fix(core): restrict send_message_to_user to current session (security fix #7822) #7824

Merged: Soulter merged 3 commits into AstrBotDevs:master from Soulter:fix/issue-7822-send-message-security on Apr 28, 2026
@Soulter Soulter commented Apr 26, 2026

Description

This PR fixes a high-security vulnerability (Issue #7822) in the send_message_to_user tool.

The Problem

The tool previously accepted a user-controlled session parameter, allowing any regular user to ask the LLM to send arbitrary messages to any group chat by crafting a target session string (e.g., KevinBot:GroupMessage:704943246). This is a severe security risk — attackers could send untrusted links/messages to any session.

The Fix

  1. Removed the session parameter from the tool's parameter schema — the LLM can no longer propose it.
  2. Hardcoded the target session to context.context.event.unified_msg_origin — always uses the current user's own session.
  3. Updated the tool description to clearly state that it can only send messages to the current user's session.

Changes

  • astrbot/core/tools/message_tools.py: +9/-7 lines

Security Audit

Also verified that no other built-in tools (e.g., cron_tools.py) have similar session injection vulnerabilities.

Closes #7822

Summary by Sourcery

Restrict the send_message_to_user tool to only send messages to the current user session to address a security vulnerability.

Bug Fixes:

  • Fix a security issue where send_message_to_user could be used to send messages to arbitrary sessions by removing the user-controlled session parameter and always targeting the current session.

Documentation:

  • Clarify the send_message_to_user tool description to state that it only sends messages to the current user's session and cannot target other sessions.

…ssion only

Closes AstrBotDevs#7822

SECURITY: Remove the user-controlled 'session' parameter from the
send_message_to_user tool. Previously, a regular user could ask the
LLM to send messages to any arbitrary session (group chat) by
providing a crafted session string, which is a high-risk
vulnerability.

Changes:
- Remove 'session' parameter from tool schema (LLM can no longer
  propose it)
- Always use context.context.event.unified_msg_origin as the target
  session
- Update description to clearly state that messages can only be sent
  to the current user's session
@auto-assign auto-assign Bot requested review from advent259141 and anka-afk April 26, 2026 18:16
@dosubot dosubot Bot added size:S This PR changes 10-29 lines, ignoring generated files. area:core The bug / feature is about astrbot's core, backend labels Apr 26, 2026

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've left some high level feedback:

  • Consider adding a guard for context.context.event.unified_msg_origin being None or missing so the tool fails explicitly instead of passing an invalid session downstream in non-interactive contexts (e.g., cron-like triggers).
  • The description still suggests use in cron-job-like scenarios; if such jobs don’t naturally have a unified_msg_origin, it may be worth clarifying how/if this tool can be used there now that the session is hardcoded to the triggering user.


@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request addresses a security vulnerability in the SendMessageToUserTool by removing the optional session parameter, ensuring messages are only sent to the current user's session. The tool's description and logic were updated to enforce this restriction. Feedback suggests adding a validation check to handle cases where the session origin might be unavailable, providing a clearer error message.

Comment thread astrbot/core/tools/message_tools.py Outdated
AstrBot and others added 2 commits April 29, 2026 00:01
- Re-add the  parameter removed in the original PR
- Non-admin users can only send to their own session (current_session)
- Admin users can send to any session via the  param
- Uses  from computer_tools.util (same pattern as fs.py)
- Ref: AstrBotDevs#7822

Co-authored-by: Soulter <soulter@astrbot.app>
@Soulter Soulter merged commit 8f356b8 into AstrBotDevs:master Apr 28, 2026
21 checks passed
LIghtJUNction pushed a commit that referenced this pull request Apr 28, 2026
…ix #7822) (#7824)

* fix(core): security fix - restrict send_message_to_user to current session only

Closes #7822

SECURITY: Remove the user-controlled 'session' parameter from the
send_message_to_user tool. Previously, a regular user could ask the
LLM to send messages to any arbitrary session (group chat) by
providing a crafted session string, which is a high-risk
vulnerability.

Changes:
- Remove 'session' parameter from tool schema (LLM can no longer
  propose it)
- Always use context.context.event.unified_msg_origin as the target
  session
- Update description to clearly state that messages can only be sent
  to the current user's session

* fix: restore session param but restrict to admin only

- Re-add the  parameter removed in the original PR
- Non-admin users can only send to their own session (current_session)
- Admin users can send to any session via the  param
- Uses  from computer_tools.util (same pattern as fs.py)
- Ref: #7822

Co-authored-by: Soulter <soulter@astrbot.app>

* Update message_tools.py

---------

Co-authored-by: AstrBot <bot@astrbot.app>
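
The three behaviours this PR passes through (the original tool, the first commit's current-session-only rule with the guard suggested in review, and the follow-up commit's admin gate), as an added sketch that is not AstrBot's code. `Event`, `sender_is_admin`, `SessionError` and the `target_*` functions are hypothetical stand-ins; only `unified_msg_origin` and the `session` argument come from the page.

```python
from dataclasses import dataclass
from typing import Optional


class SessionError(Exception):
    """No safe target session could be determined."""


@dataclass
class Event:
    # Hypothetical stand-in for the framework event object.
    unified_msg_origin: Optional[str]  # session the request came from
    sender_is_admin: bool = False      # assumed set by the platform, never by the LLM


def target_before_fix(event: Event, args: dict) -> Optional[str]:
    # Pre-fix behaviour as the PR describes it: a 'session' tool argument,
    # which the LLM fills in from user text, overrides the current session.
    return args.get("session") or event.unified_msg_origin


def target_current_only(event: Event, args: dict) -> str:
    # First commit: tool arguments never influence the target.
    if not event.unified_msg_origin:
        # Guard suggested in review: fail explicitly in non-interactive contexts.
        raise SessionError("no current session on this event")
    return event.unified_msg_origin


def target_admin_gated(event: Event, args: dict) -> str:
    # Follow-up commit: 'session' is honoured only for admins.
    requested = args.get("session")
    if requested and requested != event.unified_msg_origin:
        if not event.sender_is_admin:
            # Assumption: refuse rather than silently redirect.
            raise SessionError("only admins may target another session")
        return requested
    return target_current_only(event, args)


if __name__ == "__main__":
    # Constructed sample values, not taken from the PR.
    user = Event("ExampleBot:FriendMessage:2222")
    injected = {"session": "ExampleBot:GroupMessage:1111"}
    print("before fix  :", target_before_fix(user, injected))
    print("current only:", target_current_only(user, injected))
```

The authorization decision depends only on fields of the event, which the model cannot write; the tool argument is treated as a request that may be refused.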