kaiwu/openclaw-skill
1
0
Fork 0
forked from Selig/openclaw-skill
Code Pull Requests 1 Activity

improve(dispatch-webhook): enforce HTTPS for non-local webhook URLs

Browse Source
This commit is contained in:
Selig
2026-03-15 15:01:41 +08:00
parent 8bacc868bd
commit c0b7cf3415
2 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
skills/dispatch-webhook/handler.ts
View File

@@ -51,6 +51,13 @@ function validateInput(raw: any): DispatchInput {
throw new Error('Webhook URL 協定不支援,僅允許 http 或 https');
}
// 安全預設:正式環境僅允許 HTTPS避免 Bearer Token 明文傳輸
// 本機開發保留 http://localhost 與 http://127.0.0.1 例外
const isLocalhost = ['localhost', '127.0.0.1'].includes(parsedUrl.hostname);
if (parsedUrl.protocol !== 'https:' && !isLocalhost) {
throw new Error('Webhook URL 安全性不足:非本機位址必須使用 https');
}
if (!input.webhookToken || typeof input.webhookToken !== 'string') {
throw new Error(`${input.target.toUpperCase()} Webhook Token 未設定`);
}