fix(telegram): warn when setup leaves dmPolicy as pairing without allowFrom#50710
Conversation
openclaw-barnacle
bot
added
channel: telegram
Greptile SummaryThis PR adds a security-awareness
Confidence Score: 4/5
Prompt To Fix All With AIThis is a comment left during a code review.
Path: extensions/telegram/src/setup-surface.ts
Line: 115
Comment:
**"default" wording inaccurate for explicitly-set policy**
The `shouldShow` guard fires whenever `dmPolicy === "pairing"` — which includes users who *explicitly* selected `pairing` during setup. Telling those users they're on the *default* policy is factually misleading. Consider dropping the word "default" or branching on whether the value was explicitly set:
```suggestion
"Your bot is using DM policy: pairing.",
```
How can I resolve this? If you propose a fix, please make it concise.Last reviewed commit: "fix(telegram): warn ..." |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| completionNote: { | ||
| title: "Telegram DM access warning", | ||
| lines: [ | ||
| "Your bot is using the default DM policy (pairing).", |
There was a problem hiding this comment.
The shouldShow guard fires whenever dmPolicy === "pairing" — which includes users who explicitly selected pairing during setup. Telling those users they're on the default policy is factually misleading. Consider dropping the word "default" or branching on whether the value was explicitly set:
| "Your bot is using the default DM policy (pairing).", | |
| "Your bot is using DM policy: pairing.", |
Prompt To Fix With AI
This is a comment left during a code review.
Path: extensions/telegram/src/setup-surface.ts
Line: 115
Comment:
**"default" wording inaccurate for explicitly-set policy**
The `shouldShow` guard fires whenever `dmPolicy === "pairing"` — which includes users who *explicitly* selected `pairing` during setup. Telling those users they're on the *default* policy is factually misleading. Consider dropping the word "default" or branching on whether the value was explicitly set:
```suggestion
"Your bot is using DM policy: pairing.",
```
How can I resolve this? If you propose a fix, please make it concise.![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 62c8e6a440
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| ` ${formatCliCommand('openclaw config set channels.telegram.dmPolicy "allowlist"')}`, | ||
| ` ${formatCliCommand('openclaw config set channels.telegram.allowFrom "[YOUR_USER_ID]"')}`, |
There was a problem hiding this comment.
This note runs after the setup wizard has already resolved the concrete accountId being configured (src/channels/plugins/setup-wizard.ts:429-447,851-861), but both commands here always target the top-level channels.telegram.* keys. In multi-account Telegram setups those top-level values are inherited by every account (extensions/telegram/src/accounts.ts:116-142), so a user configuring channels.telegram.accounts.work who follows this warning will unintentionally change DM policy and allowlist defaults for all Telegram bots, not just the account they just set up.
Useful? React with 👍 / 👎.
CI Failures NoteThe failing checks are unrelated to this PR's changes. All failures are in \�xtensions/matrix/src/matrix/sdk.test.ts\ (Matrix crypto extension), specifically an \ENOENT\ error for a missing fixture file (\crypto-idb-snapshot.json). This is a pre-existing issue in the test suite that affects the Matrix extension, not the Telegram extension. The Telegram-specific check (\�xtension-fast (telegram)) passed ✅, as did all other relevant checks (\check, \�uild-smoke, \checks (node, channels), \�xtension-src-outside-plugin-sdk-boundary, etc.). Happy to rebase on a newer main if that helps, but the failures appear to be infrastructure/pre-existing rather than caused by this change. |
CI failures noteThe failing jobs (\pnpm test:extensions, \pnpm test\ shards) are all in \�xtensions/matrix/src/matrix/sdk.test.ts\ — Matrix SDK crypto/IndexedDB tests that fail with \ENOENT: no such file or directory\ on the CI runner's temp path. This PR only touches \�xtensions/telegram/src/setup-surface.ts\ (one file, no matrix dependency). The telegram-specific job (\�xtension-fast (telegram)) passes. Happy to rebase if main has a fix for the matrix flakiness, but the failures appear pre-existing and unrelated to this change. |
obviyus
force-pushed
the
fix/telegram-pairing-security-warning
branch
from
82da190 to
af400f1
Compare
|
Landed on main. Thanks @ernestodeoliveira. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: af400f1256
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "Any Telegram user who discovers the bot can send pairing requests.", | ||
| "For private use, configure an allowlist with your Telegram user id:", | ||
| " " + formatCliCommand(`openclaw config set ${configBase}.dmPolicy "allowlist"`), | ||
| " " + formatCliCommand(`openclaw config set ${configBase}.allowFrom '["YOUR_USER_ID"]'`), |
There was a problem hiding this comment.
The new remediation line uses openclaw config set ... allowFrom '["YOUR_USER_ID"]'. That fixes POSIX shells, but on Windows cmd.exe the single quotes are passed through literally, so config set parses the value as a JSON5 string and writes allowFrom as the scalar string [“YOUR_USER_ID”] instead of an array (src/cli/config-cli.ts:158-171). Users who follow this warning from cmd.exe will still end up with an invalid Telegram allowlist, so this needs a shell-neutral form such as a --strict-json example.
Useful? React with 👍 / 👎.
| const hasAllowFrom = | ||
| Array.isArray(merged.allowFrom) && merged.allowFrom.some((e) => String(e).trim()); | ||
| return policy === "pairing" && !hasAllowFrom; |
There was a problem hiding this comment.
shouldShowTelegramDmAccessWarning currently treats any non-empty allowFrom entry as sufficient to skip the new warning. Telegram authorization later drops non-numeric entries (extensions/telegram/src/bot-access.ts:42-58), and the suite already covers that allowFrom: ["@testuser"] does not authorize senders (extensions/telegram/src/bot.create-telegram-bot.test.ts:793-805). In configs that still contain unresolved usernames or other invalid values, setup will now hide the warning even though dmPolicy: "pairing" still lets every real user initiate pairing.
Useful? React with 👍 / 👎.
…owFrom (openclaw#50710) * fix(telegram): warn when setup leaves dmPolicy as pairing without allowFrom * fix(telegram): scope setup warning to account config * fix(telegram): quote setup allowFrom example * fix: warn on insecure Telegram setup defaults (openclaw#50710) (thanks @ernestodeoliveira) --------- Co-authored-by: Claude Code <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
…owFrom (openclaw#50710) * fix(telegram): warn when setup leaves dmPolicy as pairing without allowFrom * fix(telegram): scope setup warning to account config * fix(telegram): quote setup allowFrom example * fix: warn on insecure Telegram setup defaults (openclaw#50710) (thanks @ernestodeoliveira) --------- Co-authored-by: Claude Code <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
…owFrom (openclaw#50710) * fix(telegram): warn when setup leaves dmPolicy as pairing without allowFrom * fix(telegram): scope setup warning to account config * fix(telegram): quote setup allowFrom example * fix: warn on insecure Telegram setup defaults (openclaw#50710) (thanks @ernestodeoliveira) --------- Co-authored-by: Claude Code <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
…owFrom (openclaw#50710) * fix(telegram): warn when setup leaves dmPolicy as pairing without allowFrom * fix(telegram): scope setup warning to account config * fix(telegram): quote setup allowFrom example * fix: warn on insecure Telegram setup defaults (openclaw#50710) (thanks @ernestodeoliveira) --------- Co-authored-by: Claude Code <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
…owFrom (openclaw#50710) * fix(telegram): warn when setup leaves dmPolicy as pairing without allowFrom * fix(telegram): scope setup warning to account config * fix(telegram): quote setup allowFrom example * fix: warn on insecure Telegram setup defaults (openclaw#50710) (thanks @ernestodeoliveira) --------- Co-authored-by: Claude Code <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
…owFrom (openclaw#50710) * fix(telegram): warn when setup leaves dmPolicy as pairing without allowFrom * fix(telegram): scope setup warning to account config * fix(telegram): quote setup allowFrom example * fix: warn on insecure Telegram setup defaults (openclaw#50710) (thanks @ernestodeoliveira) --------- Co-authored-by: Claude Code <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]> (cherry picked from commit 80110c5) # Conflicts: # CHANGELOG.md # extensions/telegram/src/setup-surface.ts
…owFrom (openclaw#50710) * fix(telegram): warn when setup leaves dmPolicy as pairing without allowFrom * fix(telegram): scope setup warning to account config * fix(telegram): quote setup allowFrom example * fix: warn on insecure Telegram setup defaults (openclaw#50710) (thanks @ernestodeoliveira) --------- Co-authored-by: Claude Code <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]> (cherry picked from commit 80110c5)
2 participants
Summary
When a user completes the Telegram channel setup without configuring an
allowFromlist, the bot silently defaults todmPolicy: "pairing". This means any Telegram user who discovers the bot can send pairing requests — potentially gaining access to a bot that handles private data, files, or system commands.Most users are not aware of this exposure. There is currently no warning in the setup flow to inform them.
Problem
The
getCurrentfallback insetup-surface.tsdefaults topairing:A user who completes the wizard without explicitly choosing a DM policy, or without adding
allowFromentries, ends up with an open bot and no indication of the risk.Solution
Added a
completionNotetotelegramSetupWizardthat is conditionally shown after setup completes. It only triggers when:dmPolicyis effectivelypairing(default or explicitly set), andallowFromis empty or not configuredWhen shown, the note includes:
Design decisions
pairingto avoid breaking existing users. This is purely informational.setup-surface.ts). No schema changes, no new dependencies beyond existingplugin-sdk/setup-toolshelpers.Testing
pnpm typecheck)pnpm format:check)Files changed
extensions/telegram/src/setup-surface.ts— addedcompletionNotewithshouldShowguard