github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 22:48:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): gate slash commands by sender

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-17 05:25:37 +00:00
parent c8b826ea8c
commit a624878973
14 changed files with 525 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/slack/monitor/slash.ts
View File

@@ -167,6 +167,7 @@ export function registerSlackMonitorSlashCommands(params: {
const isDirectMessage = channelType === "im";
const isGroupDm = channelType === "mpim";
const isRoom = channelType === "channel" || channelType === "group";
const isRoomish = isRoom || isGroupDm;
if (
!ctx.isChannelAllowed({
@@ -270,14 +271,16 @@ export function registerSlackMonitorSlashCommands(params: {
const sender = await ctx.resolveUserName(command.user_id);
const senderName = sender?.name ?? command.user_name ?? command.user_id;
const channelUserAllowed = isRoom
const channelUsersAllowlistConfigured =
isRoom && Array.isArray(channelConfig?.users) && channelConfig.users.length > 0;
const channelUserAllowed = channelUsersAllowlistConfigured
? resolveSlackUserAllowed({
allowList: channelConfig?.users,
userId: command.user_id,
userName: senderName,
})
: true;
if (isRoom && !channelUserAllowed) {
: false;
if (channelUsersAllowlistConfigured && !channelUserAllowed) {
await respond({
text: "You are not authorized to use this command here.",
response_type: "ephemeral",
@@ -285,6 +288,22 @@ export function registerSlackMonitorSlashCommands(params: {
return;
}
const ownerAllowed = allowListMatches({
allowList: effectiveAllowFromLower,
id: command.user_id,
name: senderName,
});
if (isRoomish && ctx.useAccessGroups && !(ownerAllowed || channelUserAllowed)) {
await respond({
text: "You are not authorized to use this command.",
response_type: "ephemeral",
});
return;
}
if (isRoomish) {
commandAuthorized = ctx.useAccessGroups ? ownerAllowed || channelUserAllowed : true;
}
if (commandDefinition && supportsInteractiveArgMenus) {
const menu = resolveCommandArgMenu({
command: commandDefinition,
@@ -313,7 +332,6 @@ export function registerSlackMonitorSlashCommands(params: {
const channelName = channelInfo?.name;
const roomLabel = channelName ? `#${channelName}` : `#${command.channel_id}`;
const isRoomish = isRoom || isGroupDm;
const route = resolveAgentRoute({
cfg,
channel: "slack",