From b7ad3f478f9bc24768f88e4339fc3e6e23d0292b Mon Sep 17 00:00:00 2001
From: UgwujaGeorge
Date: Fri, 1 May 2026 07:13:33 +0100
Subject: [PATCH] fix(yuanbao): enforce owner identity check on group slash commands

The bot-owner identity check inside OwnerCommandMiddleware was commented out and replaced with a hardcoded `is_owner = True`, so any group member could trigger allowlisted privileged commands (/approve, /deny, /stop, /reset, /retry, /undo, /new, /background, /bg, /btw, /queue, /q) by sending the slash command without @-mentioning the bot. The most severe case is /approve: a non-owner could approve a dangerous tool call the bot was waiting on the owner to confirm. Re-enable the documented identity check (push.from_account == push.bot_owner_id) so only the configured owner can issue these commands.
---
 gateway/platforms/yuanbao.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gateway/platforms/yuanbao.py b/gateway/platforms/yuanbao.py
index 83cd6695657..f08f7266e19 100644
--- a/gateway/platforms/yuanbao.py
+++ b/gateway/platforms/yuanbao.py
@@ -1896,10 +1896,12 @@ class OwnerCommandMiddleware(InboundMiddleware):
         if cmd not in cls.ALLOWLIST:
             return None, None, False
 
-        # Sender identity check: bot owner <-> push.from_account == push.bot_owner_id
-        # owner_id = (push or {}).get("bot_owner_id") or ""
-        # is_owner = bool(owner_id) and owner_id == from_account
-        is_owner = True
+        # Sender identity check: bot owner <-> push.from_account == push.bot_owner_id.
+        # The allowlisted commands (/approve, /deny, /stop, /reset, ...) are
+        # privileged — leaking them to non-owners lets any group member approve
+        # a dangerous tool call, kill the owner's task, or wipe session state.
+        owner_id = str((push or {}).get("bot_owner_id") or "").strip()
+        is_owner = bool(owner_id) and owner_id == from_account
         return cmd, cmd_line, is_owner
 
     async def handle(self, ctx: InboundContext, next_fn) -> None:
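Review bot: The comparison on the new `is_owner` line normalizes only one operand: `owner_id` is coerced with `str()` and stripped, while `from_account` is compared exactly as it arrives, so an owner whose account id reaches this point as a non-str or with surrounding whitespace is silently denied — fail-closed, but a lockout the commit message does not mention. Normalizing both sides the same way, `sender = str(from_account or "").strip()` followed by `is_owner = bool(owner_id) and owner_id == sender`, keeps the check strict without the asymmetry; the enclosing method starts outside the hunk, so where `from_account` is derived is not visible here. Both operands come from the same `push` payload, so this guard is only as strong as whatever authenticates that payload upstream, which the hunk does not show — a one-line comment stating that assumption next to the check would help the next reader. The diffstat shows no test accompanying a fix whose check had already been disabled once; a regression test asserting that a non-owner `/approve` yields `is_owner == False` (and that the configured owner still passes) would keep it from being lost again.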