fix: enforce strict allowlist across pairing stores (#23017)

2026-05-10 13:05:01 +00:00 · 2026-02-22 00:00:23 +01:00
parent 617e38cec0
commit 0bd9f0d4ac
31 changed files with 162 additions and 45 deletions
--- a/src/security/dm-policy-shared.ts
+++ b/src/security/dm-policy-shared.ts
@@ -6,6 +6,7 @@ export function resolveEffectiveAllowFromLists(params: {
  allowFrom?: Array<string | number> | null;
  groupAllowFrom?: Array<string | number> | null;
  storeAllowFrom?: Array<string | number> | null;
+  dmPolicy?: string | null;
 }): {
  effectiveAllowFrom: string[];
  effectiveGroupAllowFrom: string[];
@@ -16,9 +17,12 @@ export function resolveEffectiveAllowFromLists(params: {
  const configGroupAllowFrom = normalizeStringEntries(
    Array.isArray(params.groupAllowFrom) ? params.groupAllowFrom : undefined,
  );
-  const storeAllowFrom = normalizeStringEntries(
-    Array.isArray(params.storeAllowFrom) ? params.storeAllowFrom : undefined,
-  );
+  const storeAllowFrom =
+    params.dmPolicy === "allowlist"
+      ? []
+      : normalizeStringEntries(
+          Array.isArray(params.storeAllowFrom) ? params.storeAllowFrom : undefined,
+        );
  const effectiveAllowFrom = normalizeStringEntries([...configAllowFrom, ...storeAllowFrom]);
  const groupBase = configGroupAllowFrom.length > 0 ? configGroupAllowFrom : configAllowFrom;
  const effectiveGroupAllowFrom = normalizeStringEntries([...groupBase, ...storeAllowFrom]);