passing MediaUrls is both redundant (we already downloaded the
// bytes) and noisy. Local MediaPaths is the reliable delivery.
...(media.paths.length
? {
MediaPaths: media.paths,
MediaTypes: media.types,
MediaUrls: media.urls,
MediaPath: media.paths[0],
MediaType: media.types[0],
MediaUrl: media.urls[0],
}
: {}),
});