Skip to content

fix(chat): require per-channel sender allowlist for inbound commands#309

Open
jtalborough wants to merge 1 commit into
xintaofei:mainfrom
jtalborough:security/chat-sender-allowlist
Open

fix(chat): require per-channel sender allowlist for inbound commands#309
jtalborough wants to merge 1 commit into
xintaofei:mainfrom
jtalborough:security/chat-sender-allowlist

Conversation

@jtalborough

Copy link
Copy Markdown

Summary

Adds a fail-closed, per-channel sender allowlist so only authorized senders can drive agents through chat channels (Telegram / Lark / WeChat).

Why (security)

dispatch_command currently routes purely on the command verb — the inbound sender_id is logged and used for per-sender context, but it is never authorized. The chat commands it routes to are not read-only: /task spawns and drives an agent with the host's full tool access, and /approve always enables auto-approval that removes the human-in-the-loop for subsequent tool calls.

The practical consequence: anyone who can message the bot (e.g. anyone who finds a Telegram bot's handle, or is in a group it's added to) can run arbitrary tasks → effectively unauthenticated remote code execution on the host, especially for an always-on / internet-reachable deployment. chat_id only scopes outbound messages; inbound getUpdates delivers from any chat.

What this does

  • A fail-closed authorization gate at the top of dispatch_command (one place → covers all backends). Only sender ids listed in the channel's config_json.allowed_senders may drive the bot.
  • Empty/unset allowlist authorizes no one. A blocked sender is replied with their own sender id so the operator can add it from the channel settings.
  • chat_channel/authz.rs — pure is_sender_allowed() with unit tests.
  • Unauthorized reply is localized (all 10 languages).
  • "Allowed Sender IDs" field added to the add/edit channel dialogs.

Validation

cargo test/cargo clippy -D warnings (server mode) and eslint pass.

Notes

  • The new dialog field labels are English-only for now — happy to wire them through i18n/messages/* if you'd prefer that before merge.
  • Discovered while hardening a self-hosted deployment; reporting with the fix attached rather than as a bare issue. Glad to coordinate on disclosure/versioning however you prefer.

🤖 Generated with Claude Code

)

* fix(chat): require per-channel sender allowlist for inbound commands

Chat-channel commands (/task, /folder, /approve, …) spawn and drive agents
with the host's full privileges, but the dispatcher routed purely on the
command verb — sender_id was logged and used for context yet never authorized.
Any user who could message the bot could run arbitrary tasks (RCE) and
/approve always disabled the human-in-the-loop. This is acute for an always-on
server reachable via Telegram.

Add a fail-closed authorization gate at the top of dispatch_command (covers
Telegram, Lark, and WeChat in one place): only sender ids listed in the
channel's config_json `allowed_senders` may drive the bot. An empty/unset list
authorizes no one; a blocked sender is told their own id so the operator can
add it. Surfaced in the add/edit channel dialogs as an "Allowed Sender IDs"
field.

- chat_channel/authz.rs: pure is_sender_allowed() + unit tests
- command_dispatcher.rs: gate before any command, incl. follow-ups
- i18n.rs: unauthorized reply (10 languages)
- add/edit-chat-channel-dialog.tsx: allowlist management UI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(chat): annotate allowedSenders types for strict tsc

`pnpm build` (strict tsc) flagged the `.map((s) => …)` callback as implicit
`any`: in the edit dialog `config` comes from `JSON.parse` (any), so the
`allowedSenders` state inferred `any`. Type the state as `string` and annotate
the map parameter. eslint doesn't run the type-checker so it passed locally;
validated now with `pnpm build` + `pnpm test` (1747 passing).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant