github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-07 20:21:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Security: owner-only tools + command auth hardening (#9202)

Browse Source 
* Security: gate whatsapp_login by sender auth

* Security: treat undefined senderAuthorized as unauthorized (opt-in)

* fix: gate whatsapp_login to owner senders (#8768) (thanks @victormier)

* fix: add explicit owner allowlist for tools (#8768) (thanks @victormier)

* fix: normalize escaped newlines in send actions (#8768) (thanks @victormier)

---------

Co-authored-by: Victor Mier <victormier@gmail.com>
This commit is contained in:
Gustavo Madeira Santana
2026-02-04 19:49:36 -05:00
committed by GitHub
parent 0cd47d830f
commit 392bbddf29
21 changed files with 202 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/auto-reply/reply/commands-compact.ts
View File

@@ -92,6 +92,7 @@ export const handleCompactCommand: CommandHandler = async (params) => {
defaultLevel: "off",
},
customInstructions,
senderIsOwner: params.command.senderIsOwner,
ownerNumbers: params.command.ownerList.length > 0 ? params.command.ownerList : undefined,
});

1
src/auto-reply/reply/commands-context-report.ts
View File

@@ -92,6 +92,7 @@ async function resolveContextReport(
groupChannel: params.sessionEntry?.groupChannel ?? undefined,
groupSpace: params.sessionEntry?.space ?? undefined,
spawnedBy: params.sessionEntry?.spawnedBy ?? undefined,
senderIsOwner: params.command.senderIsOwner,
modelProvider: params.provider,
modelId: params.model,
});

1
src/auto-reply/reply/commands-context.ts
View File

@@ -33,6 +33,7 @@ export function buildCommandContext(params: {
channel,
channelId: auth.providerId,
ownerList: auth.ownerList,
senderIsOwner: auth.senderIsOwner,
isAuthorizedSender: auth.isAuthorizedSender,
senderId: auth.senderId,
abortKey,

1
src/auto-reply/reply/commands-types.ts
View File

@@ -12,6 +12,7 @@ export type CommandContext = {
channel: string;
channelId?: ChannelId;
ownerList: string[];
senderIsOwner: boolean;
isAuthorizedSender: boolean;
senderId?: string;
abortKey?: string;

1
src/auto-reply/reply/get-reply-run.ts
View File

@@ -378,6 +378,7 @@ export async function runPreparedReply(
senderName: sessionCtx.SenderName?.trim() || undefined,
senderUsername: sessionCtx.SenderUsername?.trim() || undefined,
senderE164: sessionCtx.SenderE164?.trim() || undefined,
senderIsOwner: command.senderIsOwner,
sessionFile,
workspaceDir,
config: cfg,