diff --git a/CHANGELOG.md b/CHANGELOG.md index 0cc8df3e9..ddb6c4431 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,7 @@ Docs: https://docs.openclaw.ai - Sandbox/Media: map container workspace paths (`/workspace/...` and `file:///workspace/...`) back to the host sandbox root for outbound media validation, preventing false deny errors for sandbox-generated local media. (#23083) Thanks @echo931. - Sandbox/Docker: apply custom bind mounts after workspace mounts and prioritize bind-source resolution on overlapping paths, so explicit workspace binds are no longer ignored. (#22669) Thanks @tasaankaeris. - Exec approvals/Forwarding: restore Discord text forwarding when component approvals are not configured, and carry request snapshots through resolve events so resolved notices still forward after cache misses/restarts. (#22988) Thanks @bubmiller. +- Security/Elevated: match `tools.elevated.allowFrom` against sender identities only (not recipient `ctx.To`), closing a recipient-token bypass for `/elevated` authorization. (#11022) Thanks @coygeek. - Config/Memory: allow `"mistral"` in `agents.defaults.memorySearch.provider` and `agents.defaults.memorySearch.fallback` schema validation. (#14934) Thanks @ThomsenDrake. - Security/Feishu: enforce ID-only allowlist matching for DM/group sender authorization, normalize Feishu ID prefixes during checks, and ignore mutable display names so display-name collisions cannot satisfy allowlist entries. This ships in the next npm release. Thanks @jiseoung for reporting. - Feishu/Commands: in group chats, command authorization now falls back to top-level `channels.feishu.allowFrom` when per-group `allowFrom` is not set, so `/command` no longer gets blocked by an unintended empty allowlist. (#23756) diff --git a/src/auto-reply/reply/reply-elevated.test.ts b/src/auto-reply/reply/reply-elevated.test.ts new file mode 100644 index 000000000..51371cb90 --- /dev/null +++ b/src/auto-reply/reply/reply-elevated.test.ts @@ -0,0 +1,58 @@ +import { describe, expect, it } from "vitest"; +import type { OpenClawConfig } from "../../config/config.js"; +import type { MsgContext } from "../templating.js"; +import { resolveElevatedPermissions } from "./reply-elevated.js"; + +function buildConfig(allowFrom: string[]): OpenClawConfig { + return { + tools: { + elevated: { + allowFrom: { + whatsapp: allowFrom, + }, + }, + }, + } as OpenClawConfig; +} + +function buildContext(overrides?: Partial): MsgContext { + return { + Provider: "whatsapp", + Surface: "whatsapp", + From: "whatsapp:+15550001111", + SenderE164: "+15550001111", + To: "+15559990000", + ...overrides, + } as MsgContext; +} + +describe("resolveElevatedPermissions", () => { + it("authorizes when sender matches allowFrom", () => { + const result = resolveElevatedPermissions({ + cfg: buildConfig(["+15550001111"]), + agentId: "main", + provider: "whatsapp", + ctx: buildContext(), + }); + + expect(result.enabled).toBe(true); + expect(result.allowed).toBe(true); + expect(result.failures).toHaveLength(0); + }); + + it("does not authorize when only recipient matches allowFrom", () => { + const result = resolveElevatedPermissions({ + cfg: buildConfig(["+15559990000"]), + agentId: "main", + provider: "whatsapp", + ctx: buildContext(), + }); + + expect(result.enabled).toBe(true); + expect(result.allowed).toBe(false); + expect(result.failures).toContainEqual({ + gate: "allowFrom", + key: "tools.elevated.allowFrom.whatsapp", + }); + }); +}); diff --git a/src/auto-reply/reply/reply-elevated.ts b/src/auto-reply/reply/reply-elevated.ts index 43727aa9e..744274fda 100644 --- a/src/auto-reply/reply/reply-elevated.ts +++ b/src/auto-reply/reply/reply-elevated.ts @@ -97,8 +97,6 @@ function isApprovedElevatedSender(params: { addToken(params.ctx.SenderE164); addToken(params.ctx.From); addToken(stripSenderPrefix(params.ctx.From)); - addToken(params.ctx.To); - addToken(stripSenderPrefix(params.ctx.To)); for (const rawEntry of allowTokens) { const entry = rawEntry.trim();