Hua/nanobot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: deny by default in is_allowed for all channels

Browse Source 
When allow_from is not configured, block all access by default
instead of allowing everyone. This prevents unauthorized access
when channels are enabled without explicit allow lists.
This commit is contained in:
chengyongru
2026-03-02 13:17:39 +08:00
parent a5962170f6
commit d447be5ca2
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
nanobot/channels/base.py
View File

@@ -70,9 +70,16 @@ class BaseChannel(ABC):
""" """
allow_list = getattr(self.config, "allow_from", []) allow_list = getattr(self.config, "allow_from", [])
# If no allow list, allow everyone # Security fix: If no allow list, deny everyone by default
# This prevents unauthorized access when allow_from is not configured
if not allow_list: if not allow_list:
return True logger.warning(
"Channel {} has no allow_from configured - "
"blocking all access by default for security. "
"Add allowed senders to config to enable access.",
self.name,
)
return False
sender_str = str(sender_id) sender_str = str(sender_id)
if sender_str in allow_list: if sender_str in allow_list: