vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 01:50:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: enforce strict allowlist across pairing stores (#23017)

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 00:00:23 +01:00
committed by GitHub
parent 617e38cec0
commit 0bd9f0d4ac
31 changed files with 162 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/web/auto-reply/monitor/process-message.ts
View File

@@ -28,6 +28,7 @@ import { getAgentScopedMediaLocalRoots } from "../../../media/local-roots.js";
import { readChannelAllowFromStore } from "../../../pairing/pairing-store.js";
import type { resolveAgentRoute } from "../../../routing/resolve-route.js";
import { jidToE164, normalizeE164 } from "../../../utils.js";
import { resolveWhatsAppAccount } from "../../accounts.js";
import { newConnectionId } from "../../reconnect.js";
import { formatError } from "../../session.js";
import { deliverWebReply } from "../deliver-reply.js";
@@ -73,10 +74,11 @@ async function resolveWhatsAppCommandAuthorized(params: {
return false;
}
const configuredAllowFrom = params.cfg.channels?.whatsapp?.allowFrom ?? [];
const account = resolveWhatsAppAccount({ cfg: params.cfg, accountId: params.msg.accountId });
const dmPolicy = account.dmPolicy ?? "pairing";
const configuredAllowFrom = account.allowFrom ?? [];
const configuredGroupAllowFrom =
params.cfg.channels?.whatsapp?.groupAllowFrom ??
(configuredAllowFrom.length > 0 ? configuredAllowFrom : undefined);
account.groupAllowFrom ?? (configuredAllowFrom.length > 0 ? configuredAllowFrom : undefined);
if (isGroup) {
if (!configuredGroupAllowFrom || configuredGroupAllowFrom.length === 0) {
@@ -88,11 +90,12 @@ async function resolveWhatsAppCommandAuthorized(params: {
return normalizeAllowFromE164(configuredGroupAllowFrom).includes(senderE164);
}
const storeAllowFrom = await readChannelAllowFromStore(
"whatsapp",
process.env,
params.msg.accountId,
).catch(() => []);
const storeAllowFrom =
dmPolicy === "allowlist"
? []
: await readChannelAllowFromStore("whatsapp", process.env, params.msg.accountId).catch(
() => [],
);
const combinedAllowFrom = Array.from(
new Set([...(configuredAllowFrom ?? []), ...storeAllowFrom]),
);