github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 00:08:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): gate slash/control commands

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-17 06:49:17 +00:00
parent 7ed55682b7
commit 6a3ed5c850
22 changed files with 758 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/channels/plugins/slack.ts
View File

@@ -13,7 +13,6 @@ import { probeSlack } from "../../slack/probe.js";
import { sendMessageSlack } from "../../slack/send.js";
import { getChatChannelMeta } from "../registry.js";
import { SlackConfigSchema } from "../../config/zod-schema.providers-core.js";
import { resolveNativeCommandsEnabled } from "../../config/commands.js";
import { buildChannelConfigSchema } from "./config-schema.js";
import {
deleteAccountFromConfigSection,
@@ -135,13 +134,11 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
normalizeEntry: (raw) => raw.replace(/^(slack|user):/i, ""),
};
},
collectWarnings: ({ cfg, account }) => {
collectWarnings: ({ account }) => {
const warnings: string[] = [];
const groupPolicy = account.config.groupPolicy ?? "allowlist";
const channelAllowlistConfigured =
Boolean(account.config.channels) && Object.keys(account.config.channels ?? {}).length > 0;
const roomAccessPossible =
groupPolicy === "open" || (groupPolicy === "allowlist" && channelAllowlistConfigured);
if (groupPolicy === "open") {
if (channelAllowlistConfigured) {
@@ -155,30 +152,6 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
}
}
const nativeEnabled = resolveNativeCommandsEnabled({
providerId: "slack",
providerSetting: account.config.commands?.native,
globalSetting: cfg.commands?.native,
});
const slashCommandEnabled = nativeEnabled || account.config.slashCommand?.enabled === true;
if (slashCommandEnabled && roomAccessPossible) {
const hasAnyUserAllowlist = Object.values(account.config.channels ?? {}).some(
(channel) => Array.isArray(channel.users) && channel.users.length > 0,
);
if (!hasAnyUserAllowlist) {
warnings.push(
`- Slack slash commands: no channel users allowlist configured; this allows any user in allowed channels to invoke /… commands (including skill commands). Set channels.slack.channels.<id>.users.`,
);
}
}
if (slashCommandEnabled && cfg.commands?.useAccessGroups === false) {
warnings.push(
`- Slack slash commands: commands.useAccessGroups=false disables channel allowlist gating; this allows any channel to invoke /… commands (including skill commands). Set commands.useAccessGroups=true and configure channels.slack.groupPolicy/channels.`,
);
}
return warnings;
},
},