fix(mattermost): bind interaction callbacks to channel and post context#38057
Merged
vincentkoc merged 2 commits intomainfrom Mar 6, 2026
Merged
Conversation
openclaw-barnacle
bot
added
channel: mattermost
vincentkoc
deleted the
vincentkoc-code/mattermost-interaction-hmac-binding
branch
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2dbcd6e4f8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| break; | ||
| } | ||
| } | ||
| if (clickedButtonName === actionId) { |
There was a problem hiding this comment.
This check treats clickedButtonName === actionId as proof that the action was not found, but clickedButtonName is also the actual display label. If a valid button action has a name that exactly matches its id (a common pattern in integrations), the loop sets clickedButtonName to that same value and this branch incorrectly returns 403 Unknown action for a legitimate callback. Use a separate foundAction boolean (or store the matched action object) so label equality does not trigger false rejections.
Useful? React with 👍 / 👎.
Contributor
Greptile SummaryThis PR hardens Mattermost interactive button callbacks by: (1) signing the resolved channel ID into each button's HMAC context at send time, (2) rejecting callbacks where the signed channel or fetched-post channel diverges from the payload's Key issue found:
Confidence Score: 2/5
Last reviewed commit: 2dbcd6e |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
mrosmarin
added a commit
to mrosmarin/openclaw
that referenced
this pull request
Mar 6, 2026
* main: Mattermost: harden interaction callback binding (openclaw#38057) WhatsApp: honor outbound mediaMaxMb (openclaw#38097) openai-image-gen: validate --background and --style options (openclaw#36762) Docs: align BlueBubbles media cap wording Telegram/Discord: honor outbound mediaMaxMb uploads (openclaw#38065) CI: run changed-scope on main pushes Skills/nano-banana-pro: clarify MEDIA token comment (openclaw#38063) nano-banana-pro: respect explicit --resolution when editing images (openclaw#36880) CI: drop unused install-smoke bootstrap fix(nano-banana-pro): remove space after MEDIA: token in generate_image.py (openclaw#18706) docs: context engine docs(config): list the context engine plugin slot docs(plugins): add context-engine manifest kind example docs(plugins): document context engine slots and registration docs(protocol): document slash-delimited schema lookup plugin ids docs(tools): document slash-delimited config schema lookup paths fix(session): tighten direct-session webchat routing matching (openclaw#37867) feature(context): extend plugin system to support custom context management (openclaw#22201) Gateway: allow slash-delimited schema lookup paths
ant1eicher
pushed a commit
to ant1eicher/openclaw
that referenced
this pull request
Mar 6, 2026
18 tasks
Saitop
pushed a commit
to NomiciAI/openclaw
that referenced
this pull request
Mar 8, 2026
jenawant
pushed a commit
to jenawant/openclaw
that referenced
this pull request
Mar 10, 2026
dhoman
pushed a commit
to dhoman/chrono-claw
that referenced
this pull request
Mar 11, 2026
senw-developers
pushed a commit
to senw-developers/va-openclaw
that referenced
this pull request
Mar 17, 2026
V-Gutierrez
pushed a commit
to V-Gutierrez/openclaw-vendor
that referenced
this pull request
Mar 17, 2026
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 20, 2026
(cherry picked from commit a274ef9)
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 20, 2026
(cherry picked from commit a274ef9)
alexey-pelykh
added a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 20, 2026
* fix(subagents): recover announce cleanup after kill/complete race (cherry picked from commit 2f86ae7) * feat(hooks): emit compaction lifecycle hooks (openclaw#16788) (cherry picked from commit 71ec421) * fix(agent): harden undici stream timeouts for long openai-completions runs (cherry picked from commit 05fb16d) * fix(agents): allow configured ollama endpoints without dummy api keys (cherry picked from commit 36afd1b) * feat(openai): add gpt-5.4 support for API and Codex OAuth (openclaw#36590) Co-authored-by: Tyler Yust <[email protected]> (cherry picked from commit 5d4b040) * Fix failover for zhipuai 1310 Weekly/Monthly Limit Exhausted (openclaw#33813) Co-authored-by: zhouhe-xydt <[email protected]> Co-authored-by: altaywtf <[email protected]> (cherry picked from commit a65d70f) * fix(failover): classify HTTP 402 as rate_limit when payload indicates usage limit (openclaw#30484) (openclaw#36802) Co-authored-by: Val Alexander <[email protected]> (cherry picked from commit 01b2017) * feat(onboarding): add web search to onboarding flow (openclaw#34009) * add web search to onboarding flow * remove post onboarding step (now redundant) * post-onboarding nudge if no web search set up * address comments * fix test mocking * add enabled: false assertion to the no-key test * --skip-search cli flag * use provider that a user has a key for * add assertions, replace the duplicated switch blocks * test for quickstart fast-path with existing config key * address comments * cover quickstart falls through to key test * bring back key source * normalize secret inputs instead of direct string trimming * preserve enabled: false if it's already set * handle missing API keys in flow * doc updates * hasExistingKey to detect both plaintext strings and SecretRef objects * preserve enabled state only on the "keep current" paths * add test for preserving * better gate flows * guard against invalid provider values in config * Update src/commands/configure.wizard.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * format fix * only mentions env var when it's actually available * search apiKey fields now typed as SecretInput * if no provider check if any search provider key is detectable * handle both kimi keys * remove .filter(Boolean) * do not disable web_search after user enables it * update resolveSearchProvider * fix(onboarding): skip search key prompt in ref mode * fix: add onboarding web search step (openclaw#34009) (thanks @kesku) --------- Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> Co-authored-by: Shadow <[email protected]> (cherry picked from commit 3d7bc59) * fix(ci): restore protocol and schema checks (openclaw#37470) (cherry picked from commit ee6f7b1) * Infra: require explicit opt-in for prerelease npm installs (openclaw#38117) * Infra: tighten npm registry spec parsing * Infra: block implicit prerelease npm installs * Plugins: cover prerelease install policy * Infra: add npm registry spec tests * Hooks: cover prerelease install policy * Docs: clarify plugin guide version policy * Docs: clarify plugin install version policy * Docs: clarify hooks install version policy * Docs: clarify hook pack version policy (cherry picked from commit f392b81) * ci: trigger workflow * fix: resolve cherry-pick adaptation failures from upstream web search commit - Add missing hasConfiguredSecretInput() to types.secrets.ts - Add SecretInput import to types.tools.ts for apiKey fields - Replace OpenClawConfig with RemoteClawConfig in onboard-search - Remove non-existent DEFAULT_SECRET_PROVIDER_ALIAS import - Remove invalid 'provider' field from SecretRef literal - Stub resolveSyntheticLocalProviderAuth (models.providers was gutted) - Replace undefined registerRun/emitLifecycleEnd test helpers with existing mod.registerSubagentRun/lifecycleHandler patterns Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * Plugins: clarify registerHttpHandler migration errors (openclaw#36794) * Changelog: note plugin HTTP route migration diagnostics * Tests: cover registerHttpHandler migration diagnostics * Plugins: clarify registerHttpHandler migration errors * Tests: cover registerHttpHandler diagnostic edge cases * Plugins: tighten registerHttpHandler migration hint (cherry picked from commit d4021f4) * Plugins: avoid false integrity drift prompts on unpinned updates (openclaw#37179) * Plugins: skip drift prompts for unpinned updates * Plugins: cover unpinned integrity update behavior (cherry picked from commit 428d176) * docs(protocol): document slash-delimited schema lookup plugin ids (cherry picked from commit f788ba1) * docs(plugins): document context engine slots and registration (cherry picked from commit eb2eeba) * docs(plugins): add context-engine manifest kind example (cherry picked from commit 7cc3376) * docs(config): list the context engine plugin slot (cherry picked from commit 5470337) * fix: Windows: openclaw plugins install fails with spawn EINVAL Fixes openclaw#7631 (cherry picked from commit d000316) * fix(whatsapp): remove implicit [openclaw] self-chat prefix (cherry picked from commit 4d9134f) * WhatsApp: honor outbound mediaMaxMb (openclaw#38097) * WhatsApp: add media cap helper * WhatsApp: cap outbound media loads * WhatsApp: align auto-reply media caps * WhatsApp: add outbound media cap test * WhatsApp: update auto-reply cap tests * Docs: update WhatsApp media caps * Changelog: note WhatsApp media cap fix (cherry picked from commit 222d635) * fix(mattermost): allow reachable interaction callback URLs (openclaw#37543) Merged via squash. Prepared head SHA: 4d59373 Co-authored-by: mukhtharcm <[email protected]> Co-authored-by: mukhtharcm <[email protected]> Reviewed-by: @mukhtharcm (cherry picked from commit 4a80d48) * Mattermost: harden interaction callback binding (openclaw#38057) (cherry picked from commit a274ef9) * chore: code/dead tests cleanup (openclaw#38286) * Discord: assert bot-self filter queue guard * Tests: remove dead gateway SIGTERM placeholder (cherry picked from commit 38f46e8) * Delete changelog/fragments directory (cherry picked from commit 8f69e07) * fix(feishu): restore explicit media request timeouts (cherry picked from commit b127333) * fix: adapt upstream naming to fork conventions Replace OpenClawConfig with RemoteClawConfig, openclaw/plugin-sdk with remoteclaw/plugin-sdk, and fix import paths for fork type exports. * fix: resolve type errors from upstream cherry-picks - Add missing RemoteClawConfig import in discord test - Use spread with as-any for feishu SDK timeout property - Remove allowUnresolvedSecretRef from mattermost test * ci: re-trigger CI after force push * fix: revert unintended onboarding changes from linter bleed * ci: sync PR head with branch --------- Co-authored-by: Vignesh Natarajan <[email protected]> Co-authored-by: Vincent Koc <[email protected]> Co-authored-by: dorukardahan <[email protected]> Co-authored-by: Tyler Yust <[email protected]> Co-authored-by: zhouhe-xydt <[email protected]> Co-authored-by: zhouhe-xydt <[email protected]> Co-authored-by: altaywtf <[email protected]> Co-authored-by: Xinhua Gu <[email protected]> Co-authored-by: Val Alexander <[email protected]> Co-authored-by: Kesku <[email protected]> Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> Co-authored-by: Shadow <[email protected]> Co-authored-by: Altay <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: 0xlin2023 <[email protected]> Co-authored-by: Muhammed Mukhthar CM <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Describe the problem and fix in 2–5 bullets:
CommandAuthorized: true.Change Type (select all)
Scope (select all touched areas)
Linked Issue/PR
User-visible / Behavior Changes
Security Impact (required)
No)No)Yes)Yes)No)Yes, explain risk + mitigation:The send path resolves the target channel id before signing button context, which can add one pre-send Mattermost lookup for name/user targets. In exchange, callbacks are bound to the intended channel and validated against the fetched original post before any synthetic follow-up dispatch.
Repro + Verification
Environment
Steps
channel_idorpost_idno longer matches the original button context/post.Expected
Actual
Evidence
Attach at least one:
Human Verification (required)
What you personally verified (not just CI), and how:
interactions,send, andchannelpassed after the patch.Compatibility / Migration
Yes)No)No)Failure Recovery (if this breaks)
Mattermost: harden interaction callback binding.Channel mismatch,Post/channel mismatch, orUnknown action.Risks and Mitigations
List only real risks for this PR. Add/remove entries as needed. If none, write
None.