github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 14:14:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(telegram): fail closed on empty group allowFrom override

Browse Source
This commit is contained in:
Brian Mendonca
2026-02-24 18:30:21 -07:00
committed by Ayaan Zaidi
parent 81752564e9
commit 6bc7544a6a
3 changed files with 84 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/telegram/bot.create-telegram-bot.test.ts
View File

@@ -813,6 +813,29 @@ describe("createTelegramBot", () => {
}, },
expectedReplyCount: 1, expectedReplyCount: 1,
}, },
{
name: "blocks group messages when per-group allowFrom override is explicitly empty",
config: {
channels: {
telegram: {
groupPolicy: "open",
groups: {
"-100123456789": {
allowFrom: [],
requireMention: false,
},
},
},
},
},
message: {
chat: { id: -100123456789, type: "group", title: "Test Group" },
from: { id: 999999, username: "random" },
text: "hello",
date: 1736380800,
},
expectedReplyCount: 0,
},
{ {
name: "allows all group messages when groupPolicy is 'open'", name: "allows all group messages when groupPolicy is 'open'",
config: { config: {

56
src/telegram/group-access.base-access.test.ts Normal file
View File

@@ -0,0 +1,56 @@
import { describe, expect, it } from "vitest";
import type { NormalizedAllowFrom } from "./bot-access.js";
import { evaluateTelegramGroupBaseAccess } from "./group-access.js";
function allow(entries: string[], hasWildcard = false): NormalizedAllowFrom {
return {
entries,
hasWildcard,
hasEntries: entries.length > 0 || hasWildcard,
invalidEntries: [],
};
}
describe("evaluateTelegramGroupBaseAccess", () => {
it("fails closed when explicit group allowFrom override is empty", () => {
const result = evaluateTelegramGroupBaseAccess({
isGroup: true,
hasGroupAllowOverride: true,
effectiveGroupAllow: allow([]),
senderId: "12345",
senderUsername: "tester",
enforceAllowOverride: true,
requireSenderForAllowOverride: true,
});
expect(result).toEqual({ allowed: false, reason: "group-override-unauthorized" });
});
it("allows group message when override is not configured", () => {
const result = evaluateTelegramGroupBaseAccess({
isGroup: true,
hasGroupAllowOverride: false,
effectiveGroupAllow: allow([]),
senderId: "12345",
senderUsername: "tester",
enforceAllowOverride: true,
requireSenderForAllowOverride: true,
});
expect(result).toEqual({ allowed: true });
});
it("allows sender explicitly listed in override", () => {
const result = evaluateTelegramGroupBaseAccess({
isGroup: true,
hasGroupAllowOverride: true,
effectiveGroupAllow: allow(["12345"]),
senderId: "12345",
senderUsername: "tester",
enforceAllowOverride: true,
requireSenderForAllowOverride: true,
});
expect(result).toEqual({ allowed: true });
});
});

5
src/telegram/group-access.ts
View File

@@ -42,6 +42,11 @@ export const evaluateTelegramGroupBaseAccess = (params: {
return { allowed: true }; return { allowed: true };
} }
// Explicit per-group/topic allowFrom override must fail closed when empty.
if (!params.effectiveGroupAllow.hasEntries) {
return { allowed: false, reason: "group-override-unauthorized" };
}
const senderId = params.senderId ?? ""; const senderId = params.senderId ?? "";
if (params.requireSenderForAllowOverride && !senderId) { if (params.requireSenderForAllowOverride && !senderId) {
return { allowed: false, reason: "group-override-unauthorized" }; return { allowed: false, reason: "group-override-unauthorized" };