openclaw
diff --git a/‎extensions/msteams/src/bot-framework-service-url.ts‎
Lines changed: 67 additions & 0 deletions b/‎extensions/msteams/src/bot-framework-service-url.ts‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎extensions/msteams/src/monitor-handler.ts‎
Lines changed: 3 additions & 1 deletion b/‎extensions/msteams/src/monitor-handler.ts‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎extensions/msteams/src/monitor-handler/message-handler.authz.test.ts‎
Lines changed: 43 additions & 1 deletion b/‎extensions/msteams/src/monitor-handler/message-handler.authz.test.ts‎
Lines changed: 43 additions & 1 deletion
diff --git a/‎extensions/msteams/src/monitor-handler/message-handler.ts‎
Lines changed: 3 additions & 1 deletion b/‎extensions/msteams/src/monitor-handler/message-handler.ts‎
Lines changed: 3 additions & 1 deletion
@@ -0,0 +1,67 @@
+import {
+  buildHostnameAllowlistPolicyFromSuffixAllowlist,
+  isHttpsUrlAllowedByHostnameSuffixAllowlist,
+  normalizeHostnameSuffixAllowlist,
+  type SsrFPolicy,
+} from "openclaw/plugin-sdk/ssrf-policy";
+
+const DEFAULT_BOT_FRAMEWORK_SERVICE_URL_HOST_ALLOWLIST = [
+  // Microsoft Teams Bot Framework serviceUrl endpoints documented for
+  // commercial, GCC, GCC High, and DOD clouds. These are the only hosts that may
+  // receive Bot Framework service tokens from this plugin.
+  "smba.trafficmanager.net",
+  "smba.infra.gcc.teams.microsoft.com",
+  "smba.infra.gov.teams.microsoft.us",
+  "smba.infra.dod.teams.microsoft.us",
+] as const;
+
+export const BOT_FRAMEWORK_SERVICE_URL_HOST_ALLOWLIST = normalizeHostnameSuffixAllowlist(
+  DEFAULT_BOT_FRAMEWORK_SERVICE_URL_HOST_ALLOWLIST,
+);
+
+const serviceUrlSsrfPolicy = buildHostnameAllowlistPolicyFromSuffixAllowlist(
+  BOT_FRAMEWORK_SERVICE_URL_HOST_ALLOWLIST,
+);
+
+if (!serviceUrlSsrfPolicy) {
+  throw new Error("Microsoft Teams Bot Framework serviceUrl allowlist is empty");
+}
+
+export const BOT_FRAMEWORK_SERVICE_URL_SSRF_POLICY: SsrFPolicy = serviceUrlSsrfPolicy;
+
+export function describeBotFrameworkServiceUrlHost(serviceUrl: string): string {
+  try {
+    const parsed = new URL(serviceUrl.trim());
+    return parsed.hostname || "invalid-url";
+  } catch {
+    return "invalid-url";
+  }
+}
+
+export function isAllowedBotFrameworkServiceUrl(serviceUrl: unknown): serviceUrl is string {
+  if (typeof serviceUrl !== "string") {
+    return false;
+  }
+  const trimmed = serviceUrl.trim();
+  return Boolean(
+    trimmed &&
+    isHttpsUrlAllowedByHostnameSuffixAllowlist(trimmed, BOT_FRAMEWORK_SERVICE_URL_HOST_ALLOWLIST),
+  );
+}
+
+export function tryNormalizeBotFrameworkServiceUrl(serviceUrl: unknown): string | undefined {
+  if (!isAllowedBotFrameworkServiceUrl(serviceUrl)) {
+    return undefined;
+  }
+  return serviceUrl.trim().replace(/\/+$/, "");
+}
+
+export function normalizeBotFrameworkServiceUrl(serviceUrl: string): string {
+  const normalized = tryNormalizeBotFrameworkServiceUrl(serviceUrl);
+  if (normalized) {
+    return normalized;
+  }
+  throw new Error(
+    `Blocked Microsoft Teams serviceUrl host: ${describeBotFrameworkServiceUrlHost(serviceUrl)}`,
+  );
+}
@@ -2,6 +2,7 @@ import path from "node:path";
 import { resolveThreadSessionKeys } from "openclaw/plugin-sdk/routing";
 import { appendRegularFile } from "openclaw/plugin-sdk/security-runtime";
 import { normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/string-coerce-runtime";
+import { tryNormalizeBotFrameworkServiceUrl } from "./bot-framework-service-url.js";
 import { formatUnknownError } from "./errors.js";
 import { buildFeedbackEvent, runFeedbackReflection } from "./feedback-reflection.js";
 import { respondToMSTeamsFileConsentInvoke } from "./file-consent-invoke.js";
@@ -268,6 +269,7 @@ async function handleFeedbackInvoke(
   }
 
   // Build conversation reference for proactive messages (ack + reflection follow-up)
+  const serviceUrl = tryNormalizeBotFrameworkServiceUrl(activity.serviceUrl);
   const conversationRef = {
     activityId: activity.id,
     user: {
@@ -287,7 +289,7 @@ async function handleFeedbackInvoke(
       tenantId: activity.conversation?.tenantId,
     },
     channelId: activity.channelId ?? "msteams",
-    serviceUrl: activity.serviceUrl,
+    ...(serviceUrl ? { serviceUrl } : {}),
     locale: activity.locale,
   };
 
 
@@ -441,7 +441,7 @@ describe("msteams monitor handler authz", () => {
       tenantId: "tenant-1",
       aadObjectId: "new-user-aad",
       channelId: "msteams",
-      serviceUrl: "https://smba.trafficmanager.net/amer/",
+      serviceUrl: "https://smba.trafficmanager.net/amer",
       locale: "en-US",
       timezone: "America/New_York",
     });
@@ -507,6 +507,48 @@ describe("msteams monitor handler authz", () => {
     expect(storedConversation.tenantId).toBe("tenant-from-channel-data");
   });
 
+  it("does not persist blocked serviceUrl hosts in conversation references", async () => {
+    const { conversationStore, deps } = createDeps({
+      channels: {
+        msteams: {
+          dmPolicy: "allowlist",
+          allowFrom: ["sender-aad"],
+        },
+      },
+    } as OpenClawConfig);
+
+    const handler = createMSTeamsMessageHandler(deps);
+    await handler({
+      activity: {
+        id: "msg-blocked-service-url",
+        type: "message",
+        text: "hello",
+        from: {
+          id: "sender-id",
+          aadObjectId: "sender-aad",
+          name: "Sender",
+        },
+        recipient: {
+          id: "bot-id",
+          name: "Bot",
+        },
+        conversation: {
+          id: "a:personal-chat",
+          conversationType: "personal",
+        },
+        channelId: "msteams",
+        serviceUrl: "https://attacker.example.com/teams/",
+        channelData: {},
+        attachments: [],
+      },
+      sendActivity: vi.fn(async () => undefined),
+    } as unknown as Parameters<typeof handler>[0]);
+
+    expect(conversationStore.upsert).toHaveBeenCalledTimes(1);
+    const storedRef = recordFromMockCall(mockCallArg(conversationStore.upsert, 0, 1));
+    expect("serviceUrl" in storedRef).toBe(false);
+  });
+
   it("stores no tenantId when channelData.tenant is missing", async () => {
     const { conversationStore, deps } = createDeps({
       channels: {
 
@@ -26,6 +26,7 @@ import {
   summarizeMSTeamsHtmlAttachments,
 } from "../attachments.js";
 import { isRecord } from "../attachments/shared.js";
+import { tryNormalizeBotFrameworkServiceUrl } from "../bot-framework-service-url.js";
 import type { StoredConversationReference } from "../conversation-store.js";
 import { formatUnknownError } from "../errors.js";
 import {
@@ -154,6 +155,7 @@ function buildStoredConversationReference(params: {
   const channelDataTenantId = activity.channelData?.tenant?.id;
   const tenantId = channelDataTenantId ?? conversation?.tenantId;
   const aadObjectId = from?.aadObjectId;
+  const serviceUrl = tryNormalizeBotFrameworkServiceUrl(activity.serviceUrl);
   return {
     activityId: activity.id,
     user: from ? { id: from.id, name: from.name, aadObjectId: from.aadObjectId } : undefined,
@@ -168,7 +170,7 @@ function buildStoredConversationReference(params: {
     ...(aadObjectId ? { aadObjectId } : {}),
     teamId,
     channelId: activity.channelId,
-    serviceUrl: activity.serviceUrl,
+    ...(serviceUrl ? { serviceUrl } : {}),
     locale: activity.locale,
     ...(clientInfo?.timezone ? { timezone: clientInfo.timezone } : {}),
     ...(threadId ? { threadId } : {}),