mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-05 21:25:27 +02:00
c6e6a21d1a
* refactor: add error-handling utility module with selective catches safeUnlink (ignores ENOENT), safeKill (ignores ESRCH), isProcessAlive (extracted from cli.ts with Windows support), and json() Response helper. All catches check err.code and rethrow unexpected errors instead of swallowing silently. Unit tests cover happy path + error code paths. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * refactor: replace defensive try/catches in server.ts with utilities Replace ~12 try/catch sites with safeUnlink/safeKill calls in shutdown, emergencyCleanup, killAgent, and log cleanup. Convert empty catches to selective catches with error code checks. Remove needless welcome page try/catches (fs.existsSync doesn't need wrapping). Reduces slop-scan empty-catch locations from 11 to 8 and error-swallowing from 24 to 18. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * refactor: extract isProcessAlive and replace try/catches in cli.ts Move isProcessAlive to shared error-handling module. Replace ~20 try/catch sites with safeUnlink/safeKill in killServer, connect, disconnect, and cleanup flows. Convert empty catches to selective catches. Reduces slop-scan empty-catch from 22 to 2 locations. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * refactor: remove unnecessary return await in content-security and read-commands Remove 6 redundant return-await patterns where there's no enclosing try block. Eliminates all defensive.async-noise findings from these files. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: add slop-scan config to exclude vendor files Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * refactor: replace empty catches with selective error handling in sidebar-agent Convert 8 empty catch blocks to selective catches that check err.code (ESRCH for process kills, ENOENT for file ops). Import safeUnlink for cancel file cleanup. 
Unexpected errors now propagate instead of being silently swallowed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * refactor: replace empty catches and mark pass-through wrappers in browser-manager Convert 12 empty catch blocks to selective catches: filesystem ops check ENOENT/EACCES, browser ops check for closed/Target messages, URL parsing checks TypeError. Add 'alias for active session' comments above 6 pass-through wrapper methods to document their purpose (and exempt from slop-scan pass-through-wrappers rule). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * refactor: selective catches in gstack-global-discover Convert 8 defensive catch blocks to selective error handling. Filesystem ops check ENOENT/EACCES, process ops check exit status. Unexpected errors now propagate instead of returning silent defaults. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * refactor: selective catches in write-commands, cdp-inspector, meta-commands, snapshot Convert ~27 empty/obscuring catches to selective error handling across 4 browse source files. CDP ops check for closed/Target/detached messages, DOM ops check TypeError/DOMException, filesystem ops check ENOENT/EACCES, JSON parsing checks SyntaxError. Remove dead code in cdp-inspector where try/catch wrapped synchronous no-ops. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * refactor: selective catches in Chrome extension files Convert empty catches and error-swallowing patterns across inspector.js, content.js, background.js, and sidepanel.js. DOM catches filter TypeError/DOMException, chrome API catches filter Extension context invalidated, network catches filter Failed to fetch. Unexpected errors now propagate. 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: restore isProcessAlive boolean semantics, add safeUnlinkQuiet, remove unused json() isProcessAlive now catches ALL errors and returns false (pure boolean probe). Callers use it in if/while conditions without try/catch, so throwing on EPERM was a behavior change that could crash the CLI. Windows path gets its safety catch restored. safeUnlinkQuiet added for best-effort cleanup paths where throwing on non-ENOENT errors (like EPERM during shutdown) would abort cleanup. json() removed — dead code, never imported anywhere. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: use safeUnlinkQuiet in shutdown and cleanup paths Shutdown, emergency cleanup, and disconnect paths should never throw on file deletion failures. Switched from safeUnlink (throws on EPERM) to safeUnlinkQuiet (swallows all errors) in these best-effort paths. Normal operation paths (startup, lock release) keep safeUnlink. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * revert: remove brittle string-matching catches and alias comments in browser-manager Revert 6 catches that matched error messages via includes('closed'), includes('Target'), etc. back to empty catches. These fire-and-forget operations (page.close, bringToFront, dialog dismiss) genuinely don't care about any error type. String matching on error messages is brittle and will break on Playwright version bumps. Remove 6 'alias for active session' comments that existed solely to game slop-scan's pass-through-wrapper exemption rule. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * revert: remove brittle string-matching catches in extension files Revert error-swallowing fixes in background.js and sidepanel.js that matched error messages via includes('Failed to fetch'), includes( 'Extension context invalidated'), etc. In Chrome extensions, uncaught errors crash the entire extension. 
The original catch-and-log pattern is the correct choice for extension code where any error is non-fatal. content.js and inspector.js changes kept — their TypeError/DOMException catches are typed, not string-based. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: add slop-scan usage guidelines to CLAUDE.md Instructions for using slop-scan to improve genuine code quality, not to game metrics or hide that we're AI-coded. Documents what to fix (empty catches on file/process ops, typed exception narrows, return await) and what NOT to fix (string-matching on error messages, linter gaming comments, tightening extension/cleanup catches). Includes utility function reference and baseline score tracking. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: add slop-scan as diagnostic in test suite Runs slop-scan after bun test as a non-blocking diagnostic. Prints the summary (top files, hotspots) so you see the number without it gating anything. Available standalone via bun run slop. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: slop-diff shows only NEW findings introduced on this branch Runs slop-scan on HEAD and the merge-base, diffs results with line-number-insensitive fingerprinting so shifted code doesn't create false positives. Uses git worktree for clean base comparison. Shows net new vs removed findings. Runs automatically after bun test. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: design doc for slop-scan integration in /review and /ship Deferred plan for surfacing slop-diff findings automatically during code review and shipping. Documents integration points, auto-fix vs skip heuristics, and implementation notes. 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: bump version and changelog (v0.16.3.0) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
/**
 * Content security layer for pair-agent browser sharing.
 *
 * Four defense layers:
 * 1. Datamarking — watermark text output to detect exfiltration
 * 2. Hidden element stripping — remove invisible/deceptive elements from output
 * 3. Content filter hooks — extensible URL/content filter pipeline
 * 4. Instruction block hardening — SECURITY section in agent instructions
 *
 * This module handles layers 1-3. Layer 4 is in cli.ts.
 */
import { randomBytes } from 'crypto';
import type { Page, Frame } from 'playwright';
// ─── Datamarking (Layer 1) ──────────────────────────────────────
/**
 * Watermark token shared by every call in this process.
 * `null` until the first use, and again after `resetSessionMarker()`.
 */
let sessionMarker: string | null = null;

/**
 * Return the session marker, generating it on first use.
 *
 * Three random bytes encode to exactly four base64 characters, so the marker
 * carries 24 bits of randomness and may contain `+` or `/`.
 */
function ensureMarker(): string {
  if (sessionMarker) {
    return sessionMarker;
  }
  const fresh = randomBytes(3).toString('base64').slice(0, 4);
  sessionMarker = fresh;
  return fresh;
}

/** Test hook: expose the current session marker, creating it if needed. */
export function getSessionMarker(): string {
  const marker = ensureMarker();
  return marker;
}

/** Test hook: drop the marker so the next use generates a new one. */
export function resetSessionMarker(): void {
  sessionMarker = null;
}

/**
 * Watermark text output with the session marker.
 *
 * After every third ". " in `content`, the marker is appended with a
 * zero-width space (U+200B) in front of each of its characters. Only the
 * separators are invisible: the marker characters themselves are ordinary
 * base64 characters and render as text.
 *
 * Intended for `text` command output only (not html, forms, or structured
 * data); that restriction is the caller's job and is not enforced here.
 *
 * Limits a reviewer should keep in mind:
 * - content with fewer than three ". " occurrences is returned unmarked;
 * - the watermark is a detection aid, not a tamper-proof control: any
 *   processing that drops U+200B or rewrites sentences removes it.
 *
 * @param content Text to watermark.
 * @returns `content` with the watermark inserted at every third ". ".
 */
export function datamarkContent(content: string): string {
  const zeroWidthSpace = '\u200B';

  // Build ZWSP + char for each marker character, e.g. "\u200Ba\u200Bb...".
  let watermark = '';
  for (const ch of ensureMarker().split('')) {
    watermark += zeroWidthSpace + ch;
  }

  let sentenceBreaks = 0;
  return content.replace(/\. /g, (sentenceBreak) => {
    sentenceBreaks += 1;
    return sentenceBreaks % 3 === 0 ? sentenceBreak + watermark : sentenceBreak;
  });
}
// ─── Hidden Element Stripping (Layer 2) ─────────────────────────
/**
 * Heuristics for instruction-like text inside ARIA labels.
 *
 * markHiddenElements() ships only each pattern's `.source` into the page and
 * rebuilds it there with the `i` flag, so any other flag added here would be
 * lost in transit.
 *
 * These are English-only phrase matches. Expect both misses (paraphrases,
 * other languages) and false positives (e.g. a label such as
 * "You are now signed in" matches the second pattern).
 */
const ARIA_INJECTION_PATTERNS: RegExp[] = [
  // "ignore previous/above/all instruction(s)"
  /ignore\s+(previous|above|all)\s+instructions?/i,
  // role reassignment: "you are now ...", "you are a ..."
  /you\s+are\s+(now|a)\s+/i,
  // fake role prefix: "system:"
  /system\s*:\s*/i,
  // "do not follow/obey/listen"
  /\bdo\s+not\s+(follow|obey|listen)/i,
  // "execute (the) following"
  /\bexecute\s+(the\s+)?following/i,
  // "forget everything/all/your ..."
  /\bforget\s+(everything|all|your)/i,
  // "new instruction(s):"
  /\bnew\s+instructions?\s*:/i,
];
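/**
 * Detect hidden elements and ARIA injection on a page.
 * Marks every match with the `data-gstack-hidden` attribute and returns one
 * description per match for logging.
 *
 * Visual checks run on HTMLElements with non-empty text. The first matching
 * criterion, in this order, becomes the reported reason:
 * - opacity < 0.1
 * - font-size < 1px
 * - off-screen (absolute/fixed box more than 100px outside the viewport)
 * - same foreground/background color (text longer than 10 characters)
 * - clip/clip-path hiding
 * - visibility:hidden
 * - display:none
 *
 * ARIA check: `aria-label` plus the text of every element referenced by
 * `aria-labelledby` is tested against ARIA_INJECTION_PATTERNS, whether or not
 * the element has text of its own.
 *
 * Notes for callers:
 * - Each description quotes up to 60 characters of page-controlled text;
 *   treat it as untrusted wherever it is logged or shown to an agent.
 * - The attribute is written into the live DOM, where page scripts can also
 *   read or change it. Treat the marking as best-effort and run extraction
 *   immediately afterwards.
 *
 * @param page Playwright page or frame to inspect.
 * @returns Descriptions of the elements that were marked.
 */
export async function markHiddenElements(page: Page | Frame): Promise<string[]> {
  return page.evaluate((ariaPatterns: string[]) => {
    // Everything used below must be defined inside this callback: it runs in
    // the page, not in this module's scope.

    // Only the pattern source crosses the page boundary, so re-apply the `i`
    // flag here. Compiled once instead of once per element and pattern.
    const ariaRegexes = ariaPatterns.map((source) => new RegExp(source, 'i'));

    const isOffScreen = (el: HTMLElement, style: CSSStyleDeclaration): boolean => {
      if (style.position !== 'absolute' && style.position !== 'fixed') return false;
      const rect = el.getBoundingClientRect();
      return (
        rect.right < -100 ||
        rect.bottom < -100 ||
        rect.left > window.innerWidth + 100 ||
        rect.top > window.innerHeight + 100
      );
    };

    const found: string[] = [];

    for (const el of document.querySelectorAll('body *')) {
      if (!(el instanceof HTMLElement)) continue;

      const text = el.textContent?.trim() || '';

      // Visual hiding only matters when there is text to hide.
      if (text) {
        const style = window.getComputedStyle(el);
        let reason = '';

        if (parseFloat(style.opacity) < 0.1) {
          reason = 'opacity < 0.1';
        } else if (parseFloat(style.fontSize) < 1) {
          reason = 'font-size < 1px';
        } else if (isOffScreen(el, style)) {
          // A positioned element that is on-screen falls through to the
          // checks below. Previously the position test consumed the branch,
          // so an absolutely positioned element was never tested for clip,
          // colour or visibility hiding (the CSS `clip` property only
          // applies to absolutely positioned elements).
          reason = 'off-screen';
        } else if (style.color === style.backgroundColor && text.length > 10) {
          reason = 'same fg/bg color';
        } else if (style.clipPath === 'inset(100%)' || style.clip === 'rect(0px, 0px, 0px, 0px)') {
          reason = 'clip hiding';
        } else if (style.visibility === 'hidden') {
          reason = 'visibility hidden';
        } else if (style.display === 'none') {
          // Listed in the detection criteria but previously not checked.
          // Marking the display:none element is enough: stripping removes
          // its whole subtree.
          reason = 'display none';
        }

        if (reason) {
          el.setAttribute('data-gstack-hidden', 'true');
          found.push(`[${el.tagName.toLowerCase()}] ${reason}: "${text.slice(0, 60)}..."`);
        }
      }

      // ARIA labels are checked even on elements without text content:
      // icon-only controls are where aria-label is most commonly used.
      let labelText = el.getAttribute('aria-label') || '';
      const labelledBy = el.getAttribute('aria-labelledby');
      if (labelledBy) {
        // aria-labelledby is a whitespace-separated list of element IDs.
        for (const id of labelledBy.split(/\s+/).filter(Boolean)) {
          const labelEl = document.getElementById(id);
          if (labelEl) labelText += ' ' + (labelEl.textContent || '');
        }
      }

      if (labelText && ariaRegexes.some((re) => re.test(labelText))) {
        el.setAttribute('data-gstack-hidden', 'true');
        found.push(`[${el.tagName.toLowerCase()}] ARIA injection: "${labelText.slice(0, 60)}..."`);
      }
    }

    return found;
  }, ARIA_INJECTION_PATTERNS.map(p => p.source));
}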
/**
 * Return the page text with hidden-marked elements stripped (for the `text`
 * command).
 *
 * Works on a deep clone of `<body>`, so the live DOM is not modified: script,
 * style, noscript and svg nodes are dropped, then every element carrying
 * `data-gstack-hidden`. The remaining `innerText` is split into lines, each
 * line trimmed, and empty lines discarded.
 *
 * Only elements already tagged with `data-gstack-hidden` are excluded, so
 * markHiddenElements() has to run first.
 * NOTE(review): the clone is never attached to the document, so `innerText`
 * is not expected to apply CSS visibility rules on its own — confirm.
 *
 * @param page Playwright page or frame to read.
 * @returns Cleaned text, or '' when the document has no body.
 */
export async function getCleanTextWithStripping(page: Page | Frame): Promise<string> {
  return page.evaluate(() => {
    if (!document.body) return '';

    const copy = document.body.cloneNode(true) as HTMLElement;

    // Standard noise first, then anything flagged as hidden.
    for (const noise of copy.querySelectorAll('script, style, noscript, svg')) {
      noise.remove();
    }
    for (const flagged of copy.querySelectorAll('[data-gstack-hidden]')) {
      flagged.remove();
    }

    const kept: string[] = [];
    for (const raw of copy.innerText.split('\n')) {
      const line = raw.trim();
      if (line.length > 0) kept.push(line);
    }
    return kept.join('\n');
  });
}
/**
 * Remove every `data-gstack-hidden` attribute from the page.
 * Call once extraction is complete so the page DOM is left without the
 * marker attribute.
 *
 * @param page Playwright page or frame to clean.
 */
export async function cleanupHiddenMarkers(page: Page | Frame): Promise<void> {
  await page.evaluate(() => {
    const tagged = document.querySelectorAll('[data-gstack-hidden]');
    for (const node of tagged) {
      node.removeAttribute('data-gstack-hidden');
    }
  });
}
// ─── Content Envelope (wrapping) ────────────────────────────────
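/** Opening line of the trust-boundary envelope. */
const ENVELOPE_BEGIN = '═══ BEGIN UNTRUSTED WEB CONTENT ═══';
/** Closing line of the trust-boundary envelope. */
const ENVELOPE_END = '═══ END UNTRUSTED WEB CONTENT ═══';

/**
 * Wrap page content in a trust boundary envelope for scoped tokens.
 *
 * Output layout, joined with newlines:
 *   [⚠ CONTENT WARNINGS: w1; w2]   (only when warnings are given)
 *   ENVELOPE_BEGIN
 *   content
 *   ENVELOPE_END
 *
 * Any exact copy of an envelope marker is defanged by inserting a zero-width
 * space into the word "CONTENT", so text cannot close the envelope early or
 * open a forged one. This is applied to `content` and also to each warning:
 * the warnings line sits outside the envelope, and warnings can quote
 * page-derived text (urlBlocklistFilter embeds up to 100 characters of a URL
 * found in the page).
 *
 * Only byte-exact marker strings are rewritten; look-alike markers pass
 * through unchanged. Warnings are otherwise emitted as given, so callers
 * should keep page-derived text in them short and constrained.
 *
 * @param content Untrusted page text.
 * @param command Name of the command that produced the content (currently unused).
 * @param filterWarnings Optional warnings shown above the envelope.
 * @returns The wrapped content.
 */
export function wrapUntrustedPageContent(
  content: string,
  command: string,
  filterWarnings?: string[],
): string {
  const zwsp = '\u200B';
  const defangMarkers = (text: string): string =>
    text
      .replace(/═══ BEGIN UNTRUSTED WEB CONTENT ═══/g, `═══ BEGIN UNTRUSTED WEB C${zwsp}ONTENT ═══`)
      .replace(/═══ END UNTRUSTED WEB CONTENT ═══/g, `═══ END UNTRUSTED WEB C${zwsp}ONTENT ═══`);

  const parts: string[] = [];

  if (filterWarnings && filterWarnings.length > 0) {
    parts.push(`⚠ CONTENT WARNINGS: ${filterWarnings.map(defangMarkers).join('; ')}`);
  }

  parts.push(ENVELOPE_BEGIN, defangMarkers(content), ENVELOPE_END);

  return parts.join('\n');
}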
// ─── Content Filter Hooks (Layer 3) ─────────────────────────────
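/** Verdict returned by a single content filter and by the aggregated run. */
export interface ContentFilterResult {
  /** `false` when the filter flagged the content. */
  safe: boolean;
  /** Human-readable findings; may quote page-derived text. */
  warnings: string[];
  /** Set to `true` by runContentFilters() when the content was blocked. */
  blocked?: boolean;
  /** Summary text accompanying a blocked result. */
  message?: string;
}

/** Signature of a pluggable filter: inspects content, page URL and command name. */
export type ContentFilter = (
  content: string,
  url: string,
  command: string,
) => ContentFilterResult;

/** Filters in registration order; module-level state shared by all callers. */
const registeredFilters: ContentFilter[] = [];

/** Append a filter to the pipeline. */
export function registerContentFilter(filter: ContentFilter): void {
  registeredFilters.push(filter);
}

/** Remove every registered filter, including any registered at module load. */
export function clearContentFilters(): void {
  registeredFilters.length = 0;
}

/**
 * Read the filter mode from the BROWSE_CONTENT_FILTER environment variable.
 *
 * The value is compared case-insensitively. `off` disables the pipeline,
 * `block` turns findings into a blocked result, and anything else (unset,
 * empty, unrecognised) yields the default `warn`.
 */
export function getFilterMode(): 'off' | 'warn' | 'block' {
  switch (process.env.BROWSE_CONTENT_FILTER?.toLowerCase()) {
    case 'off':
      return 'off';
    case 'block':
      return 'block';
    default:
      return 'warn';
  }
}

/**
 * Run all registered content filters against content.
 * Returns an aggregated result with the warnings of every filter that
 * flagged the content.
 *
 * - mode `off`: no filter runs; the result is always safe.
 * - mode `warn`: `safe` is false when any filter flagged the content.
 * - mode `block`: additionally sets `blocked` and `message`.
 *
 * The verdict follows the filters' `safe` flags, not the number of warnings:
 * a filter that returns `safe: false` with an empty warning list still makes
 * the result unsafe (and blocked in `block` mode). Previously that case was
 * reported as safe.
 *
 * Warnings from filters that returned `safe: true` are not collected, and a
 * filter that throws is not caught here.
 *
 * @param content Text to inspect.
 * @param url URL of the page the content came from.
 * @param command Name of the command that produced the content.
 * @returns Aggregated filter verdict.
 */
export function runContentFilters(
  content: string,
  url: string,
  command: string,
): ContentFilterResult {
  const mode = getFilterMode();
  if (mode === 'off') {
    return { safe: true, warnings: [] };
  }

  const allWarnings: string[] = [];
  let flagged = false;

  for (const filter of registeredFilters) {
    const result = filter(content, url, command);
    if (!result.safe) {
      flagged = true;
      allWarnings.push(...result.warnings);
    }
  }

  if (flagged && mode === 'block') {
    return {
      safe: false,
      warnings: allWarnings,
      blocked: true,
      message: allWarnings.length > 0
        ? `Content blocked: ${allWarnings.join('; ')}`
        : 'Content blocked',
    };
  }

  return {
    safe: !flagged,
    warnings: allWarnings,
  };
}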
// ─── Built-in URL Blocklist Filter ──────────────────────────────
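/**
 * Domains of request-capture and tunnelling services that this filter treats
 * as likely exfiltration endpoints. Entries are lowercase; matching below
 * lowercases the URL before comparing.
 */
const BLOCKLIST_DOMAINS = [
  'requestbin.com',
  'pipedream.com',
  'webhook.site',
  'hookbin.com',
  'requestcatcher.com',
  'burpcollaborator.net',
  'interact.sh',
  'canarytokens.com',
  'ngrok.io',
  'ngrok-free.app',
];

/**
 * Check whether the page URL, or any http(s) URL found in the content,
 * mentions a blocklisted exfiltration domain.
 *
 * Matching is a case-insensitive substring test against the whole URL.
 * Host names and URL schemes are case-insensitive, so both the comparison
 * and the URL extraction ignore case; previously an upper- or mixed-case
 * host or scheme in page content was not flagged.
 *
 * Because it is a substring test, a listed domain that appears in a path or
 * query string, or inside a longer host name, is flagged as well. The list
 * is short and static, so a clean result does not mean the content has no
 * exfiltration endpoint.
 *
 * Warnings for content URLs quote up to 100 characters of the URL as it
 * appeared in the page; treat that text as untrusted.
 *
 * @param content Text to scan for URLs.
 * @param url URL of the page the content came from.
 * @param _command Unused; present to satisfy the ContentFilter signature.
 * @returns `safe: false` with one warning per match, otherwise `safe: true`.
 */
export function urlBlocklistFilter(content: string, url: string, _command: string): ContentFilterResult {
  const warnings: string[] = [];

  // Check page URL
  const pageUrl = url.toLowerCase();
  for (const domain of BLOCKLIST_DOMAINS) {
    if (pageUrl.includes(domain)) {
      warnings.push(`Page URL matches blocklisted domain: ${domain}`);
    }
  }

  // Check for blocklisted URLs in content (links, form actions)
  const urlPattern = /https?:\/\/[^\s"'<>]+/gi;
  for (const contentUrl of content.match(urlPattern) ?? []) {
    const candidate = contentUrl.toLowerCase();
    if (BLOCKLIST_DOMAINS.some((domain) => candidate.includes(domain))) {
      // Report the URL as written in the page, truncated.
      warnings.push(`Content contains blocklisted URL: ${contentUrl.slice(0, 100)}`);
    }
  }

  return { safe: warnings.length === 0, warnings };
}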
// Module-load side effect: importing this module puts the URL blocklist
// filter into the pipeline. clearContentFilters() removes it along with
// every other registered filter.
registerContentFilter(urlBlocklistFilter);