fix: security audit round 2 (v0.13.4.0)#640
Merged
Conversation
Restrict Chrome CDP to localhost by adding --remote-debugging-address=127.0.0.1 and --remote-allow-origins to prevent network-accessible debugging sessions. Clears 1 Socket anomaly (Chrome CDP session exposure). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add sender.id check and ALLOWED_TYPES allowlist to the Chrome extension's message handler. Defense-in-depth against message spoofing from external extensions or future externally_connectable changes. Clears 2 Socket anomalies (extension permissions). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace unverified curl|bash bun installation with checksum-verified download-then-execute pattern. The install script is downloaded, sha256 verified against a known hash, then executed. Preserves the Bun-native install path without adding a Node/npm dependency. Clears Snyk W012 + 3 Socket anomalies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wrap page-content commands (text, html, links, forms, accessibility, console, dialog, snapshot) with --- BEGIN/END UNTRUSTED EXTERNAL CONTENT --- markers. Covers direct commands (server.ts), chain sub-commands, and snapshot output (meta-commands.ts). Adds PAGE_CONTENT_COMMANDS set and wrapUntrustedContent() helper in commands.ts (single source of truth, DRY). Expands the SKILL.md trust warning with explicit processing rules for agents. Clears Snyk W011 (third-party content exposure). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Sanitize URLs in markers (remove newlines, cap at 200 chars) to prevent marker injection via history.pushState - Escape marker strings in content (zero-width space) so malicious pages can't forge the END marker to break out of the untrusted block - Wrap resume command snapshot with trust boundary markers - Wrap diff command output with trust boundary markers - Wrap watch stop last snapshot with trust boundary markers Found by cross-model adversarial review (Claude + Codex).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Main landed v0.13.5.0 (Factory Droid support) while this branch removes Factory Droid. Bumped to v0.13.6.0, preserved both 0.13.5.0 and 0.13.4.0 CHANGELOG entries from main history. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
E2E Evals: ✅ PASS37/37 tests passed | $3.79 total cost | 12 parallel runners
12x ubicloud-standard-2 (Docker: pre-baked toolchain + deps) | wall clock ≈ slowest suite |
Factory Droid support was removed in this branch. The .factory/ directory was re-added by merging main (which had v0.13.5.0 Factory support). Gitignore it so it stays out. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Main landed v0.13.5.1 (gitignore .factory) while this branch had v0.13.6.0. Kept v0.13.6.0 (higher), added 0.13.5.1 CHANGELOG entry from main. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Main landed v0.13.6.0 (GStack Learns) using the same version number as this branch. Bumped to v0.13.7.0, kept both CHANGELOG entries in order. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Main landed v0.13.7.0 (Community Wave) using the same version as this branch. Bumped to v0.13.8.0, kept both CHANGELOG entries in order. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security Hardening (Round 2)
text,html,links,forms,accessibility,console,dialog,snapshot,diff,resume,watch stop) now wrap output in--- BEGIN/END UNTRUSTED EXTERNAL CONTENT ---markersbin/chrome-cdppasses--remote-debugging-address=127.0.0.1and--remote-allow-originsCleanup
--host factory,.factory/skills, Factory CI checks)Test Coverage
All new code paths have test coverage (100%). Tests:
test/audit-compliance.test.tsverifies all 4 security fixes +browse/test/commands.test.tstests trust boundary wrapping in chain commands.Pre-Landing Review
No issues found.
Adversarial Review
Large-tier (3 passes: Claude structured, Claude adversarial, Codex structured). 5 FIXABLE findings addressed:
resumecommand returned unwrapped snapshotdiffcommand returned unwrapped page contentwatch stopreturned unwrapped last snapshotTODOS
No TODO items completed in this PR. ML Prompt Injection Classifier remains P0 for next PR.
Test plan
🤖 Generated with Claude Code