fix(security): require sender-only matching for elevated allowFrom

Co-authored-by: coygeek <coygeek@users.noreply.github.com>
2026-05-09 20:54:30 +00:00 · 2026-02-22 20:33:19 +01:00
parent 51b0772e14
commit 02772b029d
3 changed files with 59 additions and 2 deletions
--- a/src/auto-reply/reply/reply-elevated.ts
+++ b/src/auto-reply/reply/reply-elevated.ts
@@ -97,8 +97,6 @@ function isApprovedElevatedSender(params: {
  addToken(params.ctx.SenderE164);
  addToken(params.ctx.From);
  addToken(stripSenderPrefix(params.ctx.From));
-  addToken(params.ctx.To);
-  addToken(stripSenderPrefix(params.ctx.To));

  for (const rawEntry of allowTokens) {
    const entry = rawEntry.trim();