Security: owner-only tools + command auth hardening (#9202)

gumadeiras · victormier · web-flow · commit 392bbddf29c7 · 2026-02-04T19:49:36.000-05:00
* Security: gate whatsapp_login by sender auth * Security: treat undefined senderAuthorized as unauthorized (opt-in) * fix: gate whatsapp_login to owner senders (#8768) (thanks @victormier) * fix: add explicit owner allowlist for tools (#8768) (thanks @victormier) * fix: normalize escaped newlines in send actions (#8768) (thanks @victormier) --------- Co-authored-by: Victor Mier <victormier@gmail.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -31,6 +31,8 @@ Docs: https://docs.openclaw.ai
 - Web UI: apply button styling to the new-messages indicator.
 - Security: keep untrusted channel metadata out of system prompts (Slack/Discord). Thanks @KonstantinMirin.
 - Security: enforce sandboxed media paths for message tool attachments. (#9182) Thanks @victormier.
+- Security: require explicit credentials for gateway URL overrides to prevent credential leakage. (#8113) Thanks @victormier.
+- Security: gate `whatsapp_login` tool to owner senders and default-deny non-owner contexts. (#8768) Thanks @victormier.
 - Voice call: harden webhook verification with host allowlists/proxy trust and keep ngrok loopback bypass.
 - Voice call: add regression coverage for anonymous inbound caller IDs with allowlist policy. (#8104) Thanks @victormier.
 - Cron: accept epoch timestamps and 0ms durations in CLI `--at` parsing.
diff --git a/src/agents/pi-embedded-runner/compact.ts b/src/agents/pi-embedded-runner/compact.ts
@@ -88,6 +88,8 @@ export type CompactEmbeddedPiSessionParams = {
   groupSpace?: string | null;
   /** Parent session key for subagent policy inheritance. */
   spawnedBy?: string | null;
+  /** Whether the sender is an owner (required for owner-only tools). */
+  senderIsOwner?: boolean;
   sessionFile: string;
   workspaceDir: string;
   agentDir?: string;
@@ -227,6 +229,7 @@ export async function compactEmbeddedPiSessionDirect(
       groupChannel: params.groupChannel,
       groupSpace: params.groupSpace,
       spawnedBy: params.spawnedBy,
+      senderIsOwner: params.senderIsOwner,
       agentDir,
       workspaceDir: effectiveWorkspace,
       config: params.config,
diff --git a/src/agents/pi-embedded-runner/run.ts b/src/agents/pi-embedded-runner/run.ts
@@ -324,6 +324,7 @@ export async function runEmbeddedPiAgent(
             groupChannel: params.groupChannel,
             groupSpace: params.groupSpace,
             spawnedBy: params.spawnedBy,
+            senderIsOwner: params.senderIsOwner,
             currentChannelId: params.currentChannelId,
             currentThreadTs: params.currentThreadTs,
             replyToMode: params.replyToMode,
@@ -391,6 +392,7 @@ export async function runEmbeddedPiAgent(
                   agentDir,
                   config: params.config,
                   skillsSnapshot: params.skillsSnapshot,
+                  senderIsOwner: params.senderIsOwner,
                   provider,
                   model: modelId,
                   thinkLevel,
diff --git a/src/agents/pi-embedded-runner/run/attempt.ts b/src/agents/pi-embedded-runner/run/attempt.ts
@@ -225,6 +225,7 @@ export async function runEmbeddedAttempt(
           senderName: params.senderName,
           senderUsername: params.senderUsername,
           senderE164: params.senderE164,
+          senderIsOwner: params.senderIsOwner,
           sessionKey: params.sessionKey ?? params.sessionId,
           agentDir,
           workspaceDir: effectiveWorkspace,
diff --git a/src/agents/pi-embedded-runner/run/params.ts b/src/agents/pi-embedded-runner/run/params.ts
@@ -39,6 +39,8 @@ export type RunEmbeddedPiAgentParams = {
   senderName?: string | null;
   senderUsername?: string | null;
   senderE164?: string | null;
+  /** Whether the sender is an owner (required for owner-only tools). */
+  senderIsOwner?: boolean;
   /** Current channel ID for auto-threading (Slack). */
   currentChannelId?: string;
   /** Current thread timestamp for auto-threading (Slack). */
diff --git a/src/agents/pi-embedded-runner/run/types.ts b/src/agents/pi-embedded-runner/run/types.ts
@@ -31,6 +31,8 @@ export type EmbeddedRunAttemptParams = {
   senderName?: string | null;
   senderUsername?: string | null;
   senderE164?: string | null;
+  /** Whether the sender is an owner (required for owner-only tools). */
+  senderIsOwner?: boolean;
   currentChannelId?: string;
   currentThreadTs?: string;
   replyToMode?: "off" | "first" | "all";
diff --git a/src/agents/pi-tools.ts b/src/agents/pi-tools.ts
@@ -44,6 +44,7 @@ import {
 } from "./pi-tools.read.js";
 import { cleanToolSchemaForGemini, normalizeToolParameters } from "./pi-tools.schema.js";
 import {
+  applyOwnerOnlyToolPolicy,
   buildPluginToolGroups,
   collectExplicitAllowlist,
   expandPolicyWithPluginGroups,
@@ -161,6 +162,8 @@ export function createOpenClawCodingTools(options?: {
   requireExplicitMessageTarget?: boolean;
   /** If true, omit the message tool from the tool list. */
   disableMessageTool?: boolean;
+  /** Whether the sender is an owner (required for owner-only tools). */
+  senderIsOwner?: boolean;
 }): AnyAgentTool[] {
   const execToolName = "exec";
   const sandbox = options?.sandbox?.enabled ? options.sandbox : undefined;
@@ -357,14 +360,17 @@ export function createOpenClawCodingTools(options?: {
       requesterAgentIdOverride: agentId,
     }),
   ];
+  // Security: treat unknown/undefined as unauthorized (opt-in, not opt-out)
+  const senderIsOwner = options?.senderIsOwner === true;
+  const toolsByAuthorization = applyOwnerOnlyToolPolicy(tools, senderIsOwner);
   const coreToolNames = new Set(
-    tools
+    toolsByAuthorization
       .filter((tool) => !getPluginToolMeta(tool))
       .map((tool) => normalizeToolName(tool.name))
       .filter(Boolean),
   );
   const pluginGroups = buildPluginToolGroups({
-    tools,
+    tools: toolsByAuthorization,
     toolMeta: (tool) => getPluginToolMeta(tool),
   });
   const resolvePolicy = (policy: typeof profilePolicy, label: string) => {
@@ -401,8 +407,8 @@ export function createOpenClawCodingTools(options?: {
   const subagentPolicyExpanded = expandPolicyWithPluginGroups(subagentPolicy, pluginGroups);
 
   const toolsFiltered = profilePolicyExpanded
-    ? filterToolsByPolicy(tools, profilePolicyExpanded)
-    : tools;
+    ? filterToolsByPolicy(toolsByAuthorization, profilePolicyExpanded)
+    : toolsByAuthorization;
   const providerProfileFiltered = providerProfileExpanded
     ? filterToolsByPolicy(toolsFiltered, providerProfileExpanded)
     : toolsFiltered;
diff --git a/src/agents/pi-tools.whatsapp-login-gating.test.ts b/src/agents/pi-tools.whatsapp-login-gating.test.ts
@@ -0,0 +1,35 @@
+import { describe, expect, it, vi } from "vitest";
+import "./test-helpers/fast-coding-tools.js";
+import { createOpenClawCodingTools } from "./pi-tools.js";
+
+vi.mock("./channel-tools.js", () => {
+  const stubTool = (name: string) => ({
+    name,
+    description: `${name} stub`,
+    parameters: { type: "object", properties: {} },
+    execute: vi.fn(),
+  });
+  return {
+    listChannelAgentTools: () => [stubTool("whatsapp_login")],
+  };
+});
+
+describe("whatsapp_login tool gating", () => {
+  it("removes whatsapp_login for unauthorized senders", () => {
+    const tools = createOpenClawCodingTools({ senderIsOwner: false });
+    const toolNames = tools.map((tool) => tool.name);
+    expect(toolNames).not.toContain("whatsapp_login");
+  });
+
+  it("keeps whatsapp_login for authorized senders", () => {
+    const tools = createOpenClawCodingTools({ senderIsOwner: true });
+    const toolNames = tools.map((tool) => tool.name);
+    expect(toolNames).toContain("whatsapp_login");
+  });
+
+  it("defaults to removing whatsapp_login when owner status is unknown", () => {
+    const tools = createOpenClawCodingTools();
+    const toolNames = tools.map((tool) => tool.name);
+    expect(toolNames).not.toContain("whatsapp_login");
+  });
+});
diff --git a/src/agents/tool-policy.ts b/src/agents/tool-policy.ts
@@ -1,3 +1,5 @@
+import type { AnyAgentTool } from "./tools/common.js";
+
 export type ToolProfileId = "minimal" | "coding" | "messaging" | "full";
 
 type ToolProfilePolicy = {
@@ -56,6 +58,8 @@ export const TOOL_GROUPS: Record<string, string[]> = {
   ],
 };
 
+const OWNER_ONLY_TOOL_NAMES = new Set<string>(["whatsapp_login"]);
+
 const TOOL_PROFILES: Record<ToolProfileId, ToolProfilePolicy> = {
   minimal: {
     allow: ["session_status"],
@@ -80,6 +84,31 @@ export function normalizeToolName(name: string) {
   return TOOL_NAME_ALIASES[normalized] ?? normalized;
 }
 
+export function isOwnerOnlyToolName(name: string) {
+  return OWNER_ONLY_TOOL_NAMES.has(normalizeToolName(name));
+}
+
+export function applyOwnerOnlyToolPolicy(tools: AnyAgentTool[], senderIsOwner: boolean) {
+  const withGuard = tools.map((tool) => {
+    if (!isOwnerOnlyToolName(tool.name)) {
+      return tool;
+    }
+    if (senderIsOwner || !tool.execute) {
+      return tool;
+    }
+    return {
+      ...tool,
+      execute: async () => {
+        throw new Error("Tool restricted to owner senders.");
+      },
+    };
+  });
+  if (senderIsOwner) {
+    return withGuard;
+  }
+  return withGuard.filter((tool) => !isOwnerOnlyToolName(tool.name));
+}
+
 export function normalizeToolList(list?: string[]) {
   if (!list) {
     return [];
diff --git a/src/auto-reply/command-auth.ts b/src/auto-reply/command-auth.ts
@@ -9,6 +9,7 @@ export type CommandAuthorization = {
   providerId?: ChannelId;
   ownerList: string[];
   senderId?: string;
+  senderIsOwner: boolean;
   isAuthorizedSender: boolean;
   from?: string;
   to?: string;
@@ -83,6 +84,47 @@ function normalizeAllowFromEntry(params: {
   return normalized.filter((entry) => entry.trim().length > 0);
 }
 
+function resolveOwnerAllowFromList(params: {
+  dock?: ChannelDock;
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+  providerId?: ChannelId;
+}): string[] {
+  const raw = params.cfg.commands?.ownerAllowFrom;
+  if (!Array.isArray(raw) || raw.length === 0) {
+    return [];
+  }
+  const filtered: string[] = [];
+  for (const entry of raw) {
+    const trimmed = String(entry ?? "").trim();
+    if (!trimmed) {
+      continue;
+    }
+    const separatorIndex = trimmed.indexOf(":");
+    if (separatorIndex > 0) {
+      const prefix = trimmed.slice(0, separatorIndex);
+      const channel = normalizeAnyChannelId(prefix);
+      if (channel) {
+        if (params.providerId && channel !== params.providerId) {
+          continue;
+        }
+        const remainder = trimmed.slice(separatorIndex + 1).trim();
+        if (remainder) {
+          filtered.push(remainder);
+        }
+        continue;
+      }
+    }
+    filtered.push(trimmed);
+  }
+  return formatAllowFromList({
+    dock: params.dock,
+    cfg: params.cfg,
+    accountId: params.accountId,
+    allowFrom: filtered,
+  });
+}
+
 function resolveSenderCandidates(params: {
   dock?: ChannelDock;
   providerId?: ChannelId;
@@ -141,22 +183,31 @@ export function resolveCommandAuthorization(params: {
     accountId: ctx.AccountId,
     allowFrom: Array.isArray(allowFromRaw) ? allowFromRaw : [],
   });
+  const ownerAllowFromList = resolveOwnerAllowFromList({
+    dock,
+    cfg,
+    accountId: ctx.AccountId,
+    providerId,
+  });
   const allowAll =
     allowFromList.length === 0 || allowFromList.some((entry) => entry.trim() === "*");
 
-  const ownerCandidates = allowAll ? [] : allowFromList.filter((entry) => entry !== "*");
-  if (!allowAll && ownerCandidates.length === 0 && to) {
+  const ownerCandidatesForCommands = allowAll ? [] : allowFromList.filter((entry) => entry !== "*");
+  if (!allowAll && ownerCandidatesForCommands.length === 0 && to) {
     const normalizedTo = normalizeAllowFromEntry({
       dock,
       cfg,
       accountId: ctx.AccountId,
       value: to,
     });
     if (normalizedTo.length > 0) {
-      ownerCandidates.push(...normalizedTo);
+      ownerCandidatesForCommands.push(...normalizedTo);
     }
   }
-  const ownerList = Array.from(new Set(ownerCandidates));
+  const explicitOwners = ownerAllowFromList.filter((entry) => entry !== "*");
+  const ownerList = Array.from(
+    new Set(explicitOwners.length > 0 ? explicitOwners : ownerCandidatesForCommands),
+  );
 
   const senderCandidates = resolveSenderCandidates({
     dock,
@@ -170,16 +221,25 @@ export function resolveCommandAuthorization(params: {
   const matchedSender = ownerList.length
     ? senderCandidates.find((candidate) => ownerList.includes(candidate))
     : undefined;
+  const matchedCommandOwner = ownerCandidatesForCommands.length
+    ? senderCandidates.find((candidate) => ownerCandidatesForCommands.includes(candidate))
+    : undefined;
   const senderId = matchedSender ?? senderCandidates[0];
 
   const enforceOwner = Boolean(dock?.commands?.enforceOwnerForCommands);
-  const isOwner = !enforceOwner || allowAll || ownerList.length === 0 || Boolean(matchedSender);
-  const isAuthorizedSender = commandAuthorized && isOwner;
+  const senderIsOwner = Boolean(matchedSender);
+  const isOwnerForCommands =
+    !enforceOwner ||
+    allowAll ||
+    ownerCandidatesForCommands.length === 0 ||
+    Boolean(matchedCommandOwner);
+  const isAuthorizedSender = commandAuthorized && isOwnerForCommands;
 
   return {
     providerId,
     ownerList,
     senderId: senderId || undefined,
+    senderIsOwner,
     isAuthorizedSender,
     from: from || undefined,
     to: to || undefined,
diff --git a/src/auto-reply/command-control.test.ts b/src/auto-reply/command-control.test.ts
@@ -132,6 +132,41 @@ describe("resolveCommandAuthorization", () => {
     expect(auth.senderId).toBe("+41796666864");
     expect(auth.isAuthorizedSender).toBe(true);
   });
+
+  it("uses explicit owner allowlist when allowFrom is wildcard", () => {
+    const cfg = {
+      commands: { ownerAllowFrom: ["whatsapp:+15551234567"] },
+      channels: { whatsapp: { allowFrom: ["*"] } },
+    } as OpenClawConfig;
+
+    const ownerCtx = {
+      Provider: "whatsapp",
+      Surface: "whatsapp",
+      From: "whatsapp:+15551234567",
+      SenderE164: "+15551234567",
+    } as MsgContext;
+    const ownerAuth = resolveCommandAuthorization({
+      ctx: ownerCtx,
+      cfg,
+      commandAuthorized: true,
+    });
+    expect(ownerAuth.senderIsOwner).toBe(true);
+    expect(ownerAuth.isAuthorizedSender).toBe(true);
+
+    const otherCtx = {
+      Provider: "whatsapp",
+      Surface: "whatsapp",
+      From: "whatsapp:+19995551234",
+      SenderE164: "+19995551234",
+    } as MsgContext;
+    const otherAuth = resolveCommandAuthorization({
+      ctx: otherCtx,
+      cfg,
+      commandAuthorized: true,
+    });
+    expect(otherAuth.senderIsOwner).toBe(false);
+    expect(otherAuth.isAuthorizedSender).toBe(true);
+  });
 });
 
 describe("control command parsing", () => {
diff --git a/src/auto-reply/reply/commands-compact.ts b/src/auto-reply/reply/commands-compact.ts
@@ -92,6 +92,7 @@ export const handleCompactCommand: CommandHandler = async (params) => {
       defaultLevel: "off",
     },
     customInstructions,
+    senderIsOwner: params.command.senderIsOwner,
     ownerNumbers: params.command.ownerList.length > 0 ? params.command.ownerList : undefined,
   });
 
diff --git a/src/auto-reply/reply/commands-context-report.ts b/src/auto-reply/reply/commands-context-report.ts
@@ -92,6 +92,7 @@ async function resolveContextReport(
         groupChannel: params.sessionEntry?.groupChannel ?? undefined,
         groupSpace: params.sessionEntry?.space ?? undefined,
         spawnedBy: params.sessionEntry?.spawnedBy ?? undefined,
+        senderIsOwner: params.command.senderIsOwner,
         modelProvider: params.provider,
         modelId: params.model,
       });
diff --git a/src/auto-reply/reply/commands-context.ts b/src/auto-reply/reply/commands-context.ts
@@ -33,6 +33,7 @@ export function buildCommandContext(params: {
     channel,
     channelId: auth.providerId,
     ownerList: auth.ownerList,
+    senderIsOwner: auth.senderIsOwner,
     isAuthorizedSender: auth.isAuthorizedSender,
     senderId: auth.senderId,
     abortKey,
diff --git a/src/auto-reply/reply/commands-types.ts b/src/auto-reply/reply/commands-types.ts
@@ -12,6 +12,7 @@ export type CommandContext = {
   channel: string;
   channelId?: ChannelId;
   ownerList: string[];
+  senderIsOwner: boolean;
   isAuthorizedSender: boolean;
   senderId?: string;
   abortKey?: string;
diff --git a/src/auto-reply/reply/get-reply-run.ts b/src/auto-reply/reply/get-reply-run.ts
diff --git a/src/commands/agent.ts b/src/commands/agent.ts
diff --git a/src/config/schema.ts b/src/config/schema.ts
diff --git a/src/config/types.messages.ts b/src/config/types.messages.ts
diff --git a/src/config/zod-schema.session.ts b/src/config/zod-schema.session.ts
diff --git a/src/infra/outbound/message-action-runner.ts b/src/infra/outbound/message-action-runner.ts
