fix(msteams): block untrusted Teams service URLs

[eleqtrizit]

Summary

Block Microsoft Teams Bot Framework outbound activity requests from using connector credentials with untrusted serviceUrl hosts.

Changes

• Add a Teams Bot Framework serviceUrl allowlist and matching SSRF policy for documented Microsoft Teams connector hosts.
• Validate serviceUrl before constructing the Teams API client or sending update/delete REST calls with Bot Framework tokens.
• Stop persisting blocked inbound serviceUrl values and remove blocked stored proactive references before reuse.
• Add regression coverage for send, update, delete, stored-reference cleanup, and valid-host guard policy behavior.

Validation

Behavior addressed: Teams outbound send/update/delete paths no longer attach Bot Framework credentials to non-allowlisted serviceUrl hosts.

Real environment tested: Local Linux source checkout; Crabbox/Testbox remote proof was unavailable because no working crabbox binary is installed in this container.

Exact steps or command run after this patch:

• node scripts/run-vitest.mjs extensions/msteams/src/sdk.test.ts extensions/msteams/src/send-context.test.ts extensions/msteams/src/monitor-handler/message-handler.authz.test.ts
• corepack pnpm check:changed
• node scripts/run-vitest.mjs extensions/msteams

Evidence after fix: Targeted Teams tests passed with 3 files / 62 tests; local changed check passed; full extensions/msteams Vitest lane passed with 66 files / 924 tests.

Observed result after fix: Blocked serviceUrl hosts reject before token lookup or fetch; valid Microsoft Teams service URLs still send through the guarded connector path.

What was not tested: Live Microsoft Teams tenant traffic and remote Crabbox/Testbox proof.

Notes

• AI-assisted with Codex.
• No CHANGELOG.md update.
• No exploit walkthrough or advisory details are included in this public PR body.

[clawsweeper]

Codex review: found issues before merge. Reviewed May 27, 2026, 12:14 PM ET / 16:14 UTC.

Summary
The PR adds a Microsoft Teams Bot Framework serviceUrl allowlist, applies it to send/update/delete and stored proactive references, and adds regression tests.

PR surface: Source +111, Tests +259. Total +370 across 8 files.

Reproducibility: yes. Source inspection shows a default-allowed trafficmanager.net serviceUrl can reach the Bot Framework attachment downloader, which acquires a Bot Framework token and sends Authorization on the initial fetch; the contributor proof covers send/update/delete but not this sibling path.

Review metrics: 1 noteworthy metric.

• Token-bearing serviceUrl coverage: 4 guarded, 1 unresolved. The PR guards SDK send, update, delete, and stored proactive reuse, but Bot Framework attachment downloads remain a credential-bearing serviceUrl path to settle before merge.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🐚 platinum hermit
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Apply the same serviceUrl guard to Bot Framework attachment downloads or merge an equivalent attachment-auth fix first.
• Add regression coverage for a blocked trafficmanager.net attachment serviceUrl before token acquisition or first-hop Authorization.
• Resolve the overlap with fix(msteams): bind bot framework service urls #87160 so maintainers have one complete Teams serviceUrl hardening path.

Risk before merge

• The PR fail-closes stored or inbound Teams serviceUrls that are outside the new allowlist, so a legitimate missing sovereign or edge endpoint could break send/update/delete or proactive delivery until the bot receives a fresh allowed reference.
• The PR leaves the Bot Framework attachment serviceUrl path outside the new guard; current defaults allow trafficmanager.net media hosts and the attachment downloader can attach a Bot Framework token on the initial fetch.
• There is an overlapping open Teams serviceUrl/media-auth PR, so maintainers need to choose whether to merge, combine, or sequence the two security changes.

Maintainer options:

1. Cover every Bot Framework serviceUrl token path (recommended)
   Extend this branch, or combine it with the related media-auth branch, so send/update/delete/proactive and Bot Framework attachment downloads all reject or strip credentials consistently before merge.
2. Accept a scoped partial hardening
   Maintainers can intentionally land only the activity-send hardening if they also keep a tracked follow-up for attachment serviceUrl credential handling and own the temporary boundary gap.
3. Pause behind the related security PR
   If the serviceUrl contract should be solved in the media-auth PR first, pause this PR until the two branches have a single non-overlapping owner.

Next step before merge
Maintainer/security review should choose the canonical path between this PR and the related media-auth PR, then require the full Bot Framework serviceUrl credential boundary before merge.

Security
Needs attention: The diff improves Teams activity credential routing, but a concrete Bot Framework attachment serviceUrl token path remains outside the new allowlist.

Review findings

• [P1] Guard the Bot Framework attachment serviceUrl path — extensions/msteams/src/monitor-handler/message-handler.ts:157

Review details

Best possible solution:

Land one complete Teams serviceUrl hardening path that reuses the same allowlist for every token-bearing Bot Framework URL surface, with maintainer/security approval and explicit proof for default-host send/update/delete, proactive reuse, and attachment-download behavior.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows a default-allowed trafficmanager.net serviceUrl can reach the Bot Framework attachment downloader, which acquires a Bot Framework token and sends Authorization on the initial fetch; the contributor proof covers send/update/delete but not this sibling path.

Is this the best way to solve the issue?

No. The send/update/delete guard is the right direction, but the PR is incomplete until the inbound Bot Framework attachment serviceUrl path reuses the same allowlist or is explicitly split to a merged canonical fix.

Full review comments:

• [P1] Guard the Bot Framework attachment serviceUrl path — extensions/msteams/src/monitor-handler/message-handler.ts:157
  This sanitizes the stored reference, but the same inbound activity.serviceUrl still flows into resolveMSTeamsInboundMedia. For personal-DM attachment fallbacks, downloadMSTeamsBotFrameworkAttachment accepts default trafficmanager.net media hosts, gets a Bot Framework token, and sends it on the initial ${serviceUrl}/v3/attachments/... request before authAllowHosts can strip redirects. Reuse this serviceUrl allowlist for that media path, or merge the equivalent attachment-auth fix before this PR lands.
  Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d2a1f62d238b.

Label changes

Label changes:

• add merge-risk: 🚨 security-boundary: The PR is meant to prevent Bot Framework credentials from reaching untrusted serviceUrl hosts, and one sibling token-bearing path remains unresolved.
• add proof: sufficient: Contributor real behavior proof is sufficient. The follow-up comment provides redacted live output from a one-off runtime harness using the actual PR adapter and FS cleanup paths; it is sufficient for the changed local behavior but does not cover the remaining attachment path or live Teams tenant traffic.
• add rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🐚 platinum hermit and patch quality is 🧂 unranked krab.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The follow-up comment provides redacted live output from a one-off runtime harness using the actual PR adapter and FS cleanup paths; it is sufficient for the changed local behavior but does not cover the remaining attachment path or live Teams tenant traffic.
• remove rating: 🦪 silver shellfish: Current PR rating is rating: 🧂 unranked krab, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: ⏳ waiting on author.

Label justifications:

• P1: This is an urgent Teams channel credential-boundary fix that can affect real message delivery and token routing.
• merge-risk: 🚨 compatibility: Existing stored references or legitimate Teams service hosts outside the new allowlist can start failing after upgrade.
• merge-risk: 🚨 message-delivery: A missing allowed host or removed stored reference can suppress Teams send/update/delete/proactive delivery.
• merge-risk: 🚨 security-boundary: The PR is meant to prevent Bot Framework credentials from reaching untrusted serviceUrl hosts, and one sibling token-bearing path remains unresolved.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🐚 platinum hermit and patch quality is 🧂 unranked krab.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The follow-up comment provides redacted live output from a one-off runtime harness using the actual PR adapter and FS cleanup paths; it is sufficient for the changed local behavior but does not cover the remaining attachment path or live Teams tenant traffic.
• proof: sufficient: Contributor real behavior proof is sufficient. The follow-up comment provides redacted live output from a one-off runtime harness using the actual PR adapter and FS cleanup paths; it is sufficient for the changed local behavior but does not cover the remaining attachment path or live Teams tenant traffic.

Evidence reviewed

PR surface:

Source +111, Tests +259. Total +370 across 8 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	131	20	+111
Tests	3	273	14	+259
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	8	404	34	+370

Security concerns:

• [high] Bot Framework attachment token can still follow raw serviceUrl — extensions/msteams/src/monitor-handler/message-handler.ts:157
  The current attachment downloader builds Bot Framework attachment URLs from the inbound serviceUrl and sends Authorization on the first fetch; this PR does not extend its new allowlist to that path, leaving the same credential-boundary class partially open.
  Confidence: 0.86

Acceptance criteria:

• node scripts/run-vitest.mjs extensions/msteams/src/sdk.test.ts extensions/msteams/src/send-context.test.ts extensions/msteams/src/monitor-handler/message-handler.authz.test.ts
• node scripts/run-vitest.mjs extensions/msteams/src/attachments/bot-framework.test.ts extensions/msteams/src/attachments/shared.test.ts extensions/msteams/src/monitor-handler/inbound-media.test.ts

What I checked:

• Repository policy applied: Root AGENTS.md and extensions/AGENTS.md were read fully; the Teams plugin change is compatibility- and security-sensitive under the repo guidance for bundled plugins, provider/auth state, and whole-surface review. (AGENTS.md:13, d2a1f62d238b)
• PR send/update/delete hardening: The PR adds bot-framework-service-url.ts and normalizes or rejects serviceUrl before the Teams SDK client and update/delete REST paths use Bot Framework tokens. (extensions/msteams/src/bot-framework-service-url.ts:8, f199b817d07c)
• Current attachment default allowlist is broad: Current main allows trafficmanager.net for media downloads while the auth allowlist is narrower; that makes the Bot Framework attachment path part of the same credential boundary. (extensions/msteams/src/attachments/shared.ts:42, d2a1f62d238b)
• Current attachment path can send the token on the first hop: Current main obtains a Bot Framework-scoped token after the serviceUrl host passes media allowHosts and then builds the attachment URL from serviceUrl with an Authorization header before the initial safeFetchWithPolicy call. (extensions/msteams/src/attachments/bot-framework.ts:190, d2a1f62d238b)
• Initial fetch does not strip auth: safeFetchWithPolicy passes the initial request headers through; authorizationAllowHosts is only applied when following redirects, so callers must avoid adding Authorization for a non-auth-allowlisted first-hop URL. (extensions/msteams/src/attachments/shared.ts:547, d2a1f62d238b)
• Raw inbound serviceUrl still feeds media: The message handler currently passes activity.serviceUrl into resolveMSTeamsInboundMedia, and this PR only normalizes the stored conversation reference in that file. (extensions/msteams/src/monitor-handler/message-handler.ts:607, d2a1f62d238b)

Likely related people:

• steipete: Recent path history shows shared coercion and bounded media-download refactors touching the Teams SDK and media/auth helper surfaces involved in this review. (role: recent area contributor; confidence: medium; commits: 77d9ac30bb8d, 53d007bc878c; files: extensions/msteams/src/sdk.ts, extensions/msteams/src/attachments/shared.ts)
• sudie-codes: Introduced the Bot Framework DM media attachment path that now needs to be reconciled with the new serviceUrl guard. (role: feature introducer; confidence: high; commits: ab9be8dba547; files: extensions/msteams/src/attachments/bot-framework.ts)
• Beandon13: Recently worked on Teams Bot Framework JWT validation and outbound reply network-error behavior in the same SDK and monitor area. (role: recent auth/runtime contributor; confidence: medium; commits: eecda912ee75; files: extensions/msteams/src/sdk.ts, extensions/msteams/src/monitor.ts, extensions/msteams/src/monitor-handler/message-handler.ts)
• vincentkoc: Recent Teams auth history includes binding global audience tokens to the app id in the validator surface adjacent to this PR's credential handling. (role: auth behavior contributor; confidence: medium; commits: e1840b858125; files: extensions/msteams/src/sdk.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[eleqtrizit]

[CODEX BEHAVIORAL PROOF]

Behavior addressed: Teams outbound activity send/update/delete still work for an allowed Microsoft Bot Framework serviceUrl, and blocked serviceUrl hosts are rejected before Bot Framework token lookup, SDK send, or fetch. Existing blocked stored conversation references are also removed before proactive reuse.

Real environment tested: Local Linux source checkout at PR head f199b817d07ca83bcb0c0d32e544620e307bccd8. The proof imported the actual PR code from extensions/msteams/src/sdk.ts, used the actual createMSTeamsAdapter runtime path, and used the actual fetchWithSsrFGuard path for update/delete. No real Teams tenant secret was used; the token provider returned a redacted sentinel token. Crabbox/Testbox was not available in this container because the local Crabbox binary failed wrapper sanity checks.

Exact steps or command run after this patch: Ran a one-off runtime harness with node --import tsx --input-type=module from the repo root. It exercised:

• allowed proactive ctx.sendActivity, ctx.updateActivity, and ctx.deleteActivity using https://smba.trafficmanager.net/amer/
• blocked inbound sendActivity, updateActivity, and deleteActivity using a redacted non-Microsoft host
• blocked stored-reference proactive reuse and the real FS conversation-store cleanup path

Evidence after fix:

{
  "adapterRuntimeProof": {
    "result": "PASS",
    "allowed": {
      "sdkCreates": 1,
      "fetchCalls": 2,
      "tokenLookups": 3,
      "fetchMethods": [
        "PUT:smba.trafficmanager.net",
        "DELETE:smba.trafficmanager.net"
      ]
    },
    "blocked": [
      {
        "method": "sendActivity",
        "status": 500,
        "tokenLookupsDelta": 0,
        "fetchCallsDelta": 0,
        "sdkCreateCallsDelta": 0
      },
      {
        "method": "updateActivity",
        "status": 500,
        "tokenLookupsDelta": 0,
        "fetchCallsDelta": 0,
        "sdkCreateCallsDelta": 0
      },
      {
        "method": "deleteActivity",
        "status": 500,
        "tokenLookupsDelta": 0,
        "fetchCallsDelta": 0,
        "sdkCreateCallsDelta": 0
      },
      {
        "method": "storedReference",
        "error": "Blocked Microsoft Teams serviceUrl host: <blocked-host>",
        "tokenLookupsDelta": 0,
        "fetchCallsDelta": 0,
        "sdkCreateCallsDelta": 0
      }
    ]
  },
  "storedReferenceFsProof": {
    "result": "PASS",
    "removedFromFsStore": true,
    "error": "Stored Microsoft Teams conversation reference has blocked serviceUrl host: <blocked-host>. The bot must receive a new message from this conversation before it can send proactively."
  }
}

Observed result after fix: The allowed host path normalized the service URL to https://smba.trafficmanager.net/amer, constructed the SDK send client, performed a redacted token lookup for send/update/delete, and issued PUT/DELETE fetches through the guarded connector URL. The blocked inbound and blocked stored-reference paths performed no token lookup, no SDK send, and no fetch. The blocked FS-backed stored reference was removed from the conversation store before proactive send setup continued.

Dependency and host-contract proof: @microsoft/teams.api@2.0.11 builds conversation activity URLs from the supplied serviceUrl, and @microsoft/teams.common@2.0.11 attaches Authorization: Bearer ... when a token callback is configured. Microsoft Learn lists the public, GCC, GCC High, and DoD proactive Teams Bot Framework service URL endpoints covered by this PR's allowlist: https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/conversations/send-proactive-messages?tutorial-step=2

What was not tested: Live Microsoft Teams tenant traffic, real Bot Framework credentials, and remote Crabbox/Testbox proof.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26523163281
• Updated: 2026-05-27T16:15:26.611Z