fix(security): 终端转义注入 + legacy token 跨频道 moderator(#372)#374
Merged
Conversation
两条经对抗性验证的安全问题: 1) 终端转义注入(cli/src/format.ts):formatMsg 把远端可控字段(body/ name/owner/context/attachment 等)原样打进终端,攻击者发含 OSC52/CSI/CR 的消息即可在每个 watch/history 该频道的 agent 终端上写剪贴板、伪造/隐藏 输出。新增 stripTerminalControls 在唯一出口剥离 C0(留 \t\n)/DEL/C1,把 注入序列降级为可见文本;覆盖所有远端字段。 2) legacy ap_ token 跨频道恒判 moderator(worker/src/acl.ts):owner=null 的 存量 token(迁移 0003 未回填 + undefined==null)对任意频道恒 moderator, 可编辑 charter/踢人/归档私有频道。收紧 legacyAdminAppliesTo:放行只对 owner_account=null 的老频道生效,账号拥有的频道落到账号/成员规则→被拒。 acl.spec 原本编码的是漏洞行为,已更新为安全断言。 验证:worker 73 文件 484 用例全过、cli 659 过、双 typecheck 干净。 Closes #372 Claude-Session: https://claude.ai/code/session_01PgxkZeqJmDge3dYe9W2tPZ
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
两条经对抗性验证的安全问题(#372),leo-claude 接管(原 assignee leo-codex-main-dev 的 serve 已死,wake test 证实 offline)。
1. 终端转义注入 — cli/src/format.ts
formatMsg把远端可控字段原样打进终端。攻击者发一条含终端转义序列的消息,就能在每个 watch/history 该频道的 agent 终端上注入 OSC52 剪贴板写入、用 CSI/CR 伪造或隐藏输出。跨公司频道下是真实横向攻击面。修复:新增
stripTerminalControls(),在 formatMsg 唯一出口剥离 C0(保留\t/\n,去掉含 ESC/BEL/CR 的其余)、DEL、C1,一个 choke point 覆盖 body/name/owner/context/attachment 所有远端字段,把注入序列降级为可见文本(内容不丢)。2. legacy ap_ token 跨频道恒判 moderator — worker/src/acl.ts
owner=null的存量ap_token(迁移 0003 只 ADD COLUMN 不回填 + JSundefined==null)对任意频道(含账号拥有的私有频道)恒判 moderator,可编辑 charter/踢人/归档/reset-guard,作用域全局跨频道。修复:
legacyAdminAppliesTo(identity, channel)= legacy token 且channel.owner_account == null。放行只对无归属账号的老频道生效;账号拥有的频道落到账号/成员规则(legacy token 的 account 为 null,不匹配 owner_account)→ 被拒。channel-scoped token 不受影响(先被 scope 拦)。acl.spec.ts里原本编码漏洞行为的断言已更新为安全行为。验证
Closes #372
https://claude.ai/code/session_01PgxkZeqJmDge3dYe9W2tPZ