[security] fix(permissions): scope channel approval targets#2566
Merged
gavrielc merged 1 commit intoMay 22, 2026
Merged
Conversation
Filter channel registration target options to the approver's authorized agent groups and re-check target authorization before applying a pending approval. Add regression coverage for scoped admins attempting to connect channels to out-of-scope groups.
Collaborator
|
@Hinotoi-agent Thank you for the contribution!! |
tamasPetki
pushed a commit
to tamasPetki/nanoclaw
that referenced
this pull request
Jun 4, 2026
…val-target-authz [security] fix(permissions): scope channel approval targets
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR tightens the channel-registration approval flow so scoped admins can only connect unknown channels to agent groups they are authorized to administer.
Before this change, the pending channel approval row used one agent group as the approval context, but the follow-up selection and final
connect:<agentGroupId>response could point at a different target agent group. A scoped admin for the approval context could therefore attempt to register the unknown channel against an out-of-scope target group.This patch fixes both sides of the boundary:
Security issues covered
This PR covers one authorization issue:
Before this PR
connect:<agentGroupId>response checked that the clicker could approve the pending row, but did not also verify that the same clicker could administer the selected target group.After this PR
connect:<agentGroupId>if the approver is not authorized for that target group.Why this matters
Channel registration controls which external messaging channels can send into an agent group. Scoped admins are intentionally limited to the groups they administer. If the approval context and selected target group diverge, a scoped admin can cross that boundary and wire a channel into a group they should not control.
That can expose an out-of-scope agent group to messages from an unapproved channel and let a scoped administrator influence or observe behavior outside their delegated administrative scope.
Attack flow
A, but not agent groupB.Aas the approval context.connect:B.B.Bis not exposed in selectable options for that approver, and a forged or staleconnect:Bvalue is rejected before any wiring is created.Affected code
src/modules/permissions/channel-approval.tssrc/modules/permissions/index.tsconnect:<agentGroupId>target selectionsrc/modules/permissions/channel-approval.test.tsRoot cause
CVSS assessment
Issue: scoped admin channel registration target authorization bypass
CVSS v3.1: 6.4 Medium
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NRationale:
Safe reproduction steps
A safe local reproduction is included in the regression test:
ag-1andag-2.telegram:scoped-adminadmin rights only forag-1.telegram:scoped-admin.connect:ag-1but notconnect:ag-2.connect:ag-2response value.messaging_group_agentsrow is created and the pending approval remains pending.Expected vulnerable behavior
On vulnerable code, the final
connect:ag-2response can be accepted even though the approver only administersag-1. That creates messaging-channel wiring for an out-of-scope target group.Changes in this PR
connect:<targetAgentGroupId>.Files changed
src/modules/permissions/channel-approval.tshasAdminPrivilege(approverUserId, agentGroup.id)src/modules/permissions/index.tssrc/modules/permissions/channel-approval.test.tsMaintainer impact
This is intended to be a narrow authorization fix. It does not change the owner/global-admin flow, the pending approval schema, or the general unknown-channel registration behavior. It only scopes target selection to the approver's existing authorization and rejects target values that do not match that scope.
Fix rationale
The approval flow has two separate security decisions:
Both checks need to be enforced. Filtering options improves the normal UI path, while the response-handler check protects the server-side boundary against stale cards, hidden options, or direct callback/value submission.
Type of change
Test plan
Commands run locally:
Final validation passed after formatting the touched files. The focused channel-approval test file passed, and the full test suite passed locally.
Disclosure notes
This PR is intentionally bounded to the scoped-admin channel-registration target authorization path. It does not claim a broader bypass of all approval flows or all permission checks. The fix is submitted directly as a defensive code change with regression coverage.