ros/claude-plugins-official
1
0
Fork 0
mirror of https://github.com/anthropics/claude-plugins-official.git synced 2026-03-23 00:23:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Restrict bot commands to DMs (security)

Browse Source 
- /status in a group would leak the sender's pending pairing code to
  other group members, who could then pair as that user
- Commands in non-allowlisted groups confirm bot presence and enable spam
- /start now acknowledges dmPolicy === 'disabled' instead of lying
- setMyCommands scoped to private chats so the / menu only shows in DMs
This commit is contained in:
Kenneth Lien
2026-03-20 11:54:48 -07:00
parent 521f858e11
commit 9a101ba34c
1 changed files with 21 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
external_plugins/telegram/server.ts
View File

@@ -507,7 +507,18 @@ mcp.setRequestHandler(CallToolRequestSchema, async req => {
await mcp.connect(new StdioServerTransport()) await mcp.connect(new StdioServerTransport())
// Commands are DM-only. Responding in groups would: (1) leak pairing codes via
// /status to other group members, (2) confirm bot presence in non-allowlisted
// groups, (3) spam channels the operator never approved. Silent drop matches
// the gate's behavior for unrecognized groups.
bot.command('start', async ctx => { bot.command('start', async ctx => {
if (ctx.chat?.type !== 'private') return
const access = loadAccess()
if (access.dmPolicy === 'disabled') {
await ctx.reply(`This bot isn't accepting new connections.`)
return
}
await ctx.reply( await ctx.reply(
`👋 Hi! I'm a bridge between Telegram and Claude Code.\n\n` + `👋 Hi! I'm a bridge between Telegram and Claude Code.\n\n` +
`How to set up:\n` + `How to set up:\n` +
@@ -519,6 +530,7 @@ bot.command('start', async ctx => {
}) })
bot.command('help', async ctx => { bot.command('help', async ctx => {
if (ctx.chat?.type !== 'private') return
await ctx.reply( await ctx.reply(
`I relay messages between Telegram and Claude Code.\n\n` + `I relay messages between Telegram and Claude Code.\n\n` +
`What works:\n` + `What works:\n` +
@@ -530,6 +542,7 @@ bot.command('help', async ctx => {
}) })
bot.command('status', async ctx => { bot.command('status', async ctx => {
if (ctx.chat?.type !== 'private') return
const from = ctx.from const from = ctx.from
if (!from) return if (!from) return
const senderId = String(from.id) const senderId = String(from.id)
@@ -643,10 +656,13 @@ void bot.start({
onStart: info => { onStart: info => {
botUsername = info.username botUsername = info.username
process.stderr.write(`telegram channel: polling as @${info.username}\n`) process.stderr.write(`telegram channel: polling as @${info.username}\n`)
void bot.api.setMyCommands([ void bot.api.setMyCommands(
{ command: 'start', description: 'Welcome and setup guide' }, [
{ command: 'help', description: 'What this bot can do' }, { command: 'start', description: 'Welcome and setup guide' },
{ command: 'status', description: 'Check your pairing status' }, { command: 'help', description: 'What this bot can do' },
]).catch(() => {}) { command: 'status', description: 'Check your pairing status' },
],
{ scope: { type: 'all_private_chats' } },
).catch(() => {})
}, },
}) })