fix(security): CSS injection guard, timeout clamping, session validation, tests (#806)

Community PR #806 by @mr-k-man (security audit round 2, new parts only). - CSS value validation (DANGEROUS_CSS) in cdp-inspector, write-commands, extension inspector - Queue file permissions (0o700/0o600) in cli, server, sidebar-agent - escapeRegExp for frame --url ReDoS fix - Responsive screenshot path validation with validateOutputPath - State load cookie filtering (reject localhost/.internal/metadata cookies) - Session ID format validation in loadSession - /health endpoint: remove currentUrl and currentMessage fields - QueueEntry interface + isValidQueueEntry validator for sidebar-agent - SIGTERM->SIGKILL escalation in timeout handler - Viewport dimension clamping (1-16384), wait timeout clamping (1s-300s) - Cookie domain validation in cookie-import and cookie-import-browser - DocumentFragment-based tab switching (XSS fix in sidepanel) - pollInProgress reentrancy guard for pollChat - toggleClass/injectCSS input validation in extension inspector - Snapshot annotated path validation with realpathSync - 714-line security-audit-r2.test.ts + 33-line learnings-injection.test.ts Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-07 05:56:41 +02:00 · 2026-04-05 23:26:35 -07:00
parent c151fabfca
commit dfe946fe64
14 changed files with 967 additions and 57 deletions
@@ -826,11 +826,11 @@ export class BrowserManager {
        // a tampered URL could navigate to cloud metadata endpoints or file:// URIs.
        try {
          await validateNavigationUrl(saved.url);
-          await page.goto(saved.url, { waitUntil: 'domcontentloaded', timeout: 15000 }).catch(() => {});
-        } catch {
-          // Invalid URL in saved state — skip navigation, leave blank page
-          console.log(`[browse] restoreState: skipping unsafe URL: ${saved.url}`);
+        } catch (err: any) {
+          console.warn(`[browse] Skipping invalid URL in state file: ${saved.url} — ${err.message}`);
+          continue;
        }
+        await page.goto(saved.url, { waitUntil: 'domcontentloaded', timeout: 15000 }).catch(() => {});
      }

      if (saved.storage) {
@@ -472,6 +472,12 @@ export async function modifyStyle(
    throw new Error(`Invalid CSS property name: ${property}. Only letters and hyphens allowed.`);
  }

+  // Validate CSS value — block data exfiltration patterns
+  const DANGEROUS_CSS = /url\s*\(|expression\s*\(|@import|javascript:|data:/i;
+  if (DANGEROUS_CSS.test(value)) {
+    throw new Error('CSS value rejected: contains potentially dangerous pattern.');
+  }
+
  let oldValue = '';
  let source = 'inline';
  let sourceLine = 0;
@@ -588,7 +588,10 @@ Refs:           After 'snapshot', use @e1, @e2... as selectors:
        }
        // Clear old agent queue
        const agentQueue = path.join(process.env.HOME || '/tmp', '.gstack', 'sidebar-agent-queue.jsonl');
-        try { fs.writeFileSync(agentQueue, ''); } catch {}
+        try {
+          fs.mkdirSync(path.dirname(agentQueue), { recursive: true, mode: 0o700 });
+          fs.writeFileSync(agentQueue, '', { mode: 0o600 });
+        } catch {}

        // Resolve browse binary path the same way — execPath-relative
        let browseBin = path.resolve(__dirname, '..', 'dist', 'browse');
@@ -44,6 +44,11 @@ export function validateOutputPath(filePath: string): void {
  }
 }

+/** Escape special regex metacharacters in a user-supplied string to prevent ReDoS. */
+export function escapeRegExp(s: string): string {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 /** Tokenize a pipe segment respecting double-quoted strings. */
 function tokenizePipeSegment(segment: string): string[] {
  const tokens: string[] = [];
@@ -214,9 +219,10 @@ export async function handleMetaCommand(

      for (const vp of viewports) {
        await page.setViewportSize({ width: vp.width, height: vp.height });
-        const path = `${prefix}-${vp.name}.png`;
-        await page.screenshot({ path, fullPage: true });
-        results.push(`${vp.name} (${vp.width}x${vp.height}): ${path}`);
+        const screenshotPath = `${prefix}-${vp.name}.png`;
+        validateOutputPath(screenshotPath);
+        await page.screenshot({ path: screenshotPath, fullPage: true });
+        results.push(`${vp.name} (${vp.width}x${vp.height}): ${screenshotPath}`);
      }

      // Restore original viewport
@@ -257,7 +263,11 @@ export async function handleMetaCommand(
        try {
          let result: string;
          if (WRITE_COMMANDS.has(name)) {
-            result = await handleWriteCommand(name, cmdArgs, bm);
+            if (bm.isWatching()) {
+              result = 'BLOCKED: write commands disabled in watch mode';
+            } else {
+              result = await handleWriteCommand(name, cmdArgs, bm);
+            }
            lastWasWrite = true;
          } else if (READ_COMMANDS.has(name)) {
            result = await handleReadCommand(name, cmdArgs, bm);
@@ -462,8 +472,8 @@ export async function handleMetaCommand(

      for (const msg of messages) {
        const ts = msg.timestamp ? `[${msg.timestamp}]` : '[unknown]';
-        lines.push(`${ts} ${msg.url}`);
-        lines.push(`  "${msg.userMessage}"`);
+        lines.push(`${ts} ${wrapUntrustedContent(msg.url, 'inbox-url')}`);
+        lines.push(`  "${wrapUntrustedContent(msg.userMessage, 'inbox-message')}"`);
        lines.push('');
      }

@@ -514,6 +524,18 @@ export async function handleMetaCommand(
        if (!Array.isArray(data.cookies) || !Array.isArray(data.pages)) {
          throw new Error('Invalid state file: expected cookies and pages arrays');
        }
+        // Validate and filter cookies — reject malformed or internal-network cookies
+        const validatedCookies = data.cookies.filter((c: any) => {
+          if (typeof c !== 'object' || !c) return false;
+          if (typeof c.name !== 'string' || typeof c.value !== 'string') return false;
+          if (typeof c.domain !== 'string' || !c.domain) return false;
+          const d = c.domain.startsWith('.') ? c.domain.slice(1) : c.domain;
+          if (d === 'localhost' || d.endsWith('.internal') || d === '169.254.169.254') return false;
+          return true;
+        });
+        if (validatedCookies.length < data.cookies.length) {
+          console.warn(`[browse] Filtered ${data.cookies.length - validatedCookies.length} invalid cookies from state file`);
+        }
        // Warn on state files older than 7 days
        if (data.savedAt) {
          const ageMs = Date.now() - new Date(data.savedAt).getTime();
@@ -526,7 +548,7 @@ export async function handleMetaCommand(
        bm.setFrame(null);
        await bm.closeAllPages();
        await bm.restoreState({
-          cookies: data.cookies,
+          cookies: validatedCookies,
          pages: data.pages.map((p: any) => ({ ...p, storage: null })),
        });
        return `State loaded: ${data.cookies.length} cookies, ${data.pages.length} pages`;
@@ -554,7 +576,7 @@ export async function handleMetaCommand(
        frame = page.frame({ name: args[1] });
      } else if (target === '--url') {
        if (!args[1]) throw new Error('Usage: frame --url <pattern>');
-        frame = page.frame({ url: new RegExp(args[1]) });
+        frame = page.frame({ url: new RegExp(escapeRegExp(args[1])) });
      } else {
        // CSS selector or @ref for the iframe element
        const resolved = await bm.resolveRef(target);
@@ -282,6 +282,10 @@ function loadSession(): SidebarSession | null {
  try {
    const activeFile = path.join(SESSIONS_DIR, 'active.json');
    const activeData = JSON.parse(fs.readFileSync(activeFile, 'utf-8'));
+    if (typeof activeData.id !== 'string' || !/^[a-zA-Z0-9_-]+$/.test(activeData.id)) {
+      console.warn('[browse] Invalid session ID in active.json — ignoring');
+      return null;
+    }
    const sessionFile = path.join(SESSIONS_DIR, activeData.id, 'session.json');
    const session = JSON.parse(fs.readFileSync(sessionFile, 'utf-8')) as SidebarSession;
    // Validate worktree still exists — crash may have left stale path
@@ -560,6 +564,7 @@ function spawnClaude(userMessage: string, extensionUrl?: string | null, forTabId
  try {
    fs.mkdirSync(gstackDir, { recursive: true, mode: 0o700 });
    fs.appendFileSync(agentQueue, entry + '\n');
+    try { fs.chmodSync(agentQueue, 0o600); } catch {}
  } catch (err: any) {
    addChatEntry({ ts: new Date().toISOString(), role: 'agent', type: 'agent_error', error: `Failed to queue: ${err.message}` });
    agentStatus = 'idle';
@@ -1117,7 +1122,6 @@ async function start() {
          mode: browserManager.getConnectionMode(),
          uptime: Math.floor((Date.now() - startTime) / 1000),
          tabs: browserManager.getTabCount(),
-          currentUrl: browserManager.getCurrentUrl(),
          // Auth token for extension bootstrap. Safe: /health is localhost-only.
          // Previously served unconditionally, but that leaks the token if the
          // server is tunneled to the internet (ngrok, SSH tunnel).
@@ -1130,7 +1134,6 @@ async function start() {
          agent: {
            status: agentStatus,
            runningFor: agentStartTime ? Date.now() - agentStartTime : null,
-            currentMessage,
            queueLength: messageQueue.length,
          },
          session: sidebarSession ? { id: sidebarSession.id, name: sidebarSession.name } : null,
@@ -1251,9 +1254,10 @@ async function start() {
        }
        try {
          // Sync active tab from Chrome extension — detects manual tab switches
-          const activeUrl = url.searchParams.get('activeUrl');
-          if (activeUrl) {
-            browserManager.syncActiveTabByUrl(activeUrl);
+          const rawActiveUrl = url.searchParams.get('activeUrl');
+          const sanitizedActiveUrl = sanitizeExtensionUrl(rawActiveUrl);
+          if (sanitizedActiveUrl) {
+            browserManager.syncActiveTabByUrl(sanitizedActiveUrl);
          }
          const tabs = await browserManager.getTabListWithTitles();
          return new Response(JSON.stringify({ tabs }), {
@@ -1322,11 +1326,12 @@ async function start() {
        // The Chrome extension sends the active tab's URL — prefer it over
        // Playwright's page.url() which can be stale in headed mode when
        // the user navigates manually.
-        const extensionUrl = body.activeTabUrl || null;
+        const rawExtensionUrl = body.activeTabUrl || null;
+        const sanitizedExtUrl = sanitizeExtensionUrl(rawExtensionUrl);
        // Sync active tab BEFORE reading the ID — the user may have switched
        // tabs manually and the server's activeTabId is stale.
-        if (extensionUrl) {
-          browserManager.syncActiveTabByUrl(extensionUrl);
+        if (sanitizedExtUrl) {
+          browserManager.syncActiveTabByUrl(sanitizedExtUrl);
        }
        const msgTabId = browserManager?.getActiveTabId?.() ?? 0;
        const ts = new Date().toISOString();
@@ -1336,12 +1341,12 @@ async function start() {
        // Per-tab agent: each tab can run its own agent concurrently
        const tabState = getTabAgent(msgTabId);
        if (tabState.status === 'idle') {
-          spawnClaude(msg, extensionUrl, msgTabId);
+          spawnClaude(msg, sanitizedExtUrl, msgTabId);
          return new Response(JSON.stringify({ ok: true, processing: true }), {
            status: 200, headers: { 'Content-Type': 'application/json' },
          });
        } else if (tabState.queue.length < MAX_QUEUE) {
-          tabState.queue.push({ message: msg, ts, extensionUrl });
+          tabState.queue.push({ message: msg, ts, extensionUrl: sanitizedExtUrl });
          return new Response(JSON.stringify({ ok: true, queued: true, position: tabState.queue.length }), {
            status: 200, headers: { 'Content-Type': 'application/json' },
          });
@@ -25,6 +25,38 @@ function cancelFileForTab(tabId: number): string {
  return path.join(CANCEL_DIR, `sidebar-agent-cancel-${tabId}`);
 }

+interface QueueEntry {
+  prompt: string;
+  args?: string[];
+  stateFile?: string;
+  cwd?: string;
+  tabId?: number | null;
+  message?: string | null;
+  pageUrl?: string | null;
+  sessionId?: string | null;
+  ts?: string;
+}
+
+function isValidQueueEntry(e: unknown): e is QueueEntry {
+  if (typeof e !== 'object' || e === null) return false;
+  const obj = e as Record<string, unknown>;
+  if (typeof obj.prompt !== 'string' || obj.prompt.length === 0) return false;
+  if (obj.args !== undefined && (!Array.isArray(obj.args) || !obj.args.every(a => typeof a === 'string'))) return false;
+  if (obj.stateFile !== undefined) {
+    if (typeof obj.stateFile !== 'string') return false;
+    if (obj.stateFile.includes('..')) return false;
+  }
+  if (obj.cwd !== undefined) {
+    if (typeof obj.cwd !== 'string') return false;
+    if (obj.cwd.includes('..')) return false;
+  }
+  if (obj.tabId !== undefined && obj.tabId !== null && typeof obj.tabId !== 'number') return false;
+  if (obj.message !== undefined && obj.message !== null && typeof obj.message !== 'string') return false;
+  if (obj.pageUrl !== undefined && obj.pageUrl !== null && typeof obj.pageUrl !== 'string') return false;
+  if (obj.sessionId !== undefined && obj.sessionId !== null && typeof obj.sessionId !== 'string') return false;
+  return true;
+}
+
 let lastLine = 0;
 let authToken: string | null = null;
 // Per-tab processing — each tab can run its own agent concurrently
@@ -234,7 +266,7 @@ async function handleStreamEvent(event: any, tabId?: number): Promise<void> {
  }
 }

-async function askClaude(queueEntry: any): Promise<void> {
+async function askClaude(queueEntry: QueueEntry): Promise<void> {
  const { prompt, args, stateFile, cwd, tabId } = queueEntry;
  const tid = tabId ?? 0;

@@ -350,9 +382,10 @@ async function askClaude(queueEntry: any): Promise<void> {
    // Timeout (default 300s / 5 min — multi-page tasks need time)
    const timeoutMs = parseInt(process.env.SIDEBAR_AGENT_TIMEOUT || '300000', 10);
    setTimeout(() => {
-      try { proc.kill(); } catch (killErr: any) {
+      try { proc.kill('SIGTERM'); } catch (killErr: any) {
        console.warn(`[sidebar-agent] Tab ${tid}: Failed to kill timed-out process:`, killErr.message);
      }
+      setTimeout(() => { try { proc.kill('SIGKILL'); } catch {} }, 3000);
      const timeoutMsg = stderrBuffer.trim()
        ? `Timed out after ${timeoutMs / 1000}s\nstderr: ${stderrBuffer.trim().slice(-500)}`
        : `Timed out after ${timeoutMs / 1000}s`;
@@ -394,12 +427,16 @@ async function poll() {
    const line = readLine(lastLine);
    if (!line) continue;

-    let entry: any;
-    try { entry = JSON.parse(line); } catch (err: any) {
+    let parsed: unknown;
+    try { parsed = JSON.parse(line); } catch (err: any) {
      console.warn(`[sidebar-agent] Skipping malformed queue entry at line ${lastLine}:`, line.slice(0, 80), err.message);
      continue;
    }
-    if (!entry.message && !entry.prompt) continue;
+    if (!isValidQueueEntry(parsed)) {
+      console.warn(`[sidebar-agent] Skipping invalid queue entry at line ${lastLine}: failed schema validation`);
+      continue;
+    }
+    const entry = parsed;

    const tid = entry.tabId ?? 0;
    // Skip if this tab already has an agent running — server queues per-tab
@@ -443,6 +480,7 @@ async function main() {
  const dir = path.dirname(QUEUE);
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  if (!fs.existsSync(QUEUE)) fs.writeFileSync(QUEUE, '', { mode: 0o600 });
+  try { fs.chmodSync(QUEUE, 0o600); } catch {}

  lastLine = countLines();
  await refreshToken();
@@ -313,11 +313,32 @@ export async function handleSnapshot(
  // ─── Annotated screenshot (-a) ────────────────────────────
  if (opts.annotate) {
    const screenshotPath = opts.outputPath || `${TEMP_DIR}/browse-annotated.png`;
-    // Validate output path (consistent with screenshot/pdf/responsive)
-    const resolvedPath = require('path').resolve(screenshotPath);
-    const safeDirs = [TEMP_DIR, process.cwd()];
-    if (!safeDirs.some((dir: string) => isPathWithin(resolvedPath, dir))) {
-      throw new Error(`Path must be within: ${safeDirs.join(', ')}`);
+    // Validate output path — resolve symlinks to prevent symlink traversal attacks
+    {
+      const nodePath = require('path') as typeof import('path');
+      const nodeFs = require('fs') as typeof import('fs');
+      const absolute = nodePath.resolve(screenshotPath);
+      const safeDirs = [TEMP_DIR, process.cwd()].map((d: string) => {
+        try { return nodeFs.realpathSync(d); } catch { return d; }
+      });
+      let realPath: string;
+      try {
+        realPath = nodeFs.realpathSync(absolute);
+      } catch (err: any) {
+        if (err.code === 'ENOENT') {
+          try {
+            const dir = nodeFs.realpathSync(nodePath.dirname(absolute));
+            realPath = nodePath.join(dir, nodePath.basename(absolute));
+          } catch {
+            realPath = absolute;
+          }
+        } else {
+          throw new Error(`Cannot resolve real path: ${screenshotPath} (${err.code})`);
+        }
+      }
+      if (!safeDirs.some((dir: string) => isPathWithin(realPath, dir))) {
+        throw new Error(`Path must be within: ${safeDirs.join(', ')}`);
+      }
    }
    try {
      // Inject overlay divs at each ref's bounding box
@@ -14,7 +14,10 @@ import { TEMP_DIR, isPathWithin } from './platform';
 import { modifyStyle, undoModification, resetModifications, getModificationHistory } from './cdp-inspector';

 // Security: Path validation for screenshot output
-const SAFE_DIRECTORIES = [TEMP_DIR, process.cwd()];
+// Resolve safe directories through realpathSync to handle symlinks (e.g., macOS /tmp -> /private/tmp)
+const SAFE_DIRECTORIES = [TEMP_DIR, process.cwd()].map(d => {
+  try { return fs.realpathSync(d); } catch { return d; }
+});

 function validateOutputPath(filePath: string): void {
  const resolved = path.resolve(filePath);
@@ -326,7 +329,9 @@ export async function handleWriteCommand(
      const selector = args[0];
      if (!selector) throw new Error('Usage: browse wait <selector|--networkidle|--load|--domcontentloaded>');
      if (selector === '--networkidle') {
-        const timeout = args[1] ? parseInt(args[1], 10) : 15000;
+        const MAX_WAIT_MS = 300_000;
+        const MIN_WAIT_MS = 1_000;
+        const timeout = Math.min(Math.max(args[1] ? parseInt(args[1], 10) || MIN_WAIT_MS : 15000, MIN_WAIT_MS), MAX_WAIT_MS);
        await page.waitForLoadState('networkidle', { timeout });
        return 'Network idle';
      }
@@ -338,7 +343,9 @@ export async function handleWriteCommand(
        await page.waitForLoadState('domcontentloaded');
        return 'DOM content loaded';
      }
-      const timeout = args[1] ? parseInt(args[1], 10) : 15000;
+      const MAX_WAIT_MS = 300_000;
+      const MIN_WAIT_MS = 1_000;
+      const timeout = Math.min(Math.max(args[1] ? parseInt(args[1], 10) || MIN_WAIT_MS : 15000, MIN_WAIT_MS), MAX_WAIT_MS);
      const resolved = await bm.resolveRef(selector);
      if ('locator' in resolved) {
        await resolved.locator.waitFor({ state: 'visible', timeout });
@@ -351,7 +358,9 @@ export async function handleWriteCommand(
    case 'viewport': {
      const size = args[0];
      if (!size || !size.includes('x')) throw new Error('Usage: browse viewport <WxH> (e.g., 375x812)');
-      const [w, h] = size.split('x').map(Number);
+      const [rawW, rawH] = size.split('x').map(Number);
+      const w = Math.min(Math.max(Math.round(rawW) || 1280, 1), 16384);
+      const h = Math.min(Math.max(Math.round(rawH) || 720, 1), 16384);
      await bm.setViewport(w, h);
      return `Viewport set to ${w}x${h}`;
    }
@@ -403,7 +412,8 @@ export async function handleWriteCommand(
      for (const fp of filePaths) {
        if (!fs.existsSync(fp)) throw new Error(`File not found: ${fp}`);
        if (path.isAbsolute(fp)) {
-          const resolvedFp = path.resolve(fp);
+          let resolvedFp: string;
+          try { resolvedFp = fs.realpathSync(path.resolve(fp)); } catch { resolvedFp = path.resolve(fp); }
          if (!SAFE_DIRECTORIES.some(dir => isPathWithin(resolvedFp, dir))) {
            throw new Error(`Path must be within: ${SAFE_DIRECTORIES.join(', ')}`);
          }
@@ -468,7 +478,14 @@ export async function handleWriteCommand(

      for (const c of cookies) {
        if (!c.name || c.value === undefined) throw new Error('Each cookie must have "name" and "value" fields');
-        if (!c.domain) c.domain = defaultDomain;
+        if (!c.domain) {
+          c.domain = defaultDomain;
+        } else {
+          const cookieDomain = c.domain.startsWith('.') ? c.domain.slice(1) : c.domain;
+          if (cookieDomain !== defaultDomain && !defaultDomain.endsWith('.' + cookieDomain)) {
+            throw new Error(`Cookie domain "${c.domain}" does not match current page domain "${defaultDomain}". Use the target site first.`);
+          }
+        }
        if (!c.path) c.path = '/';
      }

@@ -488,6 +505,12 @@ export async function handleWriteCommand(
      if (domainIdx !== -1 && domainIdx + 1 < args.length) {
        // Direct import mode — no UI
        const domain = args[domainIdx + 1];
+        // Validate --domain against current page hostname to prevent cross-site cookie injection
+        const pageHostname = new URL(page.url()).hostname;
+        const normalizedDomain = domain.startsWith('.') ? domain.slice(1) : domain;
+        if (normalizedDomain !== pageHostname && !pageHostname.endsWith('.' + normalizedDomain)) {
+          throw new Error(`--domain "${domain}" does not match current page domain "${pageHostname}". Navigate to the target site first.`);
+        }
        const browser = browserArg || 'comet';
        const result = await importCookies(browser, [domain], profile);
        if (result.cookies.length > 0) {
@@ -537,6 +560,12 @@ export async function handleWriteCommand(
        throw new Error(`Invalid CSS property name: ${property}. Only letters and hyphens allowed.`);
      }

+      // Validate CSS value — block data exfiltration patterns
+      const DANGEROUS_CSS = /url\s*\(|expression\s*\(|@import|javascript:|data:/i;
+      if (DANGEROUS_CSS.test(value)) {
+        throw new Error('CSS value rejected: contains potentially dangerous pattern.');
+      }
+
      const mod = await modifyStyle(page, selector, property, value);
      return `Style modified: ${selector} { ${property}: ${mod.oldValue || '(none)'} → ${value} } (${mod.method})`;
    }