[Bug] QQ bot token fetch still blocked by SSRF — RFC2544 benchmark range not allowed

[Jensenwgd]

Bug Description

The QQ bot plugin cannot obtain access tokens because fetchWithSsrFGuard in doFetchToken() is called without a policy parameter. When bots.qq.com resolves to a 198.18.x.x address (RFC 2544 benchmark range), the default SSRF policy blocks it.

Error Log

[security] blocked URL fetch (qqbot-token) target=https://bots.qq.com/app/getAppAccessToken reason=Blocked: resolves to private/internal/special-use IP address
[qqbot:token:1903616641] Connection failed: Network error getting access_token: Blocked: resolves to private/internal/special-use IP address

bots.qq.com resolves to 198.18.0.70 — an address in the RFC 2544 benchmark address range (198.18.0.0/15).

Root Cause

In the QQ bot plugin's bundled runtime JS (runtime-DWfbz21q.js), the doFetchToken() method calls fetchWithSsrFGuard() without passing a policy parameter:

const guarded = await fetchWithSsrFGuard({
    url: TOKEN_URL,
    auditContext: "qqbot-token",
    capture: false,
    // ❌ Missing: policy parameter — uses default strict SSRF policy
    init: { method: "POST", headers, body },
});

Meanwhile the media upload path already has the correct policy:

const QQBOT_MEDIA_SSRF_POLICY = {
    hostnameAllowlist: ["*.qpic.cn", "*.qq.com", ...],
    allowRfc2544BenchmarkRange: true  // ✅
};

The fix is to add policy: { allowRfc2544BenchmarkRange: true } to the token fetch call, exactly as the media path already does.

Environment

• OpenClaw 2026.5.28 (gateway, latest stable)
• QQ bot plugin 2026.5.28
• Linux (WSL2), Node 22.22.2
• DNS resolver returns 198.18.0.70 for bots.qq.com

Workaround

Patch the QQ bot plugin runtime JS file directly:

• File: ~/.openclaw/npm/projects/openclaw-qqbot-*/node_modules/@openclaw/qqbot/dist/runtime-DWfbz21q.js
• Target: doFetchToken() method's fetchWithSsrFGuard call
• Change: inject policy: { allowRfc2544BenchmarkRange: true } between capture: false and init

A systemd ExecStartPre can re-apply the patch on every gateway start.

Related

• Issue Bug: QQBot plugin token/API requests blocked by SSRF guard in fake-IP proxy environments (Surge/Clash) #70310 was filed for the same bug but incorrectly closed as "implemented". The bot clawsweeper[bot] marked it resolved without the fix actually shipping to the QQ plugin code.
• The media upload path has always worked correctly — only the token fetch path is affected.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 1, 2026, 3:44 AM ET / 07:44 UTC.

Summary
Keep this open: current main and the latest release still call the QQBot token fetch through the default SSRF guard without an RFC2544 allowance, so the reported fake-IP proxy failure remains source-backed.

Reproducibility: Do we have a high-confidence way to reproduce the issue? Source inspection gives high confidence: the token fetch lacks policy while the SSRF classifier blocks 198.18.0.0/15 by default; I did not live-reproduce it because local DNS returned public IPs.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
The root cause is clear, but the repair relaxes an SSRF guard and should get maintainer/security review for the exact host-scoped policy before implementation.

Security
Needs attention: No patch is under review, but the requested repair changes an SSRF policy and should stay narrowly host-scoped.

Review details

Best possible solution:

Land a narrow QQBot-plugin fix that gives the token fetch a host-scoped RFC2544 SSRF policy and adds focused regression coverage for the guarded request shape.

Do we have a high-confidence way to reproduce the issue?

Do we have a high-confidence way to reproduce the issue? Source inspection gives high confidence: the token fetch lacks policy while the SSRF classifier blocks 198.18.0.0/15 by default; I did not live-reproduce it because local DNS returned public IPs.

Is this the best way to solve the issue?

Is this the best way to solve the issue? Yes: a QQBot-owned, host-scoped token SSRF policy matches the existing media fake-IP pattern without adding a new config knob or weakening the global default.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The review did not live-reproduce the fake-IP resolver condition because the local resolver returned public addresses for bots.qq.com.
• The fix touches the SSRF boundary, so the RFC2544 allowance should stay narrowly scoped to the QQBot token host instead of broadly allowing private networks.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6640d57b647e.

Label changes

Label changes:

• add P1: Affected QQBot users behind fake-IP proxy DNS cannot obtain access tokens, which breaks a real channel workflow.
• add impact:security: The issue is directly about the SSRF guard policy and how narrowly to exempt RFC2544 fake-IP addresses.
• add impact:auth-provider: The failing path is QQBot access-token acquisition, so credentials/auth setup cannot complete for the affected environment.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: Affected QQBot users behind fake-IP proxy DNS cannot obtain access tokens, which breaks a real channel workflow.
• impact:security: The issue is directly about the SSRF guard policy and how narrowly to exempt RFC2544 fake-IP addresses.
• impact:auth-provider: The failing path is QQBot access-token acquisition, so credentials/auth setup cannot complete for the affected environment.

Evidence reviewed

Security concerns:

• [medium] Keep the RFC2544 allowance host-scoped — extensions/qqbot/src/engine/api/token.ts:233
  Adding allowRfc2544BenchmarkRange without a QQBot token hostname allowlist would weaken the SSRF boundary beyond the reported fake-IP proxy case.
  Confidence: 0.86

What I checked:

• Current token fetch lacks a policy: Current main calls fetchWithSsrFGuard for https://bots.qq.com/app/getAppAccessToken with url, auditContext, capture, and init, but no policy field. (extensions/qqbot/src/engine/api/token.ts:233, 6640d57b647e)
• Current test locks in the missing policy: The token manager test expects the guarded token request shape without any policy, so there is no regression coverage for fake-IP DNS. (extensions/qqbot/src/engine/api/token.test.ts:41, 6640d57b647e)
• Default SSRF policy blocks RFC2544: The net-policy classifier blocks 198.18.0.0/15 unless allowRfc2544BenchmarkRange is true. (packages/net-policy/src/ip.ts:358, 6640d57b647e)
• Sibling media path already has the fake-IP allowance: QQBot media download policy allowlists QQ/Tencent media hosts and sets allowRfc2544BenchmarkRange: true, matching the pattern the report points to. (extensions/qqbot/src/engine/utils/file-utils.ts:66, 6640d57b647e)
• Latest shipped release still lacks the policy: The v2026.5.28 tag has the same token fetch call shape with no policy field, so the reported stable release is not fixed. (extensions/qqbot/src/engine/api/token.ts:227, e93216080aa1)
• History provenance for guarded token path: Commit b855b1d added fetchWithSsrFGuard to the QQBot token and API request paths without adding an RFC2544 token policy. (extensions/qqbot/src/api.ts, b855b1d047ee)

Likely related people:

• Sliverp: Introduced the QQBot channel in commit bf6f506 and later expanded the QQBot media SSRF allowlist in commit ddb7a8d. (role: feature introducer and adjacent QQBot contributor; confidence: high; commits: bf6f506dfae6, ddb7a8dd80b8; files: extensions/qqbot/src/api.ts, extensions/qqbot/src/engine/utils/file-utils.ts)
• vincentkoc: Added the guarded QQBot token/API fetch path without a policy in commit b855b1d and is the recent current-file history owner in the available shallow blame. (role: recent area contributor; confidence: high; commits: b855b1d047ee, abe2145153f0; files: extensions/qqbot/src/api.ts, extensions/qqbot/src/engine/api/token.ts)
• drobison00: Introduced the QQBot media SSRF policy with allowRfc2544BenchmarkRange in commit 37d7c716, which is the closest existing pattern for this token-fetch fix. (role: sibling behavior contributor; confidence: medium; commits: 37d7c716f420; files: extensions/qqbot/src/utils/file-utils.ts, extensions/qqbot/src/utils/file-utils.test.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.