From 385a7eba3376a4ca65093ce42c6d009c49089c40 Mon Sep 17 00:00:00 2001
From: Gustavo Madeira Santana
Date: Wed, 4 Feb 2026 20:05:08 -0500
Subject: [PATCH] fix: enforce owner allowlist for commands
---
 src/auto-reply/command-auth.ts | 15 ++++++++++-----
 src/auto-reply/command-control.test.ts | 2 +-
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/auto-reply/command-auth.ts b/src/auto-reply/command-auth.ts
index 187fa6261..7db36d36a 100644
--- a/src/auto-reply/command-auth.ts
+++ b/src/auto-reply/command-auth.ts
@@ -204,6 +204,7 @@ export function resolveCommandAuthorization(params: {
 ownerCandidatesForCommands.push(...normalizedTo);
 }
 }
+ const ownerAllowAll = ownerAllowFromList.some((entry) => entry.trim() === "*");
 const explicitOwners = ownerAllowFromList.filter((entry) => entry !== "*");
 const ownerList = Array.from(
 new Set(explicitOwners.length > 0 ? explicitOwners : ownerCandidatesForCommands),
@@ -228,11 +229,15 @@ export function resolveCommandAuthorization(params: {
 const enforceOwner = Boolean(dock?.commands?.enforceOwnerForCommands);
 const senderIsOwner = Boolean(matchedSender);
- const isOwnerForCommands =
- !enforceOwner ||
- allowAll ||
- ownerCandidatesForCommands.length === 0 ||
- Boolean(matchedCommandOwner);
+ const ownerAllowlistConfigured = ownerAllowAll || explicitOwners.length > 0;
+ const requireOwner = enforceOwner || ownerAllowlistConfigured;
+ const isOwnerForCommands = !requireOwner
+ ? true
+ : ownerAllowAll
+ ? true
+ : ownerAllowlistConfigured
+ ? senderIsOwner
+ : allowAll || ownerCandidatesForCommands.length === 0 || Boolean(matchedCommandOwner);
 const isAuthorizedSender = commandAuthorized && isOwnerForCommands;
 return {
diff --git a/src/auto-reply/command-control.test.ts b/src/auto-reply/command-control.test.ts
index 860e7550b..4ef4ff7f4 100644
--- a/src/auto-reply/command-control.test.ts
+++ b/src/auto-reply/command-control.test.ts
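Review bot: The added `ownerAllowAll` check trims each entry before comparing it with `"*"`, but the `explicitOwners` filter on the following line still compares the raw entry, so a padded wildcard such as `" * "` would both switch on allow-all and remain in `explicitOwners` (and from there in `ownerList`) as if it were an owner id. Whether `ownerAllowFromList` is already trimmed is decided above this hunk, so the case may be unreachable today. Making the two lines agree removes the question: `const explicitOwners = ownerAllowFromList.filter((entry) => entry.trim() !== "*");`. The body of `resolveCommandAuthorization` starts and ends outside the hunk.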
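Review bot: The last arm of the new `isOwnerForCommands` ternary still fails open: it is reached only when `enforceOwner` is true and no owner allowlist is configured, and there `ownerCandidatesForCommands.length === 0` treats every sender as owner, as does `allowAll`. The condition is carried over from the removed expression, so it may be deliberate for setups with no owner identity to compare against, but in a commit that enforces owner checks it should either be dropped or documented, for example `// enforceOwner with no allowlist and no owner candidates: nothing to compare against, so owner gating is skipped`. The four-level nested ternary is also hard to audit for an authorization decision; its first two arms reduce to `!requireOwner || ownerAllowAll`, and an if/return chain would make each grant path explicit. `allowAll`, `matchedSender` and `matchedCommandOwner` are computed outside the hunk, so how `senderIsOwner` relates to `explicitOwners` cannot be confirmed from here.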
@@ -165,7 +165,7 @@ describe("resolveCommandAuthorization", () => {
 commandAuthorized: true,
 });
 expect(otherAuth.senderIsOwner).toBe(false);
- expect(otherAuth.isAuthorizedSender).toBe(true);
+ expect(otherAuth.isAuthorizedSender).toBe(false);
 });
 });
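Review bot: The new wildcard path gets no test in this commit: the diffstat shows this one-line expectation flip as the only change to the test file, so unless an existing case already covers it, nothing pins that an owner allowlist containing `*` still authorizes a non-owner sender, or that `enforceOwner` with no owner candidates stays open. Both are grant paths in `resolveCommandAuthorization`, and a regression in either changes who can run commands. I would add one case per path next to this one, each asserting `isAuthorizedSender` and `senderIsOwner` explicitly. The enclosing `it` block starts above the hunk, so its setup is not visible here.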