fix: tighten commands.allowFrom override + IPv6-safe callback URL

2026-04-23 14:45:46 +00:00 · 2026-02-15 08:52:01 -05:00
parent 5771f483fc
commit 1c1027634f
3 changed files with 37 additions and 2 deletions
--- a/extensions/mattermost/src/mattermost/slash-commands.ts
+++ b/extensions/mattermost/src/mattermost/slash-commands.ts
@@ -503,7 +503,13 @@ export function resolveCallbackUrl(params: {
  if (params.config.callbackUrl) {
    return params.config.callbackUrl;
  }
-  const host = params.gatewayHost || "localhost";
+  let host = params.gatewayHost || "localhost";
  const path = normalizeCallbackPath(params.config.callbackPath);
+
+  // Bracket IPv6 literals so the URL is valid: http://[::1]:3015/...
+  if (host.includes(":") && !(host.startsWith("[") && host.endsWith("]"))) {
+    host = `[${host}]`;
+  }
+
  return `http://${host}:${params.gatewayPort}${path}`;
 }
--- a/src/auto-reply/command-auth.ts
+++ b/src/auto-reply/command-auth.ts
@@ -165,7 +165,9 @@ function resolveCommandsAllowFromList(params: {

  const rawList = Array.isArray(providerList) ? providerList : globalList;
  if (!Array.isArray(rawList)) {
-    return null; // No applicable list found
+    // commands.allowFrom is configured, but there's no provider-specific list and no "*".
+    // Treat as an explicit deny for this provider (override semantics).
+    return [];
  }

  return formatAllowFromList({
--- a/src/auto-reply/command-control.test.ts
+++ b/src/auto-reply/command-control.test.ts
@@ -296,6 +296,33 @@ describe("resolveCommandAuthorization", () => {
      expect(whatsappAuth.isAuthorizedSender).toBe(true);
    });

+    it("denies providers not present in commands.allowFrom when no wildcard is set", () => {
+      const cfg = {
+        commands: {
+          allowFrom: {
+            signal: ["user123"],
+          },
+        },
+        // Channel allowFrom would normally allow, but commands.allowFrom should override.
+        channels: { whatsapp: { allowFrom: ["*"] } },
+      } as OpenClawConfig;
+
+      const ctx = {
+        Provider: "whatsapp",
+        Surface: "whatsapp",
+        From: "whatsapp:anyuser",
+        SenderId: "anyuser",
+      } as MsgContext;
+
+      const auth = resolveCommandAuthorization({
+        ctx,
+        cfg,
+        commandAuthorized: true,
+      });
+
+      expect(auth.isAuthorizedSender).toBe(false);
+    });
+
    it("falls back to channel allowFrom when commands.allowFrom not set", () => {
      const cfg = {
        channels: { whatsapp: { allowFrom: ["+15551234567"] } },