CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-06 05:35:46 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): IPv6 ULA blocking, cookie redaction, per-tab cancel, targeted token (#664)

Browse Source 
Community PR #664 by @mr-k-man (security audit round 1, new parts only).

- IPv6 ULA prefix blocking (fc00::/7) in url-validation.ts with false-positive
  guard for hostnames like fd.example.com
- Cookie value redaction for tokens, API keys, JWTs in browse cookies command
- Per-tab cancel files in killAgent() replacing broken global kill-signal
- design/serve.ts: realpathSync upgrade prevents symlink bypass in /api/reload
- extension: targeted getToken handler replaces token-in-health-broadcast
- Supabase migration 003: column-level GRANT restricts anon UPDATE scope
- Telemetry sync: upsert error logging
- 10 new tests for IPv6, cookie redaction, DNS rebinding, path traversal

Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-05 22:58:06 -07:00
parent 5bd05c9e0f
commit c151fabfca
12 changed files with 363 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
design/src/serve.ts
+11 -7
View File
@@ -55,6 +55,10 @@ export async function serve(options: ServeOptions): Promise<void> {
process.exit(1);
}
// Security: anchor all file reads to the initial HTML's directory.
// Prevents /api/reload from reading arbitrary files via path traversal.
const allowedDir = fs.realpathSync(path.dirname(path.resolve(html)));
let htmlContent = fs.readFileSync(html, "utf-8");
let state: ServerState = "serving";
let timeoutTimer: ReturnType<typeof setTimeout> | null = null;
@@ -185,19 +189,19 @@ export async function serve(options: ServeOptions): Promise<void> {
);
}
// Validate path is within cwd or temp directory
const resolved = path.resolve(newHtmlPath);
const safeDirs = [process.cwd(), os.tmpdir()];
const isSafe = safeDirs.some(dir => resolved.startsWith(dir + path.sep) || resolved === dir);
if (!isSafe) {
// Security: resolve symlinks and validate the reload path is within the
// allowed directory (anchored to the initial HTML file's parent).
// Prevents path traversal via /api/reload reading arbitrary files.
const resolvedReload = fs.realpathSync(path.resolve(newHtmlPath));
if (!resolvedReload.startsWith(allowedDir + path.sep) && resolvedReload !== allowedDir) {
return Response.json(
{ error: `Path must be within working directory or temp` },
{ error: `Path must be within: ${allowedDir}` },
{ status: 403 }
);
}
// Swap the HTML content
htmlContent = fs.readFileSync(newHtmlPath, "utf-8");
htmlContent = fs.readFileSync(resolvedReload, "utf-8");
state = "serving";
console.error(`SERVE_RELOADED: html=${newHtmlPath}`);
design/test/serve.test.ts
+97
View File
@@ -274,6 +274,103 @@ describe('Serve HTTP endpoints', () => {
});
});
// ─── Path traversal protection in /api/reload ─────────────────────
describe('Serve /api/reload — path traversal protection', () => {
let server: ReturnType<typeof Bun.serve>;
let baseUrl: string;
let htmlContent: string;
let allowedDir: string;
beforeAll(() => {
// Production-equivalent allowedDir anchored to tmpDir
allowedDir = fs.realpathSync(tmpDir);
htmlContent = fs.readFileSync(boardHtml, 'utf-8');
// This server mirrors the production serve() with the path validation fix
server = Bun.serve({
port: 0,
fetch(req) {
const url = new URL(req.url);
if (req.method === 'GET' && url.pathname === '/') {
return new Response(htmlContent, {
headers: { 'Content-Type': 'text/html; charset=utf-8' },
});
}
if (req.method === 'POST' && url.pathname === '/api/reload') {
return (async () => {
let body: any;
try { body = await req.json(); } catch { return Response.json({ error: 'Invalid JSON' }, { status: 400 }); }
if (!body.html || !fs.existsSync(body.html)) {
return Response.json({ error: `HTML file not found: ${body.html}` }, { status: 400 });
}
// Production path validation — same as design/src/serve.ts
const resolvedReload = fs.realpathSync(path.resolve(body.html));
if (!resolvedReload.startsWith(allowedDir + path.sep) && resolvedReload !== allowedDir) {
return Response.json({ error: `Path must be within: ${allowedDir}` }, { status: 403 });
}
htmlContent = fs.readFileSync(resolvedReload, 'utf-8');
return Response.json({ reloaded: true });
})();
}
return new Response('Not found', { status: 404 });
},
});
baseUrl = `http://localhost:${server.port}`;
});
afterAll(() => {
server.stop();
});
test('blocks reload with path outside allowed directory', async () => {
const res = await fetch(`${baseUrl}/api/reload`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ html: '/etc/passwd' }),
});
expect(res.status).toBe(403);
const data = await res.json();
expect(data.error).toContain('Path must be within');
});
test('blocks reload with symlink pointing outside allowed directory', async () => {
const linkPath = path.join(tmpDir, 'evil-link.html');
try {
fs.symlinkSync('/etc/passwd', linkPath);
const res = await fetch(`${baseUrl}/api/reload`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ html: linkPath }),
});
expect(res.status).toBe(403);
} finally {
try { fs.unlinkSync(linkPath); } catch {}
}
});
test('allows reload with file inside allowed directory', async () => {
const goodPath = path.join(tmpDir, 'safe-board.html');
fs.writeFileSync(goodPath, '<html><body>Safe reload</body></html>');
const res = await fetch(`${baseUrl}/api/reload`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ html: goodPath }),
});
expect(res.status).toBe(200);
const data = await res.json();
expect(data.reloaded).toBe(true);
// Verify the new content is served
const page = await fetch(baseUrl);
expect(await page.text()).toContain('Safe reload');
});
});
// ─── Full lifecycle: regeneration round-trip ──────────────────────
describe('Full regeneration lifecycle', () => {