Skip to content

fix(auto-reply): remove ctx.To from elevated authorization token set#11026

Closed
coygeek wants to merge 1 commit intoopenclaw:mainfrom
coygeek:fix/bl01-elevated-allowlist-bypass
Closed

fix(auto-reply): remove ctx.To from elevated authorization token set#11026
coygeek wants to merge 1 commit intoopenclaw:mainfrom
coygeek:fix/bl01-elevated-allowlist-bypass

Conversation

@coygeek
Copy link
Copy Markdown
Contributor

@coygeek coygeek commented Feb 7, 2026
edited
Loading

Fix Summary

Remove recipient identity (ctx.To) from the elevated allowlist check. In WhatsApp inbound DM flows, To is set to the bot's own number for every message, allowing any command-capable sender to bypass the elevated allowlist when the owner's number is in allowFrom.

Only sender-authenticated identities (SenderName, SenderUsername, SenderTag, SenderE164, From) should be used for authorization. Recipient fields are routing metadata, not authorization principals.

Issue Linkage

Fixes #11022

Security Snapshot

Metric Value
Score 9.9 / 10.0
Severity Critical
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Implementation Details

Files Changed

  • src/auto-reply/reply/reply-elevated.ts (+0/-2)

Technical Analysis

Remove recipient identity (ctx.To) from the elevated allowlist check. In WhatsApp inbound DM flows, To is set to the bot's own number for every message, allowing any command-capable sender to bypass the elevated allowlist when the owner's number is in allowFrom.

Validation Evidence

  • Command: pnpm build
  • Status: passed

Risk and Compatibility

non-breaking; compatibility impact was not explicitly documented in the original PR body.

AI-Assisted Disclosure

  • AI-assisted: yes
  • Model: Claude Code

Greptile Overview

Greptile Summary

  • Updates elevated-authorization allowlist matching to consider only sender-authenticated identities (e.g., From, Sender*) and no longer treat ctx.To as an authorization principal.
  • Prevents a WhatsApp inbound-DM bypass where To is always the bot’s own number, letting any command-capable sender pass elevated checks when the owner is listed in allowFrom.
  • Change is localized to src/auto-reply/reply/reply-elevated.ts and affects the token set used by isApprovedElevatedSender, leaving gating structure (enabled + allowFrom) intact.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk.
  • The change removes ctx.To from the elevated allowlist token set, which is a clear security-hardening fix and is narrowly scoped (2 lines removed) without altering control flow or config semantics. Review of the full file shows no remaining reliance on ctx.To for authorization decisions in this module.
  • No files require special attention

Context used:

  • Context from dashboard - CLAUDE.md (source)
  • Context from dashboard - AGENTS.md (source)

This was referenced Feb 7, 2026
Closed
Closed
@leszekszpunar
Copy link
Copy Markdown
Contributor

leszekszpunar commented Feb 7, 2026

Heads up: the lint failure (preserve-caught-error in extensions/memory-lancedb/index.ts) is a pre-existing issue on main, not caused by your changes. The fix is in #11061. Once it lands, rebase on main and re-push to get a clean CI run.

git fetch origin main && git rebase origin/main && git push --force-with-lease

@leszekszpunar
Copy link
Copy Markdown
Contributor

leszekszpunar commented Feb 7, 2026

Update: the lint failure has been resolved by #11093 (merged), which excluded extensions/ from oxlint scope. A rebase on main should give you a clean CI run.

git fetch origin main && git rebase origin/main && git push --force-with-lease

@LucasAIBuilder LucasAIBuilder mentioned this pull request Feb 11, 2026
Closed
13 tasks
@LucasAIBuilder
Copy link
Copy Markdown
Contributor

LucasAIBuilder commented Feb 19, 2026

Hey @coygeek — the fix here is correct and the issue is still present on main. CI just needs a rebase since #11093 landed — the lint failure isn't from your changes. Are you planning to rebase this? If not, happy to submit a fresh PR to get it moving.

@coygeek @claude
fix(auto-reply): remove ctx.To from elevated authorization token set
054487f 
Remove recipient identity (ctx.To) from the elevated allowlist check.
In WhatsApp inbound DM flows, To is set to the bot's own number for
every message, allowing any command-capable sender to bypass the
elevated allowlist when the owner's number is in allowFrom.

Only sender-authenticated identities (SenderName, SenderUsername,
SenderTag, SenderE164, From) should be used for authorization.
Recipient fields are routing metadata, not authorization principals.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@coygeek coygeek force-pushed the fix/bl01-elevated-allowlist-bypass branch from 4113bac to 054487f Compare February 19, 2026 19:49
@coygeek
Copy link
Copy Markdown
Contributor Author

coygeek commented Feb 22, 2026

Closing. Developer said about my issue:

Fixed by 02772b0.

What changed:

  • elevated allowlist matching now uses sender identities only.
  • recipient tokens (ctx.To and stripped ctx.To) were removed from the authorization token set.

Coverage:

  • src/auto-reply/reply/reply-elevated.test.ts

    • confirms sender-match still authorizes
    • confirms recipient-only match is denied

If you can still reproduce an elevation path via recipient identity on latest main, reopen with the exact inbound context fields (From, To, SenderId, SenderE164, provider).

@coygeek coygeek closed this Feb 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: /elevated allowlist can be bypassed by matching recipient (ctx.To) instead of sender

3 participants

@coygeek @leszekszpunar @LucasAIBuilder