Skip to content

Pre-launch security: entity image-page host-allowlist (F-1) + prototype-path guard (F-2)#66

Merged
keyxmakerx merged 1 commit into
mainfrom
claude/gallant-johnson-kd574n
Jun 21, 2026
Merged

Pre-launch security: entity image-page host-allowlist (F-1) + prototype-path guard (F-2)#66
keyxmakerx merged 1 commit into
mainfrom
claude/gallant-johnson-kd574n

Conversation

@keyxmakerx

Copy link
Copy Markdown
Owner

Cites: 2026-05-21-core-tenets §T-B1 (security first)
Security implication: closes F-1 — the entity image-page src bypassed the image host-allowlist (same IP/referer exfil class as #56), + F-2 prototype-path guard.

What this changes

  • F-1 (security): journal-sync.mjs now routes the entity Image journal-page src through the same host-allowlist (_isAllowedImageHost + apiUrl prefixing) that map-sync already uses — a tampered entity.image_path can no longer make a player fetch from an attacker host. + a CI pin so a new image sink can't silently regress it.
  • F-2: actor-sync._setNestedValue rejects __proto__/prototype/constructor path segments (prototype-pollution guard on the manifest-driven adapter).
  • Doc banners: PLAN.md + API.md marked superseded.

Why

Pre-launch Foundry-module security audit — F-1 was the one real gap (the host-allowlist #56 established everywhere else, missed on the entity-journal path).

Test plan

  • node --test tools/test-url-validation.mjs — 32/32 (20 existing + 12 new)
  • CI confirms

🤖 Generated with Claude Code

https://claude.ai/code/session_01Y14Y6VXb7iB2xcNrYNDJa5


Generated by Claude Code

…rd (F-2)

F-1: Route entity.image_path through _resolveEntityImageSrc in
journal-sync.mjs, mirroring the validated path map-sync._mapImageSrc
already uses. Full http(s) URLs are gated on _isAllowedImageHost
(scheme+hostname must match apiUrl); mismatches drop to empty src +
_describeRejection warn. Relative /media/ paths are prefixed with apiUrl.
Closes the entity-journal IP/referer exfil class identical to PR #56.

F-2: Add PROTO_BLOCKED guard to _setNestedValue in actor-sync.mjs,
rejecting __proto__, prototype, and constructor path segments before
any object traversal.

CI pins: extend tools/test-url-validation.mjs with static-source
assertions for journal-sync.mjs (import + no bare entity.image_path
sink + _resolveEntityImageSrc body check) and behavioral unit tests
for the F-2 prototype guard. All 32 node --test checks green.

Docs: mark PLAN.md superseded by current JournalEntry/MapViewerSheet
architecture; mark API.md superseded by API-CONTRACT.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Y14Y6VXb7iB2xcNrYNDJa5
@keyxmakerx keyxmakerx merged commit d7fa2cb into main Jun 21, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants