
fix(security): truncate SecretRequest.reason in confirmation prompt #1482

Merged
bug-ops merged 2 commits into main from secret-reason-truncate
Mar 9, 2026

Conversation

@bug-ops
Owner

@bug-ops bug-ops commented Mar 9, 2026

Summary

  • Embeds SecretRequest.reason via text::truncate_to_chars(r, 200) instead of verbatim in the user-facing confirmation prompt
  • Prevents a malicious sub-agent from supplying an arbitrarily long reason string and flooding the terminal or Telegram message
  • Identified as SEC-M34-003 in the security audit of Wire DagScheduler execution into /plan confirm flow #1434

Changes

  • crates/zeph-core/src/agent/mod.rs: use crate::text::truncate_to_chars(r, 200) in process_pending_secret_requests()
  • 5 unit tests added: ASCII short/exact/over-limit, multi-byte UTF-8 (Cyrillic), and None reason cases
  • CHANGELOG.md: entry added to [Unreleased] ### Fixed

Follow-up

Closes #1456

…1456)

Embed reason via `text::truncate_to_chars(r, 200)` instead of verbatim
to prevent a malicious sub-agent from flooding the terminal or Telegram
message with an arbitrarily long reason string.

Adds 5 unit tests covering ASCII, exact boundary, over-limit, multi-byte
UTF-8 (Cyrillic), and None reason cases.

Closes #1456
@github-actions github-actions bot added labels Mar 9, 2026: documentation (Improvements or additions to documentation), rust (Rust code changes), bug (Something isn't working), core (zeph-core crate), size/M (Medium PR (51-200 lines))
@bug-ops bug-ops enabled auto-merge (squash) March 9, 2026 20:12
@bug-ops bug-ops merged commit d66e9af into main Mar 9, 2026
18 checks passed
@bug-ops bug-ops deleted the secret-reason-truncate branch March 9, 2026 20:18
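
The truncation described in this PR, as an added example that is not code from the PR or from zeph-core: it cuts a reason string at 200 characters on a char boundary and covers the same cases the PR's tests list. The names `clip_chars` and `confirmation_prompt` and the prompt wording are assumptions made for this example; the project's `text::truncate_to_chars` may differ in signature or behaviour.

```rust
// Added illustration; not the zeph-core implementation.
const REASON_MAX_CHARS: usize = 200; // limit taken from the PR description

/// Return the longest prefix of `s` holding at most `max` Unicode scalar values.
/// The cut lands on a char boundary, so multi-byte text is never split
/// mid-codepoint (a byte slice such as `&s[..max]` would panic there).
fn clip_chars(s: &str, max: usize) -> &str {
    match s.char_indices().nth(max) {
        // Byte offset of the first char past the limit: cut just before it.
        Some((byte_idx, _)) => &s[..byte_idx],
        // Fewer than or exactly `max` chars: nothing to cut.
        None => s,
    }
}

/// Hypothetical prompt builder; the wording is constructed for this example.
/// The sub-agent-supplied reason is clipped before it reaches the user.
fn confirmation_prompt(secret_key: &str, reason: Option<&str>) -> String {
    match reason {
        Some(r) => format!(
            "Sub-agent requests secret '{}'. Reason: {}. Allow? [y/n]",
            secret_key,
            clip_chars(r, REASON_MAX_CHARS)
        ),
        None => format!("Sub-agent requests secret '{}'. Allow? [y/n]", secret_key),
    }
}

fn main() {
    // Constructed inputs mirroring the cases named in the PR's test list.
    let over_limit = "a".repeat(5_000);
    let cyrillic = "ж".repeat(300); // 2 bytes per char in UTF-8
    println!("{}", confirmation_prompt("API_KEY", Some("deploy step")));
    println!("{}", confirmation_prompt("API_KEY", Some(&over_limit)).len());
    println!("{}", clip_chars(&cyrillic, REASON_MAX_CHARS).len());
    println!("{}", confirmation_prompt("API_KEY", None));
}
```

The limit counts Unicode scalar values, not bytes or rendered width, so a 200-character Cyrillic reason still occupies 400 bytes.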

Development

Successfully merging this pull request may close these issues.

sec(orchestration): truncate SecretRequest.reason before displaying to user
