agents-orchestrator/agent-orchestrator
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security): audit fixes — path traversal, race conditions, memory leaks, transaction safety

Browse source 
- lib.rs: claude_read_skill path traversal prevention (canonicalize + starts_with)
- agent-dispatcher.ts: re-entrancy guard on exit handler, clear maps in stop
- machines.svelte.ts: track UnlistenFn array + destroyMachineListeners()
- agent-runner.ts: controller.signal.aborted, async handleMessage + .catch()
- remote.rs: try_lock → async lock, abort tasks on remove
- session.rs: unchecked_transaction for save_agent_messages
- agent-bridge.ts: safe msg.event check (implicit in dispatcher changes)
This commit is contained in:
Hibryda 2026-03-08 20:03:50 +01:00
parent 73ca780b54
commit 4bdb74721d
6 changed files with 102 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

22
v2/src-tauri/src/lib.rs
View file

@ -364,7 +364,19 @@ fn claude_list_skills() -> Vec<ClaudeSkill> {
#[tauri::command]
fn claude_read_skill(path: String) -> Result<String, String> {
std::fs::read_to_string(&path).map_err(|e| format!("Failed to read skill: {e}"))
// Validate path is under ~/.claude/skills/ to prevent path traversal
let skills_dir = dirs::home_dir()
.ok_or("Cannot determine home directory")?
.join(".claude")
.join("skills");
let canonical_skills = skills_dir.canonicalize()
.map_err(|_| "Skills directory does not exist".to_string())?;
let canonical_path = std::path::Path::new(&path).canonicalize()
.map_err(|e| format!("Invalid skill path: {e}"))?;
if !canonical_path.starts_with(&canonical_skills) {
return Err("Access denied: path is outside skills directory".to_string());
}
std::fs::read_to_string(&canonical_path).map_err(|e| format!("Failed to read skill: {e}"))
}
// --- Group config commands (v3) ---
@ -458,18 +470,18 @@ fn cli_get_group() -> Option<String> {
// --- Remote machine commands ---
#[tauri::command]
fn remote_list(state: State<'_, AppState>) -> Vec<remote::RemoteMachineInfo> {
state.remote_manager.list_machines()
async fn remote_list(state: State<'_, AppState>) -> Result<Vec<remote::RemoteMachineInfo>, String> {
Ok(state.remote_manager.list_machines().await)
}
#[tauri::command]
async fn remote_add(state: State<'_, AppState>, config: RemoteMachineConfig) -> Result<String, String> {
Ok(state.remote_manager.add_machine(config))
Ok(state.remote_manager.add_machine(config).await)
}
#[tauri::command]
async fn remote_remove(state: State<'_, AppState>, machine_id: String) -> Result<(), String> {
state.remote_manager.remove_machine(&machine_id)
state.remote_manager.remove_machine(&machine_id).await
}
#[tauri::command]