Selig/openclaw-skill
1
0
Fork 4
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

improve(dispatch-webhook): enforce HTTPS for non-local webhook URLs

Browse Source
This commit is contained in:
Selig
2026-03-15 15:01:41 +08:00
parent 8bacc868bd
commit c0b7cf3415
2 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
skills/dispatch-webhook/SKILL.md
View File

@@ -112,3 +112,4 @@ Task ID: {task_id}
| 401 Unauthorized | 立即失敗,提示設定 token |
| 超時(> 30s | 返回 accepted等待 callback |
| VPS 回傳 500 | 記錄錯誤,通知使用者 |
| 非 HTTPS Webhook且非 localhost/127.0.0.1 | 直接拒絕,避免 Bearer Token 明文傳輸 |

7
skills/dispatch-webhook/handler.ts
View File

@@ -51,6 +51,13 @@ function validateInput(raw: any): DispatchInput {
throw new Error('Webhook URL 協定不支援,僅允許 http 或 https');
}
// 安全預設:正式環境僅允許 HTTPS避免 Bearer Token 明文傳輸
// 本機開發保留 http://localhost 與 http://127.0.0.1 例外
const isLocalhost = ['localhost', '127.0.0.1'].includes(parsedUrl.hostname);
if (parsedUrl.protocol !== 'https:' && !isLocalhost) {
throw new Error('Webhook URL 安全性不足:非本機位址必須使用 https');
}
if (!input.webhookToken || typeof input.webhookToken !== 'string') {
throw new Error(`${input.target.toUpperCase()} Webhook Token 未設定`);
}