From d447be5ca22c335945c51d15d119562af82b27e8 Mon Sep 17 00:00:00 2001
From: chengyongru <2755839590@qq.com>
Date: Mon, 2 Mar 2026 13:17:39 +0800
Subject: [PATCH] security: deny by default in is_allowed for all channels

When allow_from is not configured, block all access by default instead of allowing everyone. This prevents unauthorized access when channels are enabled without explicit allow lists.
---
 nanobot/channels/base.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/nanobot/channels/base.py b/nanobot/channels/base.py
index f795931..d73d34c 100644
--- a/nanobot/channels/base.py
+++ b/nanobot/channels/base.py
@@ -70,9 +70,16 @@ class BaseChannel(ABC):
         """
         allow_list = getattr(self.config, "allow_from", [])
-        # If no allow list, allow everyone
+        # Security fix: If no allow list, deny everyone by default
+        # This prevents unauthorized access when allow_from is not configured
         if not allow_list:
-            return True
+            logger.warning(
+                "Channel {} has no allow_from configured - "
+                "blocking all access by default for security. "
+                "Add allowed senders to config to enable access.",
+                self.name,
+            )
+            return False
         sender_str = str(sender_id)
         if sender_str in allow_list: