From 8f4c0bf0882c3c7258a65e3adade12d5b08068ea Mon Sep 17 00:00:00 2001
From: chengoak <chengoak@users.noreply.github.com>
Date: Tue, 28 Apr 2026 22:02:16 +0800
Subject: [PATCH] fix(wecom): pad base64 AES key before decode

WeCom doesn't pad base64 aeskey, causing Python strict mode decode failure
on media/image/file messages. Add automatic padding before base64 decode:
aes_key + '=' * ((4 - len(aes_key) % 4) % 4).

Salvages the AES padding fix from @chengoak's PR #17040. The SSRF whitelist
entry for a private COS bucket hostname was dropped as it belongs in user
config, not the built-in trusted-private-IP-hosts list. The debug-level
full-body info log was dropped to avoid logging potentially sensitive
message content at INFO level.
---
 gateway/platforms/wecom.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gateway/platforms/wecom.py b/gateway/platforms/wecom.py
index 873284de79..c93a8fe3d6 100644
--- a/gateway/platforms/wecom.py
+++ b/gateway/platforms/wecom.py
@@ -1015,6 +1015,8 @@ class WeComAdapter(BasePlatformAdapter):
         if not aes_key:
             raise ValueError("aes_key is required")
 
+        # WeCom doesn't pad base64 keys; add padding if needed
+        aes_key = aes_key + '=' * ((4 - len(aes_key) % 4) % 4)
         key = base64.b64decode(aes_key)
         if len(key) != 32:
             raise ValueError(f"Invalid WeCom AES key length: expected 32 bytes, got {len(key)}")