security: validate tool_use_id path component; drop --reload in network mode #50
Open
nithiink wants to merge 1 commit into
…network mode

Daily security review fixes (see issue #49):

- L1: tool_use_id is interpolated into decisions/<id>.json and reaches open()/os.remove()/os.replace(), but — unlike session_id/handle — it was never validated. Add safe_id() (same charset/length as _SESSION_ID_RE) in the hook helper and a matching guard on the runner's write side so a malformed id can't escape the decisions/ dir.
- L2: run-network.sh (0.0.0.0 bind) no longer enables uvicorn --reload; the autoreloader's file-watcher/child-process supervisor is needless attack surface on a LAN-reachable service.

The Medium DNS-rebinding finding (M1) is left for manual attention — a Host allowlist (TrustedHostMiddleware) needs care to keep legitimate LAN access working in network mode.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0186kFkxiLCUPEb8B7uSxNWs
Fixes the auto-fixable findings from the daily security review (#49).

### Fixes

**L1 — `tool_use_id` validated before use as a filesystem path component**

`tool_use_id` is interpolated into `decisions/<id>.json` and reaches `open()`, `os.remove()`, and `os.replace()`, but — unlike `session_id`/`handle` (validated via `_SESSION_ID_RE`) — it had no validation, so a traversal value could escape the `decisions/` dir.

- `backend/tmux_hooks/_common.py` — add `safe_id()` (same charset/length bound as `validate_session_id`) and use it in `decision_path()`.
- `backend/tmux_runner.py` — apply the matching guard on the runner's write side (`os.replace` path).

**L2 — `--reload` removed from the network-exposed run script**

- `backend/run-network.sh` — the `0.0.0.0`-bound mode no longer enables uvicorn `--reload`; the autoreloader's file-watcher/child-process supervisor is needless attack surface on a LAN-reachable service (and turns any writable-code scenario into reload-triggered RCE). The localhost `run.sh` is unchanged.

### Left for manual attention (NOT in this PR)

**M1 (Medium) — DNS-rebinding can reach the command-executing API in the default tokenless mode**

There is no Host-header validation anywhere, so a DNS-rebinding attack (and any co-resident localhost web app) can satisfy both the proxy's same-origin check and the backend's loopback trust. The fix — a `Host` allowlist via Starlette `TrustedHostMiddleware` and/or a check in `blockCrossSite()` — needs design care so legitimate LAN access in network mode (`192.168.x.x` / hostname) keeps working (suggest a `VC_ALLOWED_HOSTS` env knob). Deliberately left out so it can be reviewed deliberately.

### Verification

- `python -m py_compile` passes on both edited Python files.
- `bash -n` passes on `run-network.sh`.

Fixes #49 (L1, L2). M1 tracked in #49 for manual follow-up.

Generated by Claude Code
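As an added illustration of the two checks this PR describes (example code, not the PR's own diff): a `safe_id()` that bounds the charset and length of `tool_use_id` before it becomes a path component, a `decision_path()` that additionally confirms the resolved path stays inside the decisions directory, and a sketch of the `Host` allowlist the M1 note leaves for follow-up. The regex (the PR says `safe_id()` mirrors `_SESSION_ID_RE` but does not print that pattern), the `decisions/` base directory, and the comma-separated format of the suggested `VC_ALLOWED_HOSTS` knob are all assumptions.

```python
import os
import re

# ASSUMPTION: the PR does not show _SESSION_ID_RE; this stand-in allows only
# URL-safe characters and bounds the length, so no '.', '/', '\\' or NUL can
# ever reach a path built from the id.
_SAFE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# ASSUMPTION: location of the decisions directory used by decision_path().
DECISIONS_DIR = os.path.abspath("decisions")


def safe_id(value: str) -> str:
    """Return `value` unchanged if it is a safe single path component, else raise ValueError."""
    if not isinstance(value, str) or not _SAFE_ID_RE.fullmatch(value):
        raise ValueError(f"invalid id: {value!r}")
    return value


def is_safe_id(value: str) -> bool:
    """Boolean convenience wrapper around safe_id() for callers that prefer not to catch."""
    try:
        safe_id(value)
        return True
    except ValueError:
        return False


def decision_path(tool_use_id: str, base_dir: str = DECISIONS_DIR) -> str:
    """Build <base_dir>/<id>.json and guarantee the result cannot leave base_dir.

    The charset check alone already rules out traversal; the containment check
    is a second, independent guard so a future loosening of the regex cannot
    silently reintroduce an escape.
    """
    path = os.path.join(base_dir, f"{safe_id(tool_use_id)}.json")
    real_base = os.path.realpath(base_dir)
    if os.path.commonpath([real_base, os.path.realpath(path)]) != real_base:
        raise ValueError("decision path escaped base directory")
    return path


def host_allowed(host_header: str, allowed_hosts: str) -> bool:
    """Sketch of a Host allowlist check (ASSUMED shape; the PR only outlines it).

    `allowed_hosts` is a comma-separated list in the style of the suggested
    VC_ALLOWED_HOSTS knob, e.g. "localhost,127.0.0.1,192.168.1.20". The port is
    stripped before comparison so "192.168.1.20:8000" matches "192.168.1.20";
    a bracketed IPv6 literal keeps its brackets. An empty or unknown Host fails
    closed, which is what defeats DNS rebinding: the rebound name is not listed.
    """
    host = host_header.strip().lower()
    if host.startswith("["):               # "[::1]:8000" -> "[::1]"
        host = host.split("]")[0] + "]"
    else:                                  # "192.168.1.20:8000" -> "192.168.1.20"
        host = host.split(":")[0]
    allowed = {h.strip().lower() for h in allowed_hosts.split(",") if h.strip()}
    return host in allowed


if __name__ == "__main__":
    # Constructed sample ids: one well-formed, the rest malformed in different ways.
    for candidate in ["toolu_01AbC-xyz", "../../etc/passwd", "a/b", "..", "", "x" * 65]:
        print(f"{candidate[:20]!r:>24} -> safe={is_safe_id(candidate)}")
    print(decision_path("toolu_01AbC-xyz", "/tmp/decisions"))
    print(host_allowed("192.168.1.20:8000", "localhost,127.0.0.1,192.168.1.20"))
    print(host_allowed("attacker.example:8000", "localhost,127.0.0.1,192.168.1.20"))
```

The `host_allowed()` sketch deliberately compares exact names rather than prefixes; the design question the M1 note raises (which LAN names and addresses to list so network mode keeps working) is an operator decision that a configurable allowlist leaves to the deployment rather than hard-coding.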