github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-07 03:51:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(security): unify command gating and blocked-key guards

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 13:04:31 +01:00
parent 356d61aacf
commit 08e020881d
10 changed files with 111 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/auto-reply/reply/commands-allowlist.ts
View File

@@ -3,7 +3,6 @@ import { resolveChannelConfigWrites } from "../../channels/plugins/config-writes
import { listPairingChannels } from "../../channels/plugins/pairing.js";
import type { ChannelId } from "../../channels/plugins/types.js";
import { normalizeChannelId } from "../../channels/registry.js";
import { isCommandFlagEnabled } from "../../config/commands.js";
import type { OpenClawConfig } from "../../config/config.js";
import {
readConfigFileSnapshot,
@@ -12,7 +11,6 @@ import {
} from "../../config/config.js";
import { resolveDiscordAccount } from "../../discord/accounts.js";
import { resolveDiscordUserAllowlist } from "../../discord/resolve-users.js";
import { logVerbose } from "../../globals.js";
import { resolveIMessageAccount } from "../../imessage/accounts.js";
import {
addChannelAllowFromStoreEntry,
@@ -25,6 +23,7 @@ import { resolveSlackAccount } from "../../slack/accounts.js";
import { resolveSlackUserAllowlist } from "../../slack/resolve-users.js";
import { resolveTelegramAccount } from "../../telegram/accounts.js";
import { resolveWhatsAppAccount } from "../../web/accounts.js";
import { rejectUnauthorizedCommand, requireCommandFlagEnabled } from "./command-gates.js";
import type { CommandHandler } from "./commands-types.js";
type AllowlistScope = "dm" | "group" | "all";
@@ -331,11 +330,9 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
if (parsed.action === "error") {
return { shouldContinue: false, reply: { text: `⚠️ ${parsed.message}` } };
}
if (!params.command.isAuthorizedSender) {
logVerbose(
`Ignoring /allowlist from unauthorized sender: ${params.command.senderId || "<unknown>"}`,
);
return { shouldContinue: false };
const unauthorized = rejectUnauthorizedCommand(params, "/allowlist");
if (unauthorized) {
return unauthorized;
}
const channelId =
@@ -520,11 +517,13 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
return { shouldContinue: false, reply: { text: lines.join("\n") } };
}
if (!isCommandFlagEnabled(params.cfg, "config")) {
return {
shouldContinue: false,
reply: { text: "⚠️ /allowlist edits are disabled. Set commands.config=true to enable." },
};
const disabled = requireCommandFlagEnabled(params.cfg, {
label: "/allowlist edits",
configKey: "config",
disabledVerb: "are",
});
if (disabled) {
return disabled;
}
const shouldUpdateConfig = parsed.target !== "store";