mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-02 03:35:09 +02:00
Garry Tan
03973c2fab
* fix(bin): pass search params via env vars (RCE fix) (#819) Replace shell string interpolation with process.env in gstack-learnings-search to prevent arbitrary code execution via crafted learnings entries. Also fixes the CROSS_PROJECT interpolation that the original PR missed. Adds 3 regression tests verifying no shell interpolation remains in the bun -e block. Co-authored-by: garagon <garagon@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(browse): add path validation to upload command (#821) Add isPathWithin() and path traversal checks to the upload command, blocking file exfiltration via crafted upload paths. Uses existing SAFE_DIRECTORIES constant instead of a local copy. Adds 3 regression tests. Co-authored-by: garagon <garagon@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(browse): symlink resolution in meta-commands validateOutputPath (#820) Add realpathSync to validateOutputPath in meta-commands.ts to catch symlink-based directory escapes in screenshot, pdf, and responsive commands. Resolves SAFE_DIRECTORIES through realpathSync to handle macOS /tmp -> /private/tmp symlinks. Existing path validation tests pass with the hardened implementation. Co-authored-by: garagon <garagon@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: add uninstall instructions to README (#812) Community PR #812 by @0531Kim. Adds two uninstall paths: the gstack-uninstall script (handles everything) and manual removal steps for when the repo isn't cloned. Includes CLAUDE.md cleanup note and Playwright cache guidance. Co-Authored-By: 0531Kim <0531Kim@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(browse): Windows launcher extraEnv + headed-mode token (#822) Community PR #822 by @pieterklue. Three fixes: 1. Windows launcher now merges extraEnv into spawned server env (was only passing BROWSE_STATE_FILE, dropping all other env vars) 2. Welcome page fallback serves inline HTML instead of about:blank redirect (avoids ERR_UNSAFE_REDIRECT on Windows) 3. /health returns auth token in headed mode even without Origin header (fixes Playwright Chromium extensions that don't send it) Also adds HOME/USERPROFILE fallback for cross-platform compatibility. Co-Authored-By: pieterklue <pieterklue@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(browse): terminate orphan server when parent process exits (#808) Community PR #808 by @mmporong. Passes BROWSE_PARENT_PID to the spawned server process. The server polls every 15s with signal 0 and calls shutdown() if the parent is gone. Prevents orphaned chrome-headless-shell processes when Claude Code sessions exit abnormally. Co-Authored-By: mmporong <mmporong@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(security): IPv6 ULA blocking, cookie redaction, per-tab cancel, targeted token (#664) Community PR #664 by @mr-k-man (security audit round 1, new parts only). - IPv6 ULA prefix blocking (fc00::/7) in url-validation.ts with false-positive guard for hostnames like fd.example.com - Cookie value redaction for tokens, API keys, JWTs in browse cookies command - Per-tab cancel files in killAgent() replacing broken global kill-signal - design/serve.ts: realpathSync upgrade prevents symlink bypass in /api/reload - extension: targeted getToken handler replaces token-in-health-broadcast - Supabase migration 003: column-level GRANT restricts anon UPDATE scope - Telemetry sync: upsert error logging - 10 new tests for IPv6, cookie redaction, DNS rebinding, path traversal Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(security): CSS injection guard, timeout clamping, session validation, tests (#806) Community PR #806 by @mr-k-man (security audit round 2, new parts only). - CSS value validation (DANGEROUS_CSS) in cdp-inspector, write-commands, extension inspector - Queue file permissions (0o700/0o600) in cli, server, sidebar-agent - escapeRegExp for frame --url ReDoS fix - Responsive screenshot path validation with validateOutputPath - State load cookie filtering (reject localhost/.internal/metadata cookies) - Session ID format validation in loadSession - /health endpoint: remove currentUrl and currentMessage fields - QueueEntry interface + isValidQueueEntry validator for sidebar-agent - SIGTERM->SIGKILL escalation in timeout handler - Viewport dimension clamping (1-16384), wait timeout clamping (1s-300s) - Cookie domain validation in cookie-import and cookie-import-browser - DocumentFragment-based tab switching (XSS fix in sidepanel) - pollInProgress reentrancy guard for pollChat - toggleClass/injectCSS input validation in extension inspector - Snapshot annotated path validation with realpathSync - 714-line security-audit-r2.test.ts + 33-line learnings-injection.test.ts Co-Authored-By: mr-k-man <mr-k-man@users.noreply.github.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: bump version and changelog (v0.15.13.0) Community security wave: 8 PRs from 4 contributors (@garagon, @mr-k-man, @mmporong, @0531Kim, @pieterklue). IPv6 ULA blocking, cookie redaction, per-tab cancel signaling, CSS injection guards, timeout clamping, session validation, DocumentFragment XSS fix, parent process watchdog, uninstall docs, Windows fixes, and 750+ lines of security regression tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: garagon <garagon@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: 0531Kim <0531Kim@users.noreply.github.com> Co-authored-by: pieterklue <pieterklue@users.noreply.github.com> Co-authored-by: mmporong <mmporong@users.noreply.github.com> Co-authored-by: mr-k-man <mr-k-man@users.noreply.github.com>
195 lines
7.6 KiB
TypeScript
195 lines
7.6 KiB
TypeScript
import { describe, it, expect } from 'bun:test';
|
|
import { validateOutputPath } from '../src/meta-commands';
|
|
import { validateReadPath, SENSITIVE_COOKIE_NAME, SENSITIVE_COOKIE_VALUE } from '../src/read-commands';
|
|
import { BLOCKED_METADATA_HOSTS } from '../src/url-validation';
|
|
import { readFileSync, symlinkSync, unlinkSync, writeFileSync, realpathSync } from 'fs';
|
|
import { tmpdir } from 'os';
|
|
import { join } from 'path';
|
|
|
|
describe('validateOutputPath', () => {
|
|
it('allows paths within /tmp', () => {
|
|
expect(() => validateOutputPath('/tmp/screenshot.png')).not.toThrow();
|
|
});
|
|
|
|
it('allows paths in subdirectories of /tmp', () => {
|
|
expect(() => validateOutputPath('/tmp/browse/output.png')).not.toThrow();
|
|
});
|
|
|
|
it('allows paths within cwd', () => {
|
|
expect(() => validateOutputPath(`${process.cwd()}/output.png`)).not.toThrow();
|
|
});
|
|
|
|
it('blocks paths outside safe directories', () => {
|
|
expect(() => validateOutputPath('/etc/cron.d/backdoor.png')).toThrow(/Path must be within/);
|
|
});
|
|
|
|
it('blocks /tmpevil prefix collision', () => {
|
|
expect(() => validateOutputPath('/tmpevil/file.png')).toThrow(/Path must be within/);
|
|
});
|
|
|
|
it('blocks home directory paths', () => {
|
|
expect(() => validateOutputPath('/Users/someone/file.png')).toThrow(/Path must be within/);
|
|
});
|
|
|
|
it('blocks path traversal via ..', () => {
|
|
expect(() => validateOutputPath('/tmp/../etc/passwd')).toThrow(/Path must be within/);
|
|
});
|
|
});
|
|
|
|
describe('upload command path validation', () => {
|
|
const src = readFileSync(join(__dirname, '..', 'src', 'write-commands.ts'), 'utf-8');
|
|
|
|
it('validates upload paths with isPathWithin', () => {
|
|
const uploadBlock = src.slice(src.indexOf("case 'upload'"), src.indexOf("case 'dialog-accept'"));
|
|
expect(uploadBlock).toContain('isPathWithin');
|
|
});
|
|
|
|
it('blocks path traversal in upload', () => {
|
|
const uploadBlock = src.slice(src.indexOf("case 'upload'"), src.indexOf("case 'dialog-accept'"));
|
|
expect(uploadBlock).toContain("'..'");
|
|
});
|
|
|
|
it('checks absolute paths against safe directories', () => {
|
|
const uploadBlock = src.slice(src.indexOf("case 'upload'"), src.indexOf("case 'dialog-accept'"));
|
|
expect(uploadBlock).toContain('path.isAbsolute');
|
|
expect(uploadBlock).toContain('SAFE_DIRECTORIES');
|
|
});
|
|
});
|
|
|
|
describe('validateReadPath', () => {
|
|
it('allows absolute paths within /tmp', () => {
|
|
expect(() => validateReadPath('/tmp/script.js')).not.toThrow();
|
|
});
|
|
|
|
it('allows absolute paths within cwd', () => {
|
|
expect(() => validateReadPath(`${process.cwd()}/test.js`)).not.toThrow();
|
|
});
|
|
|
|
it('allows relative paths without traversal', () => {
|
|
expect(() => validateReadPath('src/index.js')).not.toThrow();
|
|
});
|
|
|
|
it('blocks absolute paths outside safe directories', () => {
|
|
expect(() => validateReadPath('/etc/passwd')).toThrow(/Path must be within/);
|
|
});
|
|
|
|
it('blocks /tmpevil prefix collision', () => {
|
|
expect(() => validateReadPath('/tmpevil/file.js')).toThrow(/Path must be within/);
|
|
});
|
|
|
|
it('blocks path traversal sequences', () => {
|
|
expect(() => validateReadPath('../../../etc/passwd')).toThrow(/Path must be within/);
|
|
});
|
|
|
|
it('blocks nested path traversal', () => {
|
|
expect(() => validateReadPath('src/../../etc/passwd')).toThrow(/Path must be within/);
|
|
});
|
|
|
|
it('blocks symlink inside safe dir pointing outside', () => {
|
|
const linkPath = join(tmpdir(), 'test-symlink-bypass-' + Date.now());
|
|
try {
|
|
symlinkSync('/etc/passwd', linkPath);
|
|
expect(() => validateReadPath(linkPath)).toThrow(/Path must be within/);
|
|
} finally {
|
|
try { unlinkSync(linkPath); } catch {}
|
|
}
|
|
});
|
|
|
|
it('throws clear error on non-ENOENT realpathSync failure', () => {
|
|
// Attempting to resolve a path through a non-directory should throw
|
|
// a descriptive error (ENOTDIR), not silently pass through.
|
|
// Create a regular file, then try to resolve a path through it as if it were a directory.
|
|
const filePath = join(tmpdir(), 'test-notdir-' + Date.now());
|
|
try {
|
|
writeFileSync(filePath, 'not a directory');
|
|
// filePath is a file, so filePath + '/subpath' triggers ENOTDIR
|
|
const invalidPath = join(filePath, 'subpath');
|
|
expect(() => validateReadPath(invalidPath)).toThrow(/Cannot resolve real path|Path must be within/);
|
|
} finally {
|
|
try { unlinkSync(filePath); } catch {}
|
|
}
|
|
});
|
|
});
|
|
|
|
describe('validateOutputPath — symlink resolution', () => {
|
|
it('blocks symlink inside /tmp pointing outside safe dirs', () => {
|
|
const linkPath = join(tmpdir(), 'test-output-symlink-' + Date.now() + '.png');
|
|
try {
|
|
symlinkSync('/etc/crontab', linkPath);
|
|
expect(() => validateOutputPath(linkPath)).toThrow(/Path must be within/);
|
|
} finally {
|
|
try { unlinkSync(linkPath); } catch {}
|
|
}
|
|
});
|
|
|
|
it('allows symlink inside /tmp pointing to another /tmp path', () => {
|
|
// Use /tmp (TEMP_DIR on macOS/Linux), not os.tmpdir() which may be a different path
|
|
const realTmp = realpathSync('/tmp');
|
|
const targetPath = join(realTmp, 'test-output-real-' + Date.now() + '.png');
|
|
const linkPath = join(realTmp, 'test-output-link-' + Date.now() + '.png');
|
|
try {
|
|
writeFileSync(targetPath, '');
|
|
symlinkSync(targetPath, linkPath);
|
|
expect(() => validateOutputPath(linkPath)).not.toThrow();
|
|
} finally {
|
|
try { unlinkSync(linkPath); } catch {}
|
|
try { unlinkSync(targetPath); } catch {}
|
|
}
|
|
});
|
|
|
|
it('blocks new file in symlinked directory pointing outside', () => {
|
|
const linkDir = join(tmpdir(), 'test-dirlink-' + Date.now());
|
|
try {
|
|
symlinkSync('/etc', linkDir);
|
|
expect(() => validateOutputPath(join(linkDir, 'evil.png'))).toThrow(/Path must be within/);
|
|
} finally {
|
|
try { unlinkSync(linkDir); } catch {}
|
|
}
|
|
});
|
|
});
|
|
|
|
describe('cookie redaction — production patterns', () => {
|
|
it('detects sensitive cookie names', () => {
|
|
expect(SENSITIVE_COOKIE_NAME.test('session_id')).toBe(true);
|
|
expect(SENSITIVE_COOKIE_NAME.test('auth_token')).toBe(true);
|
|
expect(SENSITIVE_COOKIE_NAME.test('csrf-token')).toBe(true);
|
|
expect(SENSITIVE_COOKIE_NAME.test('api_key')).toBe(true);
|
|
expect(SENSITIVE_COOKIE_NAME.test('jwt.payload')).toBe(true);
|
|
});
|
|
|
|
it('ignores non-sensitive cookie names', () => {
|
|
expect(SENSITIVE_COOKIE_NAME.test('theme')).toBe(false);
|
|
expect(SENSITIVE_COOKIE_NAME.test('locale')).toBe(false);
|
|
expect(SENSITIVE_COOKIE_NAME.test('_ga')).toBe(false);
|
|
});
|
|
|
|
it('detects sensitive cookie value prefixes', () => {
|
|
expect(SENSITIVE_COOKIE_VALUE.test('eyJhbGciOiJIUzI1NiJ9')).toBe(true); // JWT
|
|
expect(SENSITIVE_COOKIE_VALUE.test('sk-ant-abc123')).toBe(true); // Anthropic
|
|
expect(SENSITIVE_COOKIE_VALUE.test('ghp_xxxxxxxxxxxx')).toBe(true); // GitHub PAT
|
|
expect(SENSITIVE_COOKIE_VALUE.test('xoxb-token')).toBe(true); // Slack
|
|
});
|
|
|
|
it('ignores non-sensitive values', () => {
|
|
expect(SENSITIVE_COOKIE_VALUE.test('dark')).toBe(false);
|
|
expect(SENSITIVE_COOKIE_VALUE.test('en-US')).toBe(false);
|
|
expect(SENSITIVE_COOKIE_VALUE.test('1234567890')).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe('DNS rebinding — production blocklist', () => {
|
|
it('blocks fd00:: IPv6 metadata address via validateNavigationUrl', async () => {
|
|
const { validateNavigationUrl } = await import('../src/url-validation');
|
|
await expect(validateNavigationUrl('http://[fd00::]/')).rejects.toThrow(/cloud metadata/i);
|
|
});
|
|
|
|
it('blocks AWS/GCP IPv4 metadata address', () => {
|
|
expect(BLOCKED_METADATA_HOSTS.has('169.254.169.254')).toBe(true);
|
|
});
|
|
|
|
it('does not block normal addresses', () => {
|
|
expect(BLOCKED_METADATA_HOSTS.has('8.8.8.8')).toBe(false);
|
|
expect(BLOCKED_METADATA_HOSTS.has('2001:4860:4860::8888')).toBe(false);
|
|
});
|
|
});
|