Copilot/refactor serverless azure function#17970
Copilot/refactor serverless azure function#17970ASISaga wants to merge 8 commits intoopenclaw:mainfrom
Conversation
…rovider and Bicep IaC Co-authored-by: ASISaga <[email protected]>
Co-authored-by: ASISaga <[email protected]>
- Created docs/install/azure.md with full Azure Functions deployment guide - Updated docs/vps.md to include Azure as a serverless deployment option - Updated docs/platforms/index.md to reference Azure deployment - Updated docs/docs.json navigation to include Azure in hosting section - Updated README.md with Cloud & VPS Deployment section highlighting Azure Co-authored-by: ASISaga <[email protected]>
Co-authored-by: ASISaga <[email protected]>
Co-authored-by: ASISaga <[email protected]>
…-deployment docs: Add Azure Functions deployment documentation
openclaw-barnacle
bot
added
docs
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| const results: MemorySearchResult[] = []; | ||
|
|
||
| const iter = this.chunksClient.listEntities<ChunkEntity>({ | ||
| queryOptions: { filter: `PartitionKey eq '${this.agentId}'` }, |
There was a problem hiding this comment.
SQL injection vulnerability via string interpolation in filter query.
agentId should be sanitized or parameterized.
| queryOptions: { filter: `PartitionKey eq '${this.agentId}'` }, | |
| queryOptions: { filter: `PartitionKey eq '${this.agentId.replace(/'/g, "''")}'` }, |
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/memory/memory-provider-azure.ts
Line: 156:156
Comment:
SQL injection vulnerability via string interpolation in filter query.
`agentId` should be sanitized or parameterized.
```suggestion
queryOptions: { filter: `PartitionKey eq '${this.agentId.replace(/'/g, "''")}'` },
```
How can I resolve this? If you propose a fix, please make it concise.|
|
||
| const iter = this.chunksClient.listEntities<ChunkEntity>({ | ||
| queryOptions: { | ||
| filter: `PartitionKey eq '${this.agentId}' and path eq '${params.relPath}'`, |
There was a problem hiding this comment.
SQL injection vulnerability via string interpolation in filter query.
Both agentId and params.relPath should be sanitized.
| filter: `PartitionKey eq '${this.agentId}' and path eq '${params.relPath}'`, | |
| filter: `PartitionKey eq '${this.agentId.replace(/'/g, "''")}' and path eq '${params.relPath.replace(/'/g, "''")}'`, |
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/memory/memory-provider-azure.ts
Line: 189:189
Comment:
SQL injection vulnerability via string interpolation in filter query.
Both `agentId` and `params.relPath` should be sanitized.
```suggestion
filter: `PartitionKey eq '${this.agentId.replace(/'/g, "''")}' and path eq '${params.relPath.replace(/'/g, "''")}'`,
```
How can I resolve this? If you propose a fix, please make it concise.| async deleteChunksByPath(path: string, source: MemorySource): Promise<void> { | ||
| const iter = this.chunksClient.listEntities<ChunkEntity>({ | ||
| queryOptions: { | ||
| filter: `PartitionKey eq '${this.agentId}' and path eq '${path}' and source eq '${source}'`, |
There was a problem hiding this comment.
SQL injection vulnerability via string interpolation in filter query.
All three variables (agentId, path, source) should be sanitized.
| filter: `PartitionKey eq '${this.agentId}' and path eq '${path}' and source eq '${source}'`, | |
| filter: `PartitionKey eq '${this.agentId.replace(/'/g, "''")}' and path eq '${path.replace(/'/g, "''")}' and source eq '${source.replace(/'/g, "''")}'`, |
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/memory/memory-provider-azure.ts
Line: 360:360
Comment:
SQL injection vulnerability via string interpolation in filter query.
All three variables (`agentId`, `path`, `source`) should be sanitized.
```suggestion
filter: `PartitionKey eq '${this.agentId.replace(/'/g, "''")}' and path eq '${path.replace(/'/g, "''")}' and source eq '${source.replace(/'/g, "''")}'`,
```
How can I resolve this? If you propose a fix, please make it concise.
| // Health-check endpoint | ||
| if (request.url.endsWith("/healthz")) { | ||
| return { status: 200, body: "ok" }; | ||
| } |
There was a problem hiding this comment.
Dead code — unreachable health check
This health-check branch is unreachable. The telegramWebhook handler is registered on route telegram-webhook (POST only), so a request to /healthz is never routed here — it goes to the dedicated healthz handler registered at line 143. This block should be removed to avoid confusion.
| // Health-check endpoint | |
| if (request.url.endsWith("/healthz")) { | |
| return { status: 200, body: "ok" }; | |
| } |
Prompt To Fix With AI
This is a comment left during a code review.
Path: azure-function/src/functions/webhook.ts
Line: 98:101
Comment:
**Dead code — unreachable health check**
This health-check branch is unreachable. The `telegramWebhook` handler is registered on route `telegram-webhook` (POST only), so a request to `/healthz` is never routed here — it goes to the dedicated `healthz` handler registered at line 143. This block should be removed to avoid confusion.
```suggestion
```
How can I resolve this? If you propose a fix, please make it concise.| try { | ||
| // grammy's webhookCallback returns a handler for the Node http module. | ||
| // In Azure Functions v4 we need to adapt the request/response ourselves. | ||
| const body = await request.text(); | ||
| const update = JSON.parse(body); | ||
|
|
||
| // Validate secret token header when configured. | ||
| if (secret) { | ||
| const headerSecret = request.headers.get("x-telegram-bot-api-secret-token") ?? ""; | ||
| if (headerSecret !== secret) { | ||
| context.warn("Telegram webhook secret mismatch"); | ||
| return { status: 401, body: "Unauthorized" }; | ||
| } | ||
| } |
There was a problem hiding this comment.
Webhook auth runs after body parsing
The request body is read and JSON-parsed (lines 109-110) before the webhook validation header is checked (lines 113-118). This means unauthenticated requests still trigger body reading and JSON parsing, wasting compute and exposing the parsing surface to untrusted input.
The existing webhook handler in src/telegram/webhook.ts validates authentication (via grammy's webhookCallback) before processing the body.
Move the header validation block (lines 113-118) to run before request.text() and JSON.parse(body) so unauthenticated requests are rejected early without reading the body.
Prompt To Fix With AI
This is a comment left during a code review.
Path: azure-function/src/functions/webhook.ts
Line: 106:119
Comment:
**Webhook auth runs after body parsing**
The request body is read and JSON-parsed (lines 109-110) *before* the webhook validation header is checked (lines 113-118). This means unauthenticated requests still trigger body reading and JSON parsing, wasting compute and exposing the parsing surface to untrusted input.
The existing webhook handler in `src/telegram/webhook.ts` validates authentication (via grammy's `webhookCallback`) before processing the body.
Move the header validation block (lines 113-118) to run before `request.text()` and `JSON.parse(body)` so unauthenticated requests are rejected early without reading the body.
How can I resolve this? If you propose a fix, please make it concise.
|
This pull request has been automatically marked as stale due to inactivity. |
openclaw-barnacle
bot
added
stale
|
This pull request has been automatically marked as stale due to inactivity. |
|
Closing due to inactivity. |
Resolved: - openclaw#25790 (Teams issue, CLOSED) - openclaw#47860 (Teams PR, CLOSED) - openclaw#48116 (Azure issue, CLOSED) - openclaw#48899 (Azure issue, CLOSED) - openclaw#47898 (Azure PR, MERGED) - openclaw#17970 (Azure PR, CLOSED) - openclaw#21678 (Windows issue, CLOSED)
Summary
Describe the problem and fix in 2–5 bullets:
Change Type (select all)
Scope (select all touched areas)
Linked Issue/PR
User-visible / Behavior Changes
List user-visible changes (including defaults/config).
If none, write
None.Security Impact (required)
Yes/No)Yes/No)Yes/No)Yes/No)Yes/No)Yes, explain risk + mitigation:Repro + Verification
Environment
Steps
Expected
Actual
Evidence
Attach at least one:
Human Verification (required)
What you personally verified (not just CI), and how:
Compatibility / Migration
Yes/No)Yes/No)Yes/No)Failure Recovery (if this breaks)
Risks and Mitigations
List only real risks for this PR. Add/remove entries as needed. If none, write
None.Greptile Summary
This PR adds a complete Azure Functions serverless deployment option for OpenClaw, including a Telegram webhook handler (
azure-function/), an Azure Table Storage memory provider (src/memory/memory-provider-azure.ts), an Azure Blob Storage session store, Bicep infrastructure-as-code, comprehensive docs, and tests.azure-function/src/functions/webhook.ts): Implements a POST-triggered Azure Function that validates Telegram webhook headers and processes updates via grammy. Contains two issues: (1) authentication validation runs after body parsing (should be before to reject unauthenticated requests early), and (2) dead health-check code inside the POST handler that's unreachable because/healthzhas its own route registration.src/memory/memory-provider-azure.ts): ImplementsMemorySearchManagerusing Azure Table Storage with keyword-based search, chunk/file/meta CRUD, and embedding cache. Previously flagged OData filter injection concerns remain. The provider is not yet wired into the search-manager factory.azure-function/src/storage/session-store-azure.ts): Clean Blob Storage session persistence implementation with proper 404 handling and idempotent container creation.infra/main.bicep): Well-structured Bicep template provisioning Storage, Key Vault (with RBAC), Function App, and App Insights with appropriate security defaults.Confidence Score: 3/5
azure-function/src/functions/webhook.ts(auth ordering bug and dead code) andsrc/memory/memory-provider-azure.ts(previously flagged OData filter injection concerns).Last reviewed commit: a35d2a5