omi Fix: App Uninstallation Data Access

(Fix #1836)

A security vulnerability was identified where external apps (like omi-telebot) continued to have access to user data even after being uninstalled. This occurred because:

The app uninstallation process only removed the app from the user's enabled apps list
It did not properly clean up webhooks or notify external services

Fix Implementation

Modified disable_app() in Redis to clean up any app-specific webhook keys
Added code to notify external services when an app is uninstalled (and update doc)
Added exception handling to ensure uninstallation succeeds even if notification fails

External Integration Tracking

Added methods to the ExternalIntegration class to store and clean up webhook URLs
Ensured webhook URLs are stored in a way that allows for proper cleanup on uninstallation

Tests

I made test_security.py (in the backend/tests directory)

pip install pytest pytest-cov requests redis

This test script verifies the key functionality:

Simulates app installation and data storage in Redis
Tests the uninstallation process to ensure all data is cleaned up
Verifies no app-related data remains after uninstallation

Running the Tests

There are two main ways to run the tests:

1. Using pytest (recommended for detailed testing)


# Run all tests
python -m pytest backend/tests

2. Using the standalone script (quick verification)

# Run directly from any directory
python backend/tests/test_security.py

Tests Before:

✅ Test 1: App removed from enabled plugins ❌ Test 2: Webhook key deleted ❌ Test 3: Token key deleted ❌ Test 4: Settings key deleted ❌ Test 5: No app keys remain

After fix 667dce10a395e61385eb91d0d5a3e8a3740ff239

✅ Test 1: App removed from enabled plugins ✅ Test 2: Webhook key deleted ✅ Test 3: Token key deleted ✅ Test 4: Settings key deleted ✅ Test 5: No app keys remain

Mar 13 '25 21:03 skywinder

Tests works be fine, ready for review!

Can't access to the apps, so I test it locally:

before: CleanShot 2025-03-13 at 22 58 29@2x

after fix 667dce10a395e61385eb91d0d5a3e8a3740ff239 CleanShot 2025-03-13 at 22 58 52@2x

Mar 13 '25 22:03 skywinder

1/ what is the cause, exactly, man ?

@skywinder

Mar 14 '25 01:03 beastoin

@beastoin, I describe the whole process in #1836. The app grants unlimited access to my data upon installation, which I can’t revoke. This is super creepy.

Mar 15 '25 19:03 skywinder

1/ the problem is clear, but i am asking for the cause, man. just tell me exactly what the cause is, so that you can get to the point and fix it. no rush, read more code if you needed.

@skywinder ~

Mar 16 '25 04:03 beastoin

There is no specific check or logic to handle this scenario. I added the necessary logic and tests.

In the issue, I stated:

This occurred because: 1. The app uninstallation process only removed the app from the user’s enabled apps list. 2. It did not properly clean up webhooks or notify external services.

That is exactly the error causing the problem.

What is your exact question regarding this issue? @beastoin

Mar 16 '25 06:03 skywinder

1/ let me make the question clearer(and smaller).

do you really understand how the app omi-telebot works ? if yes, tell me.
how does it integrate(work) with the omi system to perform the specific triggered events ?
what's the the faulty part in the flow causing the issue at #1836 ? show me the related code from omi repo.

@skywinder

Mar 16 '25 07:03 beastoin

/ draft

feel free to ping me after 2 weeks, have a nice trip @skywinder

Mar 17 '25 04:03 beastoin

/ closed

feel free to reopen it any time man.

Mar 24 '25 23:03 beastoin

hey man, it's cleaning time.

/ closed

3 days with no updates feel free to reopen it anytime

Apr 14 '25 10:04 beastoin