[SECURITY] WhatsApp self-chat mode responds to ALL incoming messages (empty allowlist = allow everyone)
## Security Issue
**Severity:** Medium-High
**Component:** WhatsApp Bridge
### Description
In `self-chat` mode (default), the bridge processes messages from ANY sender. Anyone who messages the user triggers a Hermes response.
### Root Cause
Two issues compound:
1. **`allowlist.js` line 67-68** — Empty allowlist returns `true`:
```javascript
if (!allowedUsers || allowedUsers.size === 0) {
  return true; // ← everyone allowed!
}
```
2. **`bridge.js` line 231** — No mode distinction for non-`fromMe` messages:
```javascript
if (!msg.key.fromMe && !matchesAllowedUser(senderId, ALLOWED_USERS, SESSION_DIR)) {
  continue;
}
```
`WHATSAPP_ALLOWED_USERS` defaults to empty → everyone passes.
### Impact
Any person messaging the user gets a pairing code reply. Affects ALL users without explicit allowlist config.
### Fix
In `bridge.js`, add mode-aware filtering:
```javascript
if (!msg.key.fromMe) {
  if (WHATSAPP_MODE === 'self-chat') {
    continue; // Self-chat: never respond to other people
  }
  if (!matchesAllowedUser(senderId, ALLOWED_USERS, SESSION_DIR)) {
    continue;
  }
}
```
And in `allowlist.js`, change the empty-allowlist default to `return false`.
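To make the two defects and the fix concrete, here is an added, self-contained example (not the bridge's own code) that models the message filter as pure functions. The vulnerable allowlist check is kept beside the hardened one, and `shouldProcessMessage` applies the mode-aware ordering described above. The function names, the minimal message shape `{ key: { fromMe } }`, and the sample messages are all constructed assumptions for this illustration; `SESSION_DIR` is omitted because it does not affect the decision.

```javascript
// Added example, not code from the bridge. Names and message shape are assumptions.

// Vulnerable default (as reported): a missing or empty allowlist allows everyone.
function matchesAllowedUserVulnerable(senderId, allowedUsers) {
  if (!allowedUsers || allowedUsers.size === 0) {
    return true; // everyone allowed
  }
  return allowedUsers.has(senderId);
}

// Hardened default: a missing or empty allowlist allows no one (fail closed).
function matchesAllowedUser(senderId, allowedUsers) {
  if (!allowedUsers || allowedUsers.size === 0) {
    return false;
  }
  return allowedUsers.has(senderId);
}

// Mode-aware filter: returns true only if the bridge should act on this message.
// Order matters: the user's own messages are always processed, self-chat mode
// ignores everyone else outright, and only other modes consult the allowlist.
function shouldProcessMessage(msg, senderId, mode, allowedUsers) {
  if (msg.key.fromMe) {
    return true;
  }
  if (mode === 'self-chat') {
    return false; // never respond to other people in self-chat mode
  }
  return matchesAllowedUser(senderId, allowedUsers);
}

// Constructed sample traffic: one message from the user, one from a stranger.
const ownMessage = { key: { fromMe: true } };
const strangerMessage = { key: { fromMe: false } };
const emptyAllowlist = new Set(); // the shipped default

// Evaluate the stranger's message under the old and new allowlist defaults and
// under the mode-aware filter, so the difference is visible as plain booleans.
function evaluateDefaults() {
  return {
    // Old behaviour: empty allowlist lets the stranger through.
    vulnerableEmptyAllowlist: matchesAllowedUserVulnerable('stranger@s.whatsapp.net', emptyAllowlist),
    // New behaviour: empty allowlist denies the stranger.
    hardenedEmptyAllowlist: matchesAllowedUser('stranger@s.whatsapp.net', emptyAllowlist),
    // Self-chat mode ignores the stranger even if an allowlist were populated.
    selfChatStranger: shouldProcessMessage(
      strangerMessage, 'stranger@s.whatsapp.net', 'self-chat', new Set(['stranger@s.whatsapp.net'])),
    // The user's own messages are still processed in self-chat mode.
    selfChatOwn: shouldProcessMessage(ownMessage, 'me@s.whatsapp.net', 'self-chat', emptyAllowlist),
    // In a non-self-chat mode, an explicitly allowed sender is processed.
    allowlistedStranger: shouldProcessMessage(
      strangerMessage, 'friend@s.whatsapp.net', 'allowlist', new Set(['friend@s.whatsapp.net'])),
    // In a non-self-chat mode with the default empty allowlist, nobody else is.
    unlistedStranger: shouldProcessMessage(strangerMessage, 'stranger@s.whatsapp.net', 'allowlist', emptyAllowlist),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluateDefaults());
}
```

The point of keeping the filter as a pure function is that the fail-closed default can be unit-tested directly: any future change that makes an empty allowlist return `true` again, or that consults the allowlist before checking the mode, shows up as a failing assertion rather than as a pairing code sent to a stranger.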
---
For the PR, fork it, create a branch, apply those two changes, and submit. Want me to prepare the exact diff you can paste?