Skip to content

fix(chat): require per-channel sender allowlist for inbound commands#309

Open
jtalborough wants to merge 1 commit into
xintaofei:mainfrom
jtalborough:security/chat-sender-allowlist
Open

fix(chat): require per-channel sender allowlist for inbound commands#309
jtalborough wants to merge 1 commit into
xintaofei:mainfrom
jtalborough:security/chat-sender-allowlist

Conversation

@jtalborough

Copy link
Copy Markdown

Summary

Adds a fail-closed, per-channel sender allowlist so only authorized senders can drive agents through chat channels (Telegram / Lark / WeChat).

Why (security)

dispatch_command currently routes purely on the command verb — the inbound sender_id is logged and used for per-sender context, but it is never authorized. The chat commands it routes to are not read-only: /task spawns and drives an agent with the host's full tool access, and /approve always enables auto-approval that removes the human-in-the-loop for subsequent tool calls.

The practical consequence: anyone who can message the bot (e.g. anyone who finds a Telegram bot's handle, or is in a group it's added to) can run arbitrary tasks → effectively unauthenticated remote code execution on the host, especially for an always-on / internet-reachable deployment. chat_id only scopes outbound messages; inbound getUpdates delivers from any chat.

What this does

  • A fail-closed authorization gate at the top of dispatch_command (one place → covers all backends). Only sender ids listed in the channel's config_json.allowed_senders may drive the bot.
  • Empty/unset allowlist authorizes no one. A blocked sender is replied with their own sender id so the operator can add it from the channel settings.
  • chat_channel/authz.rs — pure is_sender_allowed() with unit tests.
  • Unauthorized reply is localized (all 10 languages).
  • "Allowed Sender IDs" field added to the add/edit channel dialogs.

Validation

cargo test/cargo clippy -D warnings (server mode) and eslint pass.

Notes

  • The new dialog field labels are English-only for now — happy to wire them through i18n/messages/* if you'd prefer that before merge.
  • Discovered while hardening a self-hosted deployment; reporting with the fix attached rather than as a bare issue. Glad to coordinate on disclosure/versioning however you prefer.

🤖 Generated with Claude Code

)

* fix(chat): require per-channel sender allowlist for inbound commands

Chat-channel commands (/task, /folder, /approve, …) spawn and drive agents
with the host's full privileges, but the dispatcher routed purely on the
command verb — sender_id was logged and used for context yet never authorized.
Any user who could message the bot could run arbitrary tasks (RCE) and
/approve always disabled the human-in-the-loop. This is acute for an always-on
server reachable via Telegram.

Add a fail-closed authorization gate at the top of dispatch_command (covers
Telegram, Lark, and WeChat in one place): only sender ids listed in the
channel's config_json `allowed_senders` may drive the bot. An empty/unset list
authorizes no one; a blocked sender is told their own id so the operator can
add it. Surfaced in the add/edit channel dialogs as an "Allowed Sender IDs"
field.

- chat_channel/authz.rs: pure is_sender_allowed() + unit tests
- command_dispatcher.rs: gate before any command, incl. follow-ups
- i18n.rs: unauthorized reply (10 languages)
- add/edit-chat-channel-dialog.tsx: allowlist management UI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(chat): annotate allowedSenders types for strict tsc

`pnpm build` (strict tsc) flagged the `.map((s) => …)` callback as implicit
`any`: in the edit dialog `config` comes from `JSON.parse` (any), so the
`allowedSenders` state inferred `any`. Type the state as `string` and annotate
the map parameter. eslint doesn't run the type-checker so it passed locally;
validated now with `pnpm build` + `pnpm test` (1747 passing).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@xintaofei

Copy link
Copy Markdown
Owner

First off — thank you for this. 🙏 Reporting a real authorization gap with the fix attached (plus unit tests and fully localized replies) is exactly the kind of contribution we love to get. The design is solid: fail-closed by default, a single gate in dispatch_command that covers all three backends at once, authentic per-platform sender IDs, and config read fresh from the DB so allowlist edits take effect without a restart. Really nice work.

I went through it carefully (and had a second reviewer double-check the security-sensitive parts). Here's where it stands — a few things to sort out before we merge, mostly because main has moved since you opened this.

1. Rebase needed — and it's security-relevant, not just textual

command_dispatcher.rs got a sizable rewrite on main (interactive button callbacks, forum-topic follow-ups), so GitHub shows conflicts. The part that matters: dispatch_command now starts with

if let Some(data) = callback_data {
    return DispatchResponse::current(handle_callback(...), target);
}

Your gate is anchored just before the // Strip prefix comment, which now sits below that callback branch. Rebased mechanically, interactive folder/agent picker callbacks would slip past the gate. Could you move the authorization check to the very top of dispatch_command, above the callback_data branch, so the one gate dominates everything?

Severity here is genuinely low — handle_callback only does cfg:folder: / cfg:agent: selection, so the /task and /approve RCE vectors stay protected either way — but it's cleanest to close it while rebasing. One more thing to carry through: the Telegram config now also has a topic_mode field, so the dialog's config rebuild should preserve that too.

2. One functional gap worth fixing before this ships for WeChat

The WeChat QR flow (weixin_check_qrcode_core in src-tauri/src/commands/chat_channel.rs) rewrites the whole config_json to { "base_url": ... } on every confirmation. That was harmless before, but now it wipes allowed_senders — so after a WeChat QR (re)auth the allowlist is empty and the channel, correctly and fail-closed, denies everyone, including the operator. Since the UI reconnects right after QR success and disables editing while connected, it's a little painful to recover from (disconnect → edit → reconnect, and it recurs on the next re-auth).

Could the QR path merge base_url into the existing config instead of replacing it, and keep allowed_senders? A small regression test around re-auth would be lovely. (Telegram and Lark aren't affected by this one.)

Non-blocking — take or leave

  • The two new dialog labels are English-only. Totally fine as a follow-up to wire through i18n/messages/* — you'd already offered, no need to block on it. 😄
  • Lark falls back to the sentinel "unknown" when open_id is absent. Denied by default, so it's just a minor footgun if anyone ever allowlists that literal string; dropping identity-less events would be marginally safer.

None of this takes away from the core, which is exactly the protection we want. Happy to help with the rebase or the WeChat config-merge fix if that's easier on your end — just say the word. Thanks again for flagging this and for doing it so thoroughly. 🙌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants