Feat/fix qq ssrf url list (openclaw#65788)

sliverp · web-flow · commit ddb7a8dd80b8 · 2026-04-13T15:49:32.000+08:00
* fix: update qqbot media host allowlist

* fix: update qqbot media host allowlist

* fix: update qqbot media host allowlist

* fix: update qqbot media host allowlist
diff --git a/extensions/qqbot/src/utils/file-utils.test.ts b/extensions/qqbot/src/utils/file-utils.test.ts
@@ -47,7 +47,16 @@ describe("qqbot file-utils downloadFile", () => {
       ssrfPolicy: QQBOT_MEDIA_SSRF_POLICY,
     });
     expect(QQBOT_MEDIA_SSRF_POLICY).toEqual({
-      hostnameAllowlist: ["*.myqcloud.com", "*.qpic.cn", "*.qq.com", "*.tencentcos.com"],
+      hostnameAllowlist: [
+        "*.qpic.cn",
+        "*.qq.com",
+        "*.weiyun.com",
+        "*.qq.com.cn",
+        "*.ugcimg.cn",
+        "*.myqcloud.com",
+        "*.tencentcos.cn",
+        "*.tencentcos.com",
+      ],
       allowRfc2544BenchmarkRange: true,
     });
   });
diff --git a/extensions/qqbot/src/utils/file-utils.ts b/extensions/qqbot/src/utils/file-utils.ts
@@ -16,9 +16,18 @@ export const MAX_UPLOAD_SIZE = 20 * 1024 * 1024;
 export const LARGE_FILE_THRESHOLD = 5 * 1024 * 1024;
 
 const QQBOT_MEDIA_HOSTNAME_ALLOWLIST = [
-  "*.myqcloud.com",
+  // QQ富媒体
   "*.qpic.cn",
   "*.qq.com",
+  "*.weiyun.com",
+  "*.qq.com.cn",
+
+  // QQ机器人
+  "*.ugcimg.cn",
+
+  // 腾讯云COS
+  "*.myqcloud.com",
+  "*.tencentcos.cn",
   "*.tencentcos.com",
 ];
 
