fix(qqbot): validate cron payload base64

vincentkoc · vincentkoc · commit c8228245039b · 2026-05-14T18:04:32.000+08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -42,6 +42,7 @@ Docs: https://docs.openclaw.ai
 - QA channel: skip malformed inline inbound attachment base64 instead of staging silently corrupted media for agent turns.
 - Microsoft Teams: reject malformed inline HTML image base64 padding instead of decoding corrupted `data:` image attachments.
 - Voice-call realtime: ignore malformed provider media-frame base64 before forwarding audio into bridge and transcription paths.
+- QQBot: reject malformed stored cron payload base64 before JSON decoding structured reminder data.
 - Models config/auth: stop inferring provider env-var markers from broad `^[A-Z_][A-Z0-9_]*$` strings, and resolve config-backed provider `apiKey` values only through structured env SecretRefs (`secrets.providers[id]` / `secrets.defaults`), so unrelated env vars cannot accidentally become provider credentials. Thanks @sallyom.
 - Media fetch: skip allocating and buffering the response body for bodyless media responses (HEAD probes and 204-style empty bodies), avoiding wasted heap on streams that carry no payload. Thanks @shakkernerd.
 - CLI/onboarding: forward provider-specific auth flags (e.g. `--openai-api-key`) through the onboarding wizard so they reach provider auth methods via `ctx.opts`, letting `--openai-api-key "$OPENAI_API_KEY"` skip the redundant "use existing env var?" prompt in non-interactive harnesses. (#81669) Thanks @sjf.
diff --git a/extensions/qqbot/src/engine/utils/payload.test.ts b/extensions/qqbot/src/engine/utils/payload.test.ts
@@ -59,6 +59,9 @@ describe("engine/utils/payload", () => {
   it("reports cron decode errors without throwing", () => {
     expect(decodeCronPayload("plain")).toEqual({ isCronPayload: false });
     expect(decodeCronPayload("QQBOT_CRON:").error).toBe("Cron payload body is empty");
+    expect(decodeCronPayload("QQBOT_CRON:AAA@@@").error).toBe(
+      "Failed to decode cron payload: Cron payload body is not valid base64",
+    );
 
     const wrongType = Buffer.from('{"type":"media"}', "utf-8").toString("base64");
     expect(decodeCronPayload(`QQBOT_CRON:${wrongType}`).error).toBe(
diff --git a/extensions/qqbot/src/engine/utils/payload.ts b/extensions/qqbot/src/engine/utils/payload.ts
@@ -44,6 +44,18 @@ function formatErr(e: unknown): string {
   return e instanceof Error ? e.message : String(e);
 }
 
+function normalizeBase64ForCompare(value: string): string {
+  return value.replace(/=+$/u, "").replace(/-/gu, "+").replace(/_/gu, "/");
+}
+
+function decodeStrictBase64Utf8(value: string): string {
+  const buffer = Buffer.from(value, "base64");
+  if (normalizeBase64ForCompare(buffer.toString("base64")) !== normalizeBase64ForCompare(value)) {
+    throw new Error("Cron payload body is not valid base64");
+  }
+  return buffer.toString("utf-8");
+}
+
 /** Parse model output that may start with the QQ Bot structured payload prefix. */
 export function parseQQBotPayload(text: string): ParseResult {
   const trimmedText = text.trim();
@@ -114,7 +126,7 @@ export function decodeCronPayload(message: string): {
   }
 
   try {
-    const jsonString = Buffer.from(base64Content, "base64").toString("utf-8");
+    const jsonString = decodeStrictBase64Utf8(base64Content);
     const payload = JSON.parse(jsonString) as CronReminderPayload;
 
     if (payload.type !== "cron_reminder") {
