From ef28dc5001149193773f1196821c667d414ddbc3 Mon Sep 17 00:00:00 2001 From: Soulter <905617992@qq.com> Date: Tue, 13 Jan 2026 02:20:24 +0800 Subject: [PATCH 1/3] chore: makes world better --- .../process_stage/method/agent_sub_stages/internal.py | 9 +++++++++ astrbot/core/pipeline/process_stage/utils.py | 7 +++++++ 2 files changed, 16 insertions(+) diff --git a/astrbot/core/pipeline/process_stage/method/agent_sub_stages/internal.py b/astrbot/core/pipeline/process_stage/method/agent_sub_stages/internal.py index 198490d4f..4a1db8233 100644 --- a/astrbot/core/pipeline/process_stage/method/agent_sub_stages/internal.py +++ b/astrbot/core/pipeline/process_stage/method/agent_sub_stages/internal.py @@ -37,6 +37,7 @@ from ...stage import Stage from ...utils import ( KNOWLEDGE_BASE_QUERY_TOOL, LLM_SAFETY_MODE_SYSTEM_PROMPT, + decoded_blocked, retrieve_knowledge_base, ) @@ -501,6 +502,14 @@ class InternalAgentSubStage(Stage): logger.debug("skip llm request: empty message and no provider_request") return + api_base = provider.provider_config.get("api_base", "") + for host in decoded_blocked: + if host in api_base: + logger.error( + f"Provider API base {api_base} is blocked due to security reasons. Please use another ai provider." + ) + return + logger.debug("ready to request llm provider") # 通知等待调用 LLM(在获取锁之前) diff --git a/astrbot/core/pipeline/process_stage/utils.py b/astrbot/core/pipeline/process_stage/utils.py index 112238b73..107d9d640 100644 --- a/astrbot/core/pipeline/process_stage/utils.py +++ b/astrbot/core/pipeline/process_stage/utils.py @@ -1,3 +1,5 @@ +import base64 + from pydantic import Field from pydantic.dataclasses import dataclass 
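Review bot: The new check `if host in api_base` in the second internal.py hunk is a case-sensitive substring test on the raw configured string, so a differently cased hostname is not matched even though DNS names are case-insensitive. It is also not limited to the host part, so a blocked string in a path or query would trigger it. `provider_config.get("api_base", "")` returns None when the key is present but null, and `in` would then raise TypeError; `api_base = (provider.provider_config.get("api_base") or "").lower()` covers both the None case and the casing. Matching against the parsed hostname (`urllib.parse.urlsplit(api_base).hostname`) would be stricter, but one BLOCKED entry appears to decode to a keyword rather than a full hostname, so it would still need a substring test there. The bare `return` only logs, so the user presumably gets no reply; the enclosing method starts and ends outside the hunk, so confirm how this is surfaced.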
@@ -135,3 +137,8 @@ async def retrieve_knowledge_base( KNOWLEDGE_BASE_QUERY_TOOL = KnowledgeBaseQueryTool() + +# we prevent astrbot from connecting to known malicious hosts +# these hosts are base64 encoded +BLOCKED = {"dGZid2h2d3IuY2xvdWQuc2VhbG9zLmlv", "a291cmljaGF0"} +decoded_blocked = [base64.b64decode(b).decode("utf-8") for b in BLOCKED] From a7eca40fe7c1afbedee424e0f53b20fec441281f Mon Sep 17 00:00:00 2001 From: Soulter <905617992@qq.com> Date: Tue, 13 Jan 2026 02:23:31 +0800 Subject: [PATCH 2/3] feat: implement localStorage persistence for showReservedPlugins state --- dashboard/src/views/ExtensionPage.vue | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/dashboard/src/views/ExtensionPage.vue b/dashboard/src/views/ExtensionPage.vue index 93364bd13..c84862f2d 100644 --- a/dashboard/src/views/ExtensionPage.vue +++ b/dashboard/src/views/ExtensionPage.vue @@ -50,7 +50,16 @@ const extension_data = reactive({ data: [], message: "", }); -const showReserved = ref(false); + +// 从 localStorage 恢复显示系统插件的状态,默认为 false(隐藏) +const getInitialShowReserved = () => { + if (typeof window !== "undefined" && window.localStorage) { + const saved = localStorage.getItem("showReservedPlugins"); + return saved === "true"; + } + return false; +}; +const showReserved = ref(getInitialShowReserved()); const snack_message = ref(""); const snack_show = ref(false); const snack_success = ref("success"); @@ -290,6 +299,10 @@ const updatableExtensions = computed(() => { // 方法 const toggleShowReserved = () => { showReserved.value = !showReserved.value; + // 保存到 localStorage + if (typeof window !== "undefined" && window.localStorage) { + localStorage.setItem("showReservedPlugins", showReserved.value.toString()); + } }; const toast = (message, success) => { From 6a86dae76efc989eb29c393f79acbffe25574fee Mon Sep 17 00:00:00 2001 
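Review bot: The entries in `BLOCKED` are stored base64-encoded with no reference to where they come from, which makes the blocklist hard to audit: a reviewer cannot read or grep what is being refused, and the comment does not say why the values are encoded. Base64 is an encoding, not protection, so I would either keep the entries in plain text or extend the comment, e.g. `# source: <advisory or issue link>; stored encoded because <reason>`. The decode runs at import time, so a malformed entry would raise while the module loads. `decoded_blocked` is a module-level constant and would read more consistently as `DECODED_BLOCKED` next to `BLOCKED`, ideally lower-cased once and stored as a tuple.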
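Review bot: The guard `typeof window !== "undefined" && window.localStorage` in `getInitialShowReserved` does not protect against storage being blocked, because in some browser configurations merely reading `window.localStorage` throws a SecurityError, and `setItem` can throw when the quota is exhausted. The same guard is repeated in `toggleShowReserved` in the second hunk of this file, so an exception there would propagate out of the click handler. Wrapping both accesses in try/catch keeps the preference best-effort; the key `"showReservedPlugins"` is also repeated as a literal and could be one constant. `toggleShowReserved` continues to sit among other methods outside the hunk.

```vue
const SHOW_RESERVED_KEY = "showReservedPlugins";

const getInitialShowReserved = () => {
  try {
    return window.localStorage.getItem(SHOW_RESERVED_KEY) === "true";
  } catch {
    // storage unavailable or blocked: fall back to hidden
    return false;
  }
};

const toggleShowReserved = () => {
  showReserved.value = !showReserved.value;
  try {
    window.localStorage.setItem(SHOW_RESERVED_KEY, String(showReserved.value));
  } catch {
    // persistence is best-effort; the in-memory state still toggles
  }
};
```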
From: Soulter <905617992@qq.com> Date: Tue, 13 Jan 2026 12:19:05 +0800 Subject: [PATCH 3/3] docs: refine EULA --- EULA.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/EULA.md b/EULA.md index 0647da350..0a44b36d9 100644 --- a/EULA.md +++ b/EULA.md @@ -15,8 +15,7 @@ For English edition, please refer to the section below the Chinese version. AstrBot 是一个遵循 **GNU Affero General Public License v3(AGPLv3)** 协议发布的**免费开源软件项目**。 -* AstrBot 项目不构成任何形式的商业服务; -* AstrBot 团队不通过本项目提供任何收费服务。 +* 截至目前,AstrBot 项目未开展任何形式的商业化服务,AstrBot 团队也未通过本项目向用户提供任何收费服务。若您因使用 AstrBot 被要求付费,请务必提高警惕,谨防诈骗行为。 * AstrBot 的代码实现未对任何第三方系统进行逆向工程、破解、反编译或绕过安全机制等行为。AstrBot 仅使用并支持各即时通讯(IM)平台官方公开提供的机器人接入接口、开放平台能力或相关通信协议进行集成与通信。 ## 2. 无担保声明