fix(zalouser): reject unsafe inbound timestamps

steipete · steipete · commit aa75477533e3 · 2026-05-29T11:13:09.000-04:00
diff --git a/extensions/zalouser/src/zalo-js.ts b/extensions/zalouser/src/zalo-js.ts
@@ -3,7 +3,11 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { extensionForMime } from "openclaw/plugin-sdk/media-mime";
-import { parseStrictNonNegativeInteger } from "openclaw/plugin-sdk/number-runtime";
+import {
+  asFiniteNumberInRange,
+  parseStrictFiniteNumber,
+  parseStrictNonNegativeInteger,
+} from "openclaw/plugin-sdk/number-runtime";
 import { loadOutboundMediaFromUrl } from "openclaw/plugin-sdk/outbound-media";
 import {
   privateFileStoreSync,
@@ -53,6 +57,8 @@ const GROUP_CONTEXT_CACHE_TTL_MS = 5 * 60_000;
 const GROUP_CONTEXT_CACHE_MAX_ENTRIES = 500;
 const LISTENER_WATCHDOG_INTERVAL_MS = 30_000;
 const LISTENER_WATCHDOG_MAX_GAP_MS = 35_000;
+const ZALO_TIMESTAMP_MS_THRESHOLD = 1_000_000_000_000;
+const MAX_SAFE_ZALO_TIMESTAMP_SECONDS = Number.MAX_SAFE_INTEGER / 1000;
 
 const apiByProfile = new Map<string, API>();
 const apiInitByProfile = new Map<string, Promise<API>>();
@@ -261,17 +267,27 @@ function normalizeMessageContent(content: unknown): string {
 }
 
 function resolveInboundTimestamp(rawTs: unknown): number {
-  if (typeof rawTs === "number" && Number.isFinite(rawTs)) {
-    return rawTs > 1_000_000_000_000 ? rawTs : rawTs * 1000;
+  const parsed =
+    typeof rawTs === "number"
+      ? rawTs
+      : typeof rawTs === "string"
+        ? parseStrictFiniteNumber(rawTs)
+        : undefined;
+  const timestamp = asFiniteNumberInRange(parsed, {
+    min: 0,
+    minExclusive: true,
+    max: Number.MAX_SAFE_INTEGER,
+  });
+  if (timestamp === undefined) {
+    return Date.now();
   }
-  const parsed = Number.parseInt(
-    typeof rawTs === "string" ? rawTs : typeof rawTs === "number" ? String(rawTs) : "",
-    10,
-  );
-  if (!Number.isFinite(parsed) || parsed <= 0) {
+  if (timestamp > ZALO_TIMESTAMP_MS_THRESHOLD) {
+    return Math.trunc(timestamp);
+  }
+  if (timestamp > MAX_SAFE_ZALO_TIMESTAMP_SECONDS) {
     return Date.now();
   }
-  return parsed > 1_000_000_000_000 ? parsed : parsed * 1000;
+  return Math.trunc(timestamp * 1000);
 }
 
 function extractMentionIds(rawMentions: unknown): string[] {
diff --git a/extensions/zalouser/src/zalo-quote-metadata.test.ts b/extensions/zalouser/src/zalo-quote-metadata.test.ts
@@ -1,6 +1,10 @@
-import { describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import { __testing as zaloTesting } from "./zalo-js.js";
 
+afterEach(() => {
+  vi.useRealTimers();
+});
+
 describe("Zalo quote metadata extraction (#86851)", () => {
   it("extracts quote id, owner, and body from zca-js message data", () => {
     const message = zaloTesting.toInboundMessage(
@@ -43,3 +47,31 @@ describe("Zalo quote metadata extraction (#86851)", () => {
     expect(message?.quotedBody).toBeUndefined();
   });
 });
+
+describe("Zalo inbound timestamp normalization", () => {
+  function inboundTimestamp(ts: unknown): number | undefined {
+    return zaloTesting.toInboundMessage({
+      type: 0,
+      data: {
+        uidFrom: "123456789",
+        idTo: "987654321",
+        content: "plain message",
+        ts,
+      },
+    } as unknown as Parameters<typeof zaloTesting.toInboundMessage>[0])?.timestampMs;
+  }
+
+  it("normalizes second and millisecond timestamps", () => {
+    expect(inboundTimestamp(1_764_000_000)).toBe(1_764_000_000_000);
+    expect(inboundTimestamp("1764000000.5")).toBe(1_764_000_000_500);
+    expect(inboundTimestamp(1_764_000_000_000)).toBe(1_764_000_000_000);
+  });
+
+  it("falls back for partial or unsafe timestamps", () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(1_700_000_000_000);
+
+    expect(inboundTimestamp("1764000000abc")).toBe(1_700_000_000_000);
+    expect(inboundTimestamp("9007199254740993")).toBe(1_700_000_000_000);
+  });
+});
