fix(qqbot): scope token ssrf policy

sliverp · sliverp · commit 8c5c3e3dc5d4 · 2026-06-02T10:51:41.000+08:00
diff --git a/extensions/qqbot/src/engine/api/token.test.ts b/extensions/qqbot/src/engine/api/token.test.ts
@@ -42,7 +42,10 @@ describe("QQBot token manager", () => {
       url: "https://bots.qq.com/app/getAppAccessToken",
       auditContext: "qqbot-token",
       capture: false,
-      policy: { allowRfc2544BenchmarkRange: true },
+      policy: {
+        hostnameAllowlist: ["bots.qq.com"],
+        allowRfc2544BenchmarkRange: true,
+      },
       init: {
         method: "POST",
         headers: {
@@ -66,7 +69,10 @@ describe("QQBot token manager", () => {
       expect.objectContaining({
         url: "https://bots.qq.com/app/getAppAccessToken",
         auditContext: "qqbot-token",
-        policy: { allowRfc2544BenchmarkRange: true },
+        policy: {
+          hostnameAllowlist: ["bots.qq.com"],
+          allowRfc2544BenchmarkRange: true,
+        },
       }),
     );
   });
diff --git a/extensions/qqbot/src/engine/api/token.ts b/extensions/qqbot/src/engine/api/token.ts
@@ -33,6 +33,7 @@ const DEFAULT_TOKEN_EXPIRES_IN_SECONDS = 7200;
  * See https://github.com/openclaw/openclaw/issues/88984.
  */
 const QQBOT_TOKEN_SSRF_POLICY: SsrFPolicy = {
+  hostnameAllowlist: ["bots.qq.com"],
   allowRfc2544BenchmarkRange: true,
 };
 
