WhatsApp: enforce allowFrom for explicit outbound sends (#20921)

* whatsapp: enforce allowFrom in explicit outbound mode * Update CHANGELOG.md --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-05-08 05:31:23 +00:00 · 2026-02-23 00:13:23 +01:00
parent d7747148d0
commit 22c9018303
3 changed files with 30 additions and 17 deletions
--- a/src/whatsapp/resolve-outbound-target.test.ts
+++ b/src/whatsapp/resolve-outbound-target.test.ts
@@ -208,8 +208,8 @@ describe("resolveWhatsAppOutboundTarget", () => {
    });
  });

-  describe("other modes (allow all valid targets)", () => {
-    it("allows message in null mode", () => {
+  describe("explicit/custom modes", () => {
+    it("allows message in null mode when allowList is not set", () => {
      vi.mocked(normalize.normalizeWhatsAppTarget).mockReturnValueOnce("+11234567890");
      vi.mocked(normalize.isWhatsAppGroupJid).mockReturnValueOnce(false);

@@ -223,7 +223,7 @@ describe("resolveWhatsAppOutboundTarget", () => {
      );
    });

-    it("allows message in undefined mode", () => {
+    it("allows message in undefined mode when allowList is not set", () => {
      vi.mocked(normalize.normalizeWhatsAppTarget).mockReturnValueOnce("+11234567890");
      vi.mocked(normalize.isWhatsAppGroupJid).mockReturnValueOnce(false);

@@ -237,16 +237,29 @@ describe("resolveWhatsAppOutboundTarget", () => {
      );
    });

-    it("allows message in custom mode string", () => {
+    it("enforces allowList in custom mode string", () => {
      vi.mocked(normalize.normalizeWhatsAppTarget)
        .mockReturnValueOnce("+19876543210") // for allowFrom[0] (happens first!)
        .mockReturnValueOnce("+11234567890"); // for 'to' param (happens second)
      vi.mocked(normalize.isWhatsAppGroupJid).mockReturnValueOnce(false);

+      expectResolutionError({
+        to: "+11234567890",
+        allowFrom: ["+19876543210"],
+        mode: "broadcast",
+      });
+    });
+
+    it("allows message in custom mode string when target is in allowList", () => {
+      vi.mocked(normalize.normalizeWhatsAppTarget)
+        .mockReturnValueOnce("+11234567890") // for allowFrom[0]
+        .mockReturnValueOnce("+11234567890"); // for 'to' param
+      vi.mocked(normalize.isWhatsAppGroupJid).mockReturnValueOnce(false);
+
      expectResolutionOk(
        {
          to: "+11234567890",
-          allowFrom: ["+19876543210"],
+          allowFrom: ["+11234567890"],
          mode: "broadcast",
        },
        "+11234567890",
--- a/src/whatsapp/resolve-outbound-target.ts
+++ b/src/whatsapp/resolve-outbound-target.ts
@@ -31,19 +31,18 @@ export function resolveWhatsAppOutboundTarget(params: {
    if (isWhatsAppGroupJid(normalizedTo)) {
      return { ok: true, to: normalizedTo };
    }
-    if (params.mode === "implicit" || params.mode === "heartbeat") {
-      if (hasWildcard || allowList.length === 0) {
-        return { ok: true, to: normalizedTo };
-      }
-      if (allowList.includes(normalizedTo)) {
-        return { ok: true, to: normalizedTo };
-      }
-      return {
-        ok: false,
-        error: missingTargetError("WhatsApp", "<E.164|group JID>"),
-      };
+    // Enforce allowFrom for all direct-message send modes (including explicit).
+    // Group destinations are handled by group policy and are allowed above.
+    if (hasWildcard || allowList.length === 0) {
+      return { ok: true, to: normalizedTo };
    }
-    return { ok: true, to: normalizedTo };
+    if (allowList.includes(normalizedTo)) {
+      return { ok: true, to: normalizedTo };
+    }
+    return {
+      ok: false,
+      error: missingTargetError("WhatsApp", "<E.164|group JID>"),
+    };
  }

  return {