From ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d Mon Sep 17 00:00:00 2001
From: Sliverp <38134380+sliverp@users.noreply.github.com>
Date: Mon, 13 Apr 2026 15:49:32 +0800
Subject: [PATCH] Feat/fix qq ssrf url list (#65788)
* fix: update qqbot media host allowlist
* fix: update qqbot media host allowlist
* fix: update qqbot media host allowlist
* fix: update qqbot media host allowlist
---
 extensions/qqbot/src/utils/file-utils.test.ts | 11 ++++++++++-
 extensions/qqbot/src/utils/file-utils.ts | 11 ++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/extensions/qqbot/src/utils/file-utils.test.ts b/extensions/qqbot/src/utils/file-utils.test.ts
index 3c0b64ca9f0..302db50627a 100644
--- a/extensions/qqbot/src/utils/file-utils.test.ts
+++ b/extensions/qqbot/src/utils/file-utils.test.ts
@@ -47,7 +47,16 @@ describe("qqbot file-utils downloadFile", () => {
 ssrfPolicy: QQBOT_MEDIA_SSRF_POLICY,
 });
 expect(QQBOT_MEDIA_SSRF_POLICY).toEqual({
- hostnameAllowlist: ["*.myqcloud.com", "*.qpic.cn", "*.qq.com", "*.tencentcos.com"],
+ hostnameAllowlist: [
+ "*.qpic.cn",
+ "*.qq.com",
+ "*.weiyun.com",
+ "*.qq.com.cn",
+ "*.ugcimg.cn",
+ "*.myqcloud.com",
+ "*.tencentcos.cn",
+ "*.tencentcos.com",
+ ],
 allowRfc2544BenchmarkRange: true,
 });
 });
diff --git a/extensions/qqbot/src/utils/file-utils.ts b/extensions/qqbot/src/utils/file-utils.ts
index f7509cab660..27e017fc1a5 100644
--- a/extensions/qqbot/src/utils/file-utils.ts
+++ b/extensions/qqbot/src/utils/file-utils.ts
@@ -16,9 +16,18 @@ export const MAX_UPLOAD_SIZE = 20 * 1024 * 1024;
 export const LARGE_FILE_THRESHOLD = 5 * 1024 * 1024;
 const QQBOT_MEDIA_HOSTNAME_ALLOWLIST = [
- "*.myqcloud.com",
+ // QQ富媒体
 "*.qpic.cn",
 "*.qq.com",
+ "*.weiyun.com",
+ "*.qq.com.cn",
+
+ // QQ机器人
+ "*.ugcimg.cn",
+
+ // 腾讯云COS
+ "*.myqcloud.com",
+ "*.tencentcos.cn",
 "*.tencentcos.com",
 ];
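Review bot: The `toEqual` expectation in this hunk pins the allowlist literal but never runs a hostname through the policy, so the widened list is checked only against a copy of itself. With four new suffixes (`*.weiyun.com`, `*.qq.com.cn`, `*.ugcimg.cn`, `*.tencentcos.cn`), I would add negative cases beside it that expect rejection for look-alike hosts, using constructed names such as `qq.com.cn.example.test` and `notweiyun.com`. The enclosing `describe`/`it` body starts and ends outside the hunk, so such cases may already exist elsewhere in the file.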
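Review bot: The three entries under `// 腾讯云COS` (`*.myqcloud.com`, `*.tencentcos.cn`, `*.tencentcos.com`) look like shared object-storage suffixes, and `*.weiyun.com` like a file-sharing service, so a match on this list says where the request goes, not who controls the content served there. If any tenant can publish under those suffixes, the download path must keep treating the response body as untrusted (size cap, content-type check, policy re-checked on every redirect); that code is outside the hunk. I would say so above the array, e.g. `// SSRF allowlist: restricts destination hosts only; hosts under the COS suffixes may serve third-party content.`, and write the three group comments in English with the reason each suffix is needed. Please also confirm that `*.qq.com.cn` and `*.ugcimg.cn` are registrable domains operated by the platform, since a wildcard on a domain it does not control would hand the allowlist to whoever does.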