CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-01 19:25:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): wrap snapshot output in untrusted-content envelope

Browse Source 
The sidebar system prompt pushes the agent to run \`\$B snapshot\` as its
primary read path, but snapshot was NOT in PAGE_CONTENT_COMMANDS, so its
ARIA-name output flowed to Claude unwrapped. A malicious page's
aria-label attributes became direct agent input without the trust
boundary markers that every other read path gets.

Adding 'snapshot' to the set runs the output through
wrapUntrustedContent() like text/html/links/forms already do.

Caught by codex adversarial review.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-20 11:06:45 +08:00
parent d6084fa6c3
commit 808ce0de8e
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
browse/src/commands.ts
+5
View File
@@ -52,6 +52,11 @@ export const PAGE_CONTENT_COMMANDS = new Set([
'console', 'dialog',
'media', 'data',
'ux-audit',
// snapshot emits aria tree with attacker-controlled aria-label strings.
// The sidebar's system prompt pushes agents to run `$B snapshot` as the
// primary read path, so unwrapped snapshot output is the biggest ingress
// for indirect prompt injection. Envelope it like every other read.
'snapshot',
]);
/** Wrap output from untrusted-content commands with trust boundary markers */