polygram 0.12.0-rc.42 → 0.12.0-rc.43

package/lib/process/channels-tool-dispatcher.js

@@ -38,6 +38,13 @@ const os = require('node:os');
 // additional roots (e.g. a configured uploads dir).
 const DEFAULT_ATTACHMENT_BASE = path.join(os.tmpdir(), 'polygram-attachments');
 
+// Review 2026-06-12 hardening: cap files[] per reply so one (possibly
+// prompt-injected) call can't fan out unlimited uploads past the per-call
+// rate limit; cap the per-session owned-message-id set so the edit-ownership
+// tracker can't grow unbounded on a long-lived session.
+const MAX_FILES_PER_REPLY = 10;
+const OWNED_MSG_CAP = 256;
+
 function isPathUnder(child, parent) {
   const rel = path.relative(parent, child);
   return rel !== '' && !rel.startsWith('..') && !path.isAbsolute(rel);
@@ -125,6 +132,23 @@ function createChannelsToolDispatcher({
   const deliverAgent = processAndDeliverAgentText
     || require('../telegram/process-agent-reply').processAndDeliverAgentText;
 
+  // Per-session set of message_ids THIS session created (via reply/edit).
+  // edit_message may only target an owned bubble — a prompt-injected
+  // edit_message can't tamper with a message it didn't send, or another
+  // session's bubble (review 2026-06-12). Bounded per session (insertion-order
+  // eviction) so a long session can't grow it without limit.
+  const ownedMessageIds = new Map();   // sessionKey → Set<number>
+  const rememberOwned = (sk, id) => {
+    if (id == null || sk == null) return;
+    const n = Number(id);
+    if (!Number.isFinite(n)) return;
+    let set = ownedMessageIds.get(sk);
+    if (!set) { set = new Set(); ownedMessageIds.set(sk, set); }
+    set.add(n);
+    while (set.size > OWNED_MSG_CAP) set.delete(set.values().next().value);
+  };
+  const ownsMessage = (sk, id) => ownedMessageIds.get(sk)?.has(Number(id)) === true;
+
   return async function channelsToolDispatcher(call) {
     const { sessionKey, chatId, threadId, toolName, text, files, sourceMsgId, maxOutboundFileBytes, messageId } = call;
 
@@ -149,10 +173,18 @@ function createChannelsToolDispatcher({
       if (clean.length > maxChunkLen) {
         return { ok: false, error: `edit text too long (${clean.length} > ${maxChunkLen}); a message edit is a single bubble — use reply for long content` };
       }
+      // Ownership gate (review 2026-06-12): only edit a bubble THIS session
+      // created (got its id from a reply/edit result). Blocks a prompt-injected
+      // edit_message from tampering with an arbitrary or cross-session message.
+      if (!ownsMessage(sessionKey, messageId)) {
+        logger.warn?.(`[channels-tool-dispatcher] ${sessionKey} edit_message DENIED: message_id ${messageId} not owned by this session`);
+        return { ok: false, error: `message_id ${messageId} was not created by this session — edit_message can only target a bubble you sent` };
+      }
       try {
         const params = { chat_id: chatId, message_id: messageId, text: clean };
         if (threadId) params.message_thread_id = threadId;
         await send(bot, 'editMessageText', params, { source: 'channels-tool-dispatcher', sessionKey, toolName });
+        rememberOwned(sessionKey, messageId);   // keep ownership across re-edits
         return { ok: true, message_id: messageId };
       } catch (err) {
         logger.error?.(`[channels-tool-dispatcher] ${sessionKey} edit_message failed: ${err.message}`);
@@ -209,6 +241,13 @@ function createChannelsToolDispatcher({
       // tolerate the {message_id} object shape too. null for solo sticker/reaction.
       const firstSent = dr && Array.isArray(dr.sent) ? dr.sent.find(x => x != null) : null;
       const replyMessageId = (firstSent && typeof firstSent === 'object') ? firstSent.message_id : firstSent;
+      // Remember every delivered bubble so claude can edit_message any of them
+      // (the ownership gate above) — not just the first one returned.
+      if (dr && Array.isArray(dr.sent)) {
+        for (const s of dr.sent) {
+          rememberOwned(sessionKey, (s && typeof s === 'object') ? s.message_id : s);
+        }
+      }
 
       // File attachments — sent as separate messages AFTER the text.
       // Photos for image MIMEs, Documents for everything else (matches
@@ -220,12 +259,22 @@ function createChannelsToolDispatcher({
       // keys, and AWS creds can't leak to Telegram.
       const failedAttachments = [];
       if (Array.isArray(files) && files.length > 0) {
+        // Cap the per-reply fan-out (review 2026-06-12): a single (possibly
+        // injected) call attaching dozens of files would bypass the per-call
+        // rate limit. Process the first MAX_FILES_PER_REPLY; surface the rest.
+        let toAttach = files;
+        if (files.length > MAX_FILES_PER_REPLY) {
+          toAttach = files.slice(0, MAX_FILES_PER_REPLY);
+          for (const extra of files.slice(MAX_FILES_PER_REPLY)) {
+            failedAttachments.push({ path: extra, error: `too many files in one reply (max ${MAX_FILES_PER_REPLY}); send the rest in a follow-up` });
+          }
+        }
         const allowedRoots = buildAllowedRoots({
           sessionKey,
           sessionCwd: call.sessionCwd,
           extraRoots: attachmentAllowlist,
         });
-        for (const filePath of files) {
+        for (const filePath of toAttach) {
           const check = validateAttachmentPath(filePath, allowedRoots);
           if (!check.ok) {
             logger.warn?.(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.12.0-rc.42",
+  "version": "0.12.0-rc.43",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc/client.js",
   "bin": {