fix(security): require sender-only matching for elevated allowFrom

Co-authored-by: coygeek <coygeek@users.noreply.github.com>

CHANGELOG.md

@@ -37,6 +37,7 @@ Docs: https://docs.openclaw.ai
 - Sandbox/Media: map container workspace paths (`/workspace/...` and `file:///workspace/...`) back to the host sandbox root for outbound media validation, preventing false deny errors for sandbox-generated local media. (#23083) Thanks @echo931.
 - Sandbox/Docker: apply custom bind mounts after workspace mounts and prioritize bind-source resolution on overlapping paths, so explicit workspace binds are no longer ignored. (#22669) Thanks @tasaankaeris.
 - Exec approvals/Forwarding: restore Discord text forwarding when component approvals are not configured, and carry request snapshots through resolve events so resolved notices still forward after cache misses/restarts. (#22988) Thanks @bubmiller.
+- Security/Elevated: match `tools.elevated.allowFrom` against sender identities only (not recipient `ctx.To`), closing a recipient-token bypass for `/elevated` authorization. (#11022) Thanks @coygeek.
 - Config/Memory: allow `"mistral"` in `agents.defaults.memorySearch.provider` and `agents.defaults.memorySearch.fallback` schema validation. (#14934) Thanks @ThomsenDrake.
 - Security/Feishu: enforce ID-only allowlist matching for DM/group sender authorization, normalize Feishu ID prefixes during checks, and ignore mutable display names so display-name collisions cannot satisfy allowlist entries. This ships in the next npm release. Thanks @jiseoung for reporting.
 - Feishu/Commands: in group chats, command authorization now falls back to top-level `channels.feishu.allowFrom` when per-group `allowFrom` is not set, so `/command` no longer gets blocked by an unintended empty allowlist. (#23756)

src/auto-reply/reply/reply-elevated.test.ts

@@ -0,0 +1,58 @@
+import { describe, expect, it } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+import type { MsgContext } from "../templating.js";
+import { resolveElevatedPermissions } from "./reply-elevated.js";
+
+function buildConfig(allowFrom: string[]): OpenClawConfig {
+  return {
+    tools: {
+      elevated: {
+        allowFrom: {
+          whatsapp: allowFrom,
+        },
+      },
+    },
+  } as OpenClawConfig;
+}
+
+function buildContext(overrides?: Partial<MsgContext>): MsgContext {
+  return {
+    Provider: "whatsapp",
+    Surface: "whatsapp",
+    From: "whatsapp:+15550001111",
+    SenderE164: "+15550001111",
+    To: "+15559990000",
+    ...overrides,
+  } as MsgContext;
+}
+
+describe("resolveElevatedPermissions", () => {
+  it("authorizes when sender matches allowFrom", () => {
+    const result = resolveElevatedPermissions({
+      cfg: buildConfig(["+15550001111"]),
+      agentId: "main",
+      provider: "whatsapp",
+      ctx: buildContext(),
+    });
+
+    expect(result.enabled).toBe(true);
+    expect(result.allowed).toBe(true);
+    expect(result.failures).toHaveLength(0);
+  });
+
+  it("does not authorize when only recipient matches allowFrom", () => {
+    const result = resolveElevatedPermissions({
+      cfg: buildConfig(["+15559990000"]),
+      agentId: "main",
+      provider: "whatsapp",
+      ctx: buildContext(),
+    });
+
+    expect(result.enabled).toBe(true);
+    expect(result.allowed).toBe(false);
+    expect(result.failures).toContainEqual({
+      gate: "allowFrom",
+      key: "tools.elevated.allowFrom.whatsapp",
+    });
+  });
+});

src/auto-reply/reply/reply-elevated.ts

@@ -97,8 +97,6 @@ function isApprovedElevatedSender(params: {
   addToken(params.ctx.SenderE164);
   addToken(params.ctx.From);
   addToken(stripSenderPrefix(params.ctx.From));
-  addToken(params.ctx.To);
-  addToken(stripSenderPrefix(params.ctx.To));
 
   for (const rawEntry of allowTokens) {
     const entry = rawEntry.trim();