Findings
- [Blocker] Feishu app credentials are committed in plaintext; once the repository leaks, their use cannot be controlled. Remove them immediately and rotate.
FEISHU_SETUP.md:6, FEISHU_SETUP.md:24, FEISHU_SETUP.md:49, hub/test-feishu.sh:17, start-hub-feishu.bat:9, start-hub-feishu.ps1:10
Suggested fix:
export FEISHU_APP_ID="<FEISHU_APP_ID>"
export FEISHU_APP_SECRET="<FEISHU_APP_SECRET>"
export FEISHU_VERIFICATION_TOKEN="<FEISHU_VERIFICATION_TOKEN>"
- [Major] Production code paths print message content / event bodies; this may leak user content and credentials, and produces high-frequency logs.
hub/src/notifications/eventParsing.ts:50, hub/src/notifications/notificationHub.ts:61, hub/src/feishu/bot.ts:126
Suggested fix:
const debug = process.env.HAPI_DEBUG_NOTIFICATIONS === 'true'
if (debug) {
console.log('[extractAssistantMessageText] role=%s', role)
}
Summary
- Review mode: initial
- Blocker: plaintext credentials committed to the repository; remove and rotate
- Major: risk of leaking message content through logs
Testing
- Not run (automation)
FEISHU_SETUP.md
| ## ⚠️ 安全提醒 | ||
| **以下凭据为敏感信息,请妥善保管:** | ||
| - App ID: `cli_a933a4feadb81cc9` |
[BLOCKER] Plaintext credentials have been committed. Remove the real values, replace them with placeholders/example values, and rotate the leaked credentials.
Suggested fix:
- App ID: `<FEISHU_APP_ID>`
- App Secret: `<FEISHU_APP_SECRET>`
- Verification Token: `<FEISHU_VERIFICATION_TOKEN>`
| } | ||
| const content = event.message?.content | ||
| console.log('[extractAssistantMessageText] Content:', JSON.stringify(content).substring(0, 200)) |
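Review bot: `JSON.stringify(content).substring(0, 200)` will throw a TypeError when `content` is undefined, because `JSON.stringify(undefined)` returns `undefined` rather than a string, and the optional chain on `event.message?.content` makes that path reachable. If any form of this log line survives, guard it with `typeof content === 'string'` or log `content?.length` instead of the body.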
[MAJOR] A production-path log prints message content, which may leak user data/credentials. Recommend removing it or gating it behind the HAPI_DEBUG_NOTIFICATIONS switch, and never printing the body.
Suggested fix:
const debug = process.env.HAPI_DEBUG_NOTIFICATIONS === 'true'
if (debug) {
console.log('[extractAssistantMessageText] role=%s', role)
}
- Add explicit type definitions for Feishu events (ImMessageReceiveV1Data, CardActionEventData)
- Fix type casting issues in bot.ts for better TypeScript compatibility
- Remove debug console.log statements from eventParsing.ts
- Add 'feishu' to sentFrom type in messageService.ts and syncEngine.ts
- Remove obsolete Windows startup scripts (start-hub-feishu.bat/.ps1)
- Update FEISHU_SETUP.md documentation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Findings
- [Blocker] Feishu credentials committed in plaintext: repository leak risk, and it violates the project's own "do not commit credentials" requirement.
hub/test-feishu.sh:17
Suggested fix:
: "${FEISHU_APP_ID:?Set FEISHU_APP_ID}"
: "${FEISHU_APP_SECRET:?Set FEISHU_APP_SECRET}"
: "${FEISHU_VERIFICATION_TOKEN:?Set FEISHU_VERIFICATION_TOKEN}"
export FEISHU_ENABLED="${FEISHU_ENABLED:-true}"
export FEISHU_NOTIFICATION="${FEISHU_NOTIFICATION:-true}"
export FEISHU_BASE_URL="${FEISHU_BASE_URL:-https://open.feishu.cn}"
- [Major] Feishu events and message bodies are printed to the log in full; they may contain token/open_id/message content. Leak risk.
hub/src/feishu/bot.ts:199
Suggested fix:
console.log('[FeishuBot] im.message.receive_v1', {
messageId: data.message?.message_id,
chatType: data.message?.chat_type,
})
- [Major] NotificationHub writes assistant text to the log, which may leak conversation content.
hub/src/notifications/notificationHub.ts:74
Suggested fix:
const assistantText = extractAssistantMessageText(event)
if (process.env.HAPI_DEBUG_NOTIFICATIONS === 'true') {
console.log(`[NotificationHub] assistantTextLen=${assistantText?.length ?? 0}`)
}
Summary
Review mode: initial. 3 issues (1 Blocker, 2 Major). Plaintext credentials + sensitive log output.
Testing
- Not run (automation)
| # Set environment variables for testing | ||
| export FEISHU_APP_ID="cli_a933a4feadb81cc9" | ||
| export FEISHU_APP_SECRET="e7ScIG1itQdnQPPT4KFsZfsWxrKSXhAT" |
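Review bot: replacing these two values with placeholders is not sufficient on its own; they remain in the branch's commit history, and the Findings list the same credentials in FEISHU_SETUP.md and the removed start-hub-feishu.bat/.ps1 scripts, so the App Secret has to be rotated on the Feishu side however the PR is amended. The `: "${FEISHU_APP_SECRET:?Set FEISHU_APP_SECRET}"` form in the suggested fix also makes the test script fail loudly when run without configuration instead of proceeding with an empty value.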
[BLOCKER] Feishu credentials committed in plaintext; repository leak risk. Recommend reading only from external environment variables or prompting for configuration, and never writing real values.
Suggested fix:
: "${FEISHU_APP_ID:?Set FEISHU_APP_ID}"
: "${FEISHU_APP_SECRET:?Set FEISHU_APP_SECRET}"
: "${FEISHU_VERIFICATION_TOKEN:?Set FEISHU_VERIFICATION_TOKEN}"
export FEISHU_ENABLED="${FEISHU_ENABLED:-true}"
export FEISHU_NOTIFICATION="${FEISHU_NOTIFICATION:-true}"
export FEISHU_BASE_URL="${FEISHU_BASE_URL:-https://open.feishu.cn}"
| * Handle im.message.receive_v1 event | ||
| */ | ||
| private async handleMessageEvent(data: ImMessageReceiveV1Data): Promise<void> { | ||
| console.log('[FeishuBot] Received im.message.receive_v1 event:', JSON.stringify(data, null, 2)) |
[MAJOR] The log prints the full event payload, which may contain token/open_id/message content. Recommend logging only minimal metadata or adding a debug switch.
Suggested fix:
console.log('[FeishuBot] im.message.receive_v1', {
messageId: data.message?.message_id,
chatType: data.message?.chat_type,
})
| // Handle assistant messages | ||
| const assistantText = extractAssistantMessageText(event) | ||
| console.log(`[NotificationHub] Assistant text: ${assistantText ? assistantText.substring(0, 100) : 'null'}`) |
[MAJOR] The log outputs assistant text, which may leak conversation content. Recommend removing it, or logging only the length behind a DEBUG switch.
Suggested fix:
const assistantText = extractAssistantMessageText(event)
if (process.env.HAPI_DEBUG_NOTIFICATIONS === 'true') {
console.log(`[NotificationHub] assistantTextLen=${assistantText?.length ?? 0}`)
}
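The two recurring recommendations in this review, reading credentials only from the environment with a fail-fast check and logging only minimal event metadata behind the HAPI_DEBUG_NOTIFICATIONS switch, put together as one added example. This is not code from the PR or the hub project; the `ImMessageReceiveV1Data` shape below is an assumption that mirrors the field names used in the review comments (message_id, chat_type, content, open_id), and the sample event is constructed.

```typescript
// Added example, not code from the PR. Shows the two review recommendations in
// one place: fail fast on missing Feishu credentials instead of hard-coding
// them, and log only minimal metadata about inbound events behind the
// HAPI_DEBUG_NOTIFICATIONS switch. The event shape is an assumption that
// mirrors the field names used in the review (message_id, chat_type, content).

export interface ImMessageReceiveV1Data {
  message?: {
    message_id?: string
    chat_type?: string
    content?: string // Feishu delivers message content as a JSON string
  }
  sender?: { sender_id?: { open_id?: string } }
}

export interface MessageEventSummary {
  messageId: string | undefined
  chatType: string | undefined
  contentLength: number
}

export interface FeishuConfig {
  appId: string
  appSecret: string
  verificationToken: string
  baseUrl: string
}

type Env = Record<string, string | undefined>
type LogSink = (...args: unknown[]) => void

/** Equivalent of the shell idiom `: "${VAR:?Set VAR}"`: throw if a required variable is unset or empty. */
function requireEnv(env: Env, name: string): string {
  const value = env[name]
  if (!value) throw new Error(`Set ${name}`)
  return value
}

/** Build the config purely from the environment, so no real value has to live in the repository. */
export function loadFeishuConfig(env: Env): FeishuConfig {
  return {
    appId: requireEnv(env, 'FEISHU_APP_ID'),
    appSecret: requireEnv(env, 'FEISHU_APP_SECRET'),
    verificationToken: requireEnv(env, 'FEISHU_VERIFICATION_TOKEN'),
    baseUrl: env.FEISHU_BASE_URL ?? 'https://open.feishu.cn',
  }
}

/** Keep identifiers and sizes only; the message body and the sender's open_id never leave this function. */
export function summarizeMessageEvent(data: ImMessageReceiveV1Data): MessageEventSummary {
  const content = data.message?.content
  return {
    messageId: data.message?.message_id,
    chatType: data.message?.chat_type,
    // typeof guard: JSON.stringify(undefined).substring(...) would throw on a missing body
    contentLength: typeof content === 'string' ? content.length : 0,
  }
}

/** Last line of defence for log lines that might echo a credential (for example a serialized request). */
export function redactSecrets(line: string, cfg: FeishuConfig): string {
  let out = line
  // Both values are guaranteed non-empty by requireEnv, so split() never degenerates to per-character.
  for (const secret of [cfg.appSecret, cfg.verificationToken]) {
    out = out.split(secret).join('[REDACTED]')
  }
  return out
}

/** Emit the summary only when HAPI_DEBUG_NOTIFICATIONS === 'true'; returns whether anything was logged. */
export function logMessageEvent(data: ImMessageReceiveV1Data, env: Env, sink: LogSink = console.log): boolean {
  if (env.HAPI_DEBUG_NOTIFICATIONS !== 'true') return false
  sink('[FeishuBot] im.message.receive_v1', summarizeMessageEvent(data))
  return true
}

// Constructed sample event (not a real Feishu payload) for trying the helpers offline.
export const sampleEvent: ImMessageReceiveV1Data = {
  message: { message_id: 'om_constructed_0001', chat_type: 'p2p', content: '{"text":"hello from a user"}' },
  sender: { sender_id: { open_id: 'ou_constructed_user' } },
}
```

`logMessageEvent` takes the log sink as a parameter so the redaction and gating can be unit-tested without capturing stdout; in the bot it would be called with the default `console.log` from `handleMessageEvent` in place of the `JSON.stringify(data, null, 2)` line.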
Add Feishu support