fix(security): lock down inbound DMs by default

2026-01-06 17:51:38 +01:00
parent 327ad3c9c7
commit 967cef80bc
36 changed files with 2093 additions and 203 deletions
--- a/src/signal/monitor.tool-result.test.ts
+++ b/src/signal/monitor.tool-result.test.ts
@@ -6,6 +6,8 @@ const sendMock = vi.fn();
 const replyMock = vi.fn();
 const updateLastRouteMock = vi.fn();
 let config: Record<string, unknown> = {};
+const readAllowFromStoreMock = vi.fn();
+const upsertPairingRequestMock = vi.fn();

 vi.mock("../config/config.js", async (importOriginal) => {
  const actual = await importOriginal<typeof import("../config/config.js")>();
@@ -23,6 +25,13 @@ vi.mock("./send.js", () => ({
  sendMessageSignal: (...args: unknown[]) => sendMock(...args),
 }));

+vi.mock("../pairing/pairing-store.js", () => ({
+  readProviderAllowFromStore: (...args: unknown[]) =>
+    readAllowFromStoreMock(...args),
+  upsertProviderPairingRequest: (...args: unknown[]) =>
+    upsertPairingRequestMock(...args),
+}));
+
 vi.mock("../config/sessions.js", () => ({
  resolveStorePath: vi.fn(() => "/tmp/clawdbot-sessions.json"),
  updateLastRoute: (...args: unknown[]) => updateLastRouteMock(...args),
@@ -47,7 +56,7 @@ const flush = () => new Promise((resolve) => setTimeout(resolve, 0));
 beforeEach(() => {
  config = {
    messages: { responsePrefix: "PFX" },
-    signal: { autoStart: false },
+    signal: { autoStart: false, dmPolicy: "open", allowFrom: ["*"] },
    routing: { allowFrom: [] },
  };
  sendMock.mockReset().mockResolvedValue(undefined);
@@ -56,6 +65,10 @@ beforeEach(() => {
  streamMock.mockReset();
  signalCheckMock.mockReset().mockResolvedValue({});
  signalRpcRequestMock.mockReset().mockResolvedValue({});
+  readAllowFromStoreMock.mockReset().mockResolvedValue([]);
+  upsertPairingRequestMock
+    .mockReset()
+    .mockResolvedValue({ code: "PAIRCODE", created: true });
 });

 describe("monitorSignalProvider tool results", () => {
@@ -93,4 +106,42 @@ describe("monitorSignalProvider tool results", () => {
    expect(sendMock.mock.calls[0][1]).toBe("PFX tool update");
    expect(sendMock.mock.calls[1][1]).toBe("PFX final reply");
  });
+
+  it("replies with pairing code when dmPolicy is pairing and no allowFrom is set", async () => {
+    config = {
+      ...config,
+      signal: { autoStart: false, dmPolicy: "pairing", allowFrom: [] },
+    };
+
+    streamMock.mockImplementation(async ({ onEvent }) => {
+      const payload = {
+        envelope: {
+          sourceNumber: "+15550001111",
+          sourceName: "Ada",
+          timestamp: 1,
+          dataMessage: {
+            message: "hello",
+          },
+        },
+      };
+      await onEvent({
+        event: "receive",
+        data: JSON.stringify(payload),
+      });
+    });
+
+    await monitorSignalProvider({
+      autoStart: false,
+      baseUrl: "http://127.0.0.1:8080",
+    });
+
+    await flush();
+
+    expect(replyMock).not.toHaveBeenCalled();
+    expect(upsertPairingRequestMock).toHaveBeenCalled();
+    expect(sendMock).toHaveBeenCalledTimes(1);
+    expect(String(sendMock.mock.calls[0]?.[1] ?? "")).toContain(
+      "Pairing code: PAIRCODE",
+    );
+  });
 });
--- a/src/signal/monitor.ts
+++ b/src/signal/monitor.ts
@@ -8,6 +8,10 @@ import { resolveStorePath, updateLastRoute } from "../config/sessions.js";
 import { danger, logVerbose, shouldLogVerbose } from "../globals.js";
 import { mediaKindFromMime } from "../media/constants.js";
 import { saveMediaBuffer } from "../media/store.js";
+import {
+  readProviderAllowFromStore,
+  upsertProviderPairingRequest,
+} from "../pairing/pairing-store.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { normalizeE164 } from "../utils.js";
 import { signalCheck, signalRpcRequest, streamSignalEvents } from "./client.js";
@@ -110,7 +114,7 @@ function resolveGroupAllowFrom(opts: MonitorSignalOpts): string[] {
 }

 function isAllowedSender(sender: string, allowFrom: string[]): boolean {
-  if (allowFrom.length === 0) return true;
+  if (allowFrom.length === 0) return false;
  if (allowFrom.includes("*")) return true;
  const normalizedAllow = allowFrom
    .map((entry) => entry.replace(/^signal:/i, ""))
@@ -245,6 +249,7 @@ export async function monitorSignalProvider(
  const textLimit = resolveTextChunkLimit(cfg, "signal");
  const baseUrl = resolveBaseUrl(opts);
  const account = resolveAccount(opts);
+  const dmPolicy = cfg.signal?.dmPolicy ?? "pairing";
  const allowFrom = resolveAllowFrom(opts);
  const groupAllowFrom = resolveGroupAllowFrom(opts);
  const groupPolicy = cfg.signal?.groupPolicy ?? "open";
@@ -317,18 +322,67 @@ export async function monitorSignalProvider(
      const groupId = dataMessage.groupInfo?.groupId ?? undefined;
      const groupName = dataMessage.groupInfo?.groupName ?? undefined;
      const isGroup = Boolean(groupId);
+      const storeAllowFrom = await readProviderAllowFromStore("signal").catch(
+        () => [],
+      );
+      const effectiveDmAllow = [...allowFrom, ...storeAllowFrom];
+      const effectiveGroupAllow = [...groupAllowFrom, ...storeAllowFrom];
+      const dmAllowed =
+        dmPolicy === "open" ? true : isAllowedSender(sender, effectiveDmAllow);
+
+      if (!isGroup) {
+        if (dmPolicy === "disabled") return;
+        if (!dmAllowed) {
+          if (dmPolicy === "pairing") {
+            const senderId = normalizeE164(sender);
+            const { code } = await upsertProviderPairingRequest({
+              provider: "signal",
+              id: senderId,
+              meta: {
+                name: envelope.sourceName ?? undefined,
+              },
+            });
+            logVerbose(
+              `signal pairing request sender=${senderId} code=${code}`,
+            );
+            try {
+              await sendMessageSignal(
+                senderId,
+                [
+                  "Clawdbot: access not configured.",
+                  "",
+                  `Pairing code: ${code}`,
+                  "",
+                  "Ask the bot owner to approve with:",
+                  "clawdbot pairing approve --provider signal <code>",
+                ].join("\n"),
+                { baseUrl, account, maxBytes: mediaMaxBytes },
+              );
+            } catch (err) {
+              logVerbose(
+                `signal pairing reply failed for ${senderId}: ${String(err)}`,
+              );
+            }
+          } else {
+            logVerbose(
+              `Blocked signal sender ${sender} (dmPolicy=${dmPolicy})`,
+            );
+          }
+          return;
+        }
+      }
      if (isGroup && groupPolicy === "disabled") {
        logVerbose("Blocked signal group message (groupPolicy: disabled)");
        return;
      }
      if (isGroup && groupPolicy === "allowlist") {
-        if (groupAllowFrom.length === 0) {
+        if (effectiveGroupAllow.length === 0) {
          logVerbose(
            "Blocked signal group message (groupPolicy: allowlist, no groupAllowFrom)",
          );
          return;
        }
-        if (!isAllowedSender(sender, groupAllowFrom)) {
+        if (!isAllowedSender(sender, effectiveGroupAllow)) {
          logVerbose(
            `Blocked signal group sender ${sender} (not in groupAllowFrom)`,
          );
@@ -337,14 +391,10 @@ export async function monitorSignalProvider(
      }

      const commandAuthorized = isGroup
-        ? groupAllowFrom.length > 0
-          ? isAllowedSender(sender, groupAllowFrom)
+        ? effectiveGroupAllow.length > 0
+          ? isAllowedSender(sender, effectiveGroupAllow)
          : true
-        : isAllowedSender(sender, allowFrom);
-      if (!isGroup && !commandAuthorized) {
-        logVerbose(`Blocked signal sender ${sender} (not in allowFrom)`);
-        return;
-      }
+        : dmAllowed;
      const messageText = (dataMessage.message ?? "").trim();

      let mediaPath: string | undefined;