feat: LORE_HOSTED_MODE — disable FS operations on client-controlled paths #333
Merged
…aths

Add a process-wide hosted mode flag (LORE_HOSTED_MODE=1 env var) that makes all filesystem operations using client-controlled paths safe no-ops. This prevents path traversal, arbitrary file read/write, and subprocess execution when the gateway runs remotely from untrusted clients.

Guard points:
- git.ts: getGitRemote() returns null (no execSync with client cwd)
- config.ts: load() skips .lore.json read, returns defaults
- agents-file.ts: all 6 public functions no-op (export/import/exists)
- lat-reader.ts: hasLatDir() and refresh() no-op
- pipeline.ts: startKnowledgeFileWatcher() returns empty cleanup fn
- pipeline.ts: enableHostedMode() called in initIfNeeded() from config

The flag is set once at startup and cannot be unset. Idle work FS ops (knowledge export, lat-reader refresh) are guarded transitively via the core no-ops.
Summary
`LORE_HOSTED_MODE=1` env var that sets a process-wide flag disabling all filesystem operations using client-controlled paths (from `X-Lore-Project` header, system prompt inference, or `/v1/compact` body)
Security Issues Addressed
When the gateway runs hosted/remotely, clients supply project paths via headers or request bodies. Without guards, these paths are used for:
- `execSync("git remote -v", { cwd: clientPath })` (`core/git.ts`)
- `readFileSync(join(clientPath, ".lore.json"))` — controls gateway config (`core/config.ts`)
- `writeFileSync`/`readFileSync` on `.lore.md` at client path (`core/agents-file.ts`)
- `writeFileSync`/`mkdirSync` on AGENTS.md at client path (`core/agents-file.ts`)
- `readdirSync` + `readFileSync` on `lat.md/` at client path (`core/lat-reader.ts`)
- `fs.watch()` on client-controlled file paths (`gateway/pipeline.ts`)
Guard Points
All guards check `isHostedMode()` at function entry, returning safe no-op values:
- `git.ts` — `getGitRemote()`: returns `null` immediately
- `config.ts` — `load()`: skips `.lore.json` read, returns defaults
- `agents-file.ts` — all 6 public functions: `exportToFile`, `shouldImport`, `importFromFile`, `loreFileExists`, `exportLoreFile`, `shouldImportLoreFile`, `importLoreFile` return `false`/`void`
- `lat-reader.ts` — `hasLatDir()` returns `false`, `refresh()` returns `0`
- `pipeline.ts` — `startKnowledgeFileWatcher()` returns empty cleanup fn
- `pipeline.ts` — `enableHostedMode()` called in `initIfNeeded()` from `GatewayConfig.hostedMode`
Idle work FS ops (knowledge export, lat-reader refresh) are guarded transitively via the core no-ops.
Design
- `packages/core/src/hosted.ts`: module-level getter/setter (same pattern as `log.ts`)
- `_resetHostedModeForTest()` exported for test isolation
- `GatewayConfig.hostedMode` populated from `LORE_HOSTED_MODE` env var via `isTruthy()`
- `lore start` debug output document the new env var
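
A sketch of the guard pattern described above, as an added example that is not the project's own code. The names `isHostedMode`, `enableHostedMode`, `_resetHostedModeForTest`, `getGitRemote` and `isTruthy` come from the PR description; their bodies, `initFromEnv`, `loadConfig`, the injected `exec`/`readFile` parameters and the accepted truthy spellings are assumptions.

```typescript
// Added sketch: function names come from the PR text, bodies are assumptions.
type Env = Record<string, string | undefined>;
type Exec = (cmd: string, cwd: string) => string; // stands in for execSync
type ReadFile = (path: string) => string;         // stands in for readFileSync

let hosted = false; // module-level state, one flag per process

function isHostedMode(): boolean { return hosted; }
// One-way latch: there is deliberately no way to turn it off at runtime.
function enableHostedMode(): void { hosted = true; }
// Test isolation only; never reachable from request handling.
function _resetHostedModeForTest(): void { hosted = false; }

// Hypothetical isTruthy(): the accepted spellings are an assumption.
function isTruthy(v: string | undefined): boolean {
  return v !== undefined && ["1", "true", "yes", "on"].indexOf(v.trim().toLowerCase()) !== -1;
}

// Startup wiring (hypothetical helper): read the env once and latch the flag.
function initFromEnv(env: Env): void {
  if (isTruthy(env["LORE_HOSTED_MODE"])) enableHostedMode();
}

// Guard at function entry: a client-supplied cwd never reaches the subprocess.
function getGitRemote(clientPath: string, exec: Exec): string | null {
  if (isHostedMode()) return null;
  try {
    const first = exec("git remote -v", clientPath).split("\n")[0] || "";
    const url = first.split(/\s+/)[1];
    return url ? url : null;
  } catch {
    return null;
  }
}

const DEFAULTS = { source: "defaults" }; // constructed placeholder config

// Guard at function entry: .lore.json under a client path is never read.
function loadConfig(clientPath: string, readFile: ReadFile): { source: string } {
  if (isHostedMode()) return { ...DEFAULTS };
  try {
    return { ...DEFAULTS, ...JSON.parse(readFile(clientPath + "/.lore.json")) };
  } catch {
    return { ...DEFAULTS };
  }
}
```

Injecting `exec` and `readFile` lets a test assert that hosted mode makes zero calls with the client path, rather than only checking that the return value is the no-op one.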