fix(whatsapp/bridge): #8389 patch critical authorization bypass in self-chat mode #8431

Open
dip8989 wants to merge 2 commits into NousResearch:main from dip8989:patch-3

dip8989 commented Apr 12, 2026

What does this PR do?

Resolves #8389

🚨 Security Incident Report

A medium-high severity authorization vulnerability was identified within the WhatsApp Bridge component. Under the default configuration (WHATSAPP_MODE = 'self-chat'), the system was inadvertently processing inbound payloads from unauthorized third-party senders. This occurred because the absence of an explicitly defined WHATSAPP_ALLOWED_USERS list was defaulting to a permissive state (true), effectively bypassing the intended self-isolation constraints and exposing the bridge to public interaction.

🔬 Vulnerability Analysis

The root cause stems from a logical flaw in the boundary validation checks across two modules:

  1. In allowlist.js, an empty evaluation set inherently returned a bypass (return true), violating the principle of least privilege by failing open instead of failing closed.
  2. In bridge.js, the routing logic did not distinctly enforce the self-chat execution mode boundary when processing non-origin (!msg.key.fromMe) events.

🛡️ Mitigation Strategy

The authorization architecture has been patched to enforce a strict "deny-by-default" policy:

  • Fail-Closed Enforcement (allowlist.js): An empty or uninitialized allowlist now correctly resolves to return false, explicitly denying access to unregistered external identifiers.
  • Strict Mode Isolation (bridge.js): Injected a pre-computation gateway check that actively inspects WHATSAPP_MODE. If the environment is constrained to self-chat, all non-origin payloads are immediately dropped (continue) prior to any allowlist evaluation.

🔒 Security Impact

  • Complete isolation restored for default self-chat deployments.
  • Unintended public interaction vectors neutralized.
  • Enforced zero-trust validation on empty configuration arrays.

Related Issue

Fixes #

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 🔒 Security fix
  • 📝 Documentation update
  • ✅ Tests (adding or improving test coverage)
  • ♻️ Refactor (no behavior change)
  • 🎯 New skill (bundled or hub)

Changes Made

How to Test

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform:

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

For New Skills

  • This skill is broadly useful to most users (if bundled) — see Contributing Guide
  • SKILL.md follows the standard format (frontmatter, trigger conditions, steps, pitfalls)
  • No external dependencies that aren't already available (prefer stdlib, curl, existing Hermes tools)
  • I've tested the skill end-to-end: hermes --toolsets skills -q "Use the X skill to do Y"

Screenshots / Logs

alt-glitch added the labels type/security (Security vulnerability or hardening), P0 (Critical — data loss, security, crash loop) and platform/whatsapp (WhatsApp Business adapter) on Apr 28, 2026
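
The fail-open and fail-closed behaviour that the PR description above attributes to allowlist.js and bridge.js, shown side by side as an added example; it is not code from this PR or from the repository. WHATSAPP_MODE, WHATSAPP_ALLOWED_USERS and msg.key.fromMe come from the description; the function names, the comma-separated list format, matching on msg.key.remoteJid and the 'not-self-chat' mode value are assumptions.

```javascript
// Added illustration, not code from the PR or the repository it targets.
// Function names, the list format, matching on msg.key.remoteJid and the
// 'not-self-chat' placeholder mode are assumptions.

function parseAllowlist(raw) {
  return new Set((raw || '').split(',').map((s) => s.trim()).filter(Boolean));
}

// Described pre-patch behaviour: an empty allowlist fails open.
function isAllowedFailOpen(allowlist, sender) {
  return allowlist.size === 0 ? true : allowlist.has(sender);
}

// Described post-patch behaviour: an empty allowlist fails closed.
function isAllowedFailClosed(allowlist, sender) {
  return allowlist.size === 0 ? false : allowlist.has(sender);
}

// Pre-patch gate: no mode boundary, so only the allowlist stands between a
// third-party sender and the bridge.
function legacyGate(msg, env) {
  if (msg.key.fromMe) return true; // assumed: the owner's messages pass
  const list = parseAllowlist(env.WHATSAPP_ALLOWED_USERS);
  return isAllowedFailOpen(list, msg.key.remoteJid);
}

// Post-patch gate: in self-chat mode, non-origin messages are dropped before
// the allowlist is evaluated; other modes use the fail-closed allowlist.
function patchedGate(msg, env) {
  if (msg.key.fromMe) return true; // assumed: the owner's messages pass
  if ((env.WHATSAPP_MODE || 'self-chat') === 'self-chat') return false;
  const list = parseAllowlist(env.WHATSAPP_ALLOWED_USERS);
  return isAllowedFailClosed(list, msg.key.remoteJid);
}

// Constructed sample messages (not real traffic): [owner, third party].
const STRANGER = '15550199@s.whatsapp.net';
const SAMPLE = [
  { key: { fromMe: true, remoteJid: '15550100@s.whatsapp.net' } },
  { key: { fromMe: false, remoteJid: STRANGER } },
];

// Returns one admit/drop decision per sample message.
const decide = (gate, env) => SAMPLE.map((m) => gate(m, env));

console.log('legacy, default config :', decide(legacyGate, {}));
console.log('patched, default config:', decide(patchedGate, {}));
console.log('patched, other mode, empty list:',
  decide(patchedGate, { WHATSAPP_MODE: 'not-self-chat' }));
```

A regression test for this class of bug should cover the unset-variable case explicitly, since that is the configuration in which the two gates disagree.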
alt-glitch (Collaborator) commented

Likely duplicate of #8410 — both fix the same authorization bypass in WhatsApp self-chat mode (#8389). Also related to #7073.

egilewski (Contributor) commented

This appears superseded by the fix already on current main via #21291 / merge commit 6a4ecc0a9fdb857cd6ef93cf0ebce77250a2a290.

I checked current main at d29caf382868f8f5fb5e0c09f632f70f27e6e64e against this PR head e2d11b4515b2d54de4845ac3e170c4e24e58a51b:

Recommendation: close this PR as duplicate/superseded rather than merging it for #8389.

Signed: GPT-5.5-xhigh in Codex

Development

Successfully merging this pull request may close these issues.

[SECURITY] WhatsApp self-chat mode responds to ALL incoming messages (empty allowlist = allow everyone)
