github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 16:48:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: enforce strict allowlist across pairing stores (#23017)

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 00:00:23 +01:00
committed by GitHub
parent 617e38cec0
commit 0bd9f0d4ac
31 changed files with 162 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/discord/monitor/agent-components.ts
View File

@@ -464,7 +464,8 @@ async function ensureDmComponentAuthorized(params: {
return true;
}
const storeAllowFrom = await readChannelAllowFromStore("discord").catch(() => []);
const storeAllowFrom =
dmPolicy === "allowlist" ? [] : await readChannelAllowFromStore("discord").catch(() => []);
const effectiveAllowFrom = [...(ctx.allowFrom ?? []), ...storeAllowFrom];
const allowList = normalizeDiscordAllowList(effectiveAllowFrom, ["discord:", "user:", "pk:"]);
const allowMatch = allowList

3
src/discord/monitor/message-handler.preflight.ts
View File

@@ -178,7 +178,8 @@ export async function preflightDiscordMessage(
return null;
}
if (dmPolicy !== "open") {
const storeAllowFrom = await readChannelAllowFromStore("discord").catch(() => []);
const storeAllowFrom =
dmPolicy === "allowlist" ? [] : await readChannelAllowFromStore("discord").catch(() => []);
const effectiveAllowFrom = [...(params.allowFrom ?? []), ...storeAllowFrom];
const allowList = normalizeDiscordAllowList(effectiveAllowFrom, ["discord:", "user:", "pk:"]);
const allowMatch = allowList

7
src/discord/monitor/monitor.test.ts
View File

@@ -140,7 +140,7 @@ describe("agent components", () => {
expect(enqueueSystemEventMock).not.toHaveBeenCalled();
});
it("allows DM interactions when pairing store allowlist matches", async () => {
it("blocks DM interactions when only pairing store entries match in allowlist mode", async () => {
readAllowFromStoreMock.mockResolvedValue(["123456789"]);
const button = createAgentComponentButton({
cfg: createCfg(),
@@ -152,8 +152,9 @@ describe("agent components", () => {
await button.run(interaction, { componentId: "hello" } as ComponentData);
expect(defer).toHaveBeenCalledWith({ ephemeral: true });
expect(reply).toHaveBeenCalledWith({ content: "" });
expect(enqueueSystemEventMock).toHaveBeenCalled();
expect(reply).toHaveBeenCalledWith({ content: "You are not authorized to use this button." });
expect(enqueueSystemEventMock).not.toHaveBeenCalled();
expect(readAllowFromStoreMock).not.toHaveBeenCalled();
});
it("matches tag-based allowlist entries for DM select menus", async () => {

3
src/discord/monitor/native-command.ts
View File

@@ -1349,7 +1349,8 @@ async function dispatchDiscordCommandInteraction(params: {
return;
}
if (dmPolicy !== "open") {
const storeAllowFrom = await readChannelAllowFromStore("discord").catch(() => []);
const storeAllowFrom =
dmPolicy === "allowlist" ? [] : await readChannelAllowFromStore("discord").catch(() => []);
const effectiveAllowFrom = [
...(discordConfig?.allowFrom ?? discordConfig?.dm?.allowFrom ?? []),
...storeAllowFrom,