fix(security): audit fixes — path traversal, race conditions, memory leaks, transaction safety

- lib.rs: claude_read_skill path traversal prevention (canonicalize + starts_with) - agent-dispatcher.ts: re-entrancy guard on exit handler, clear maps in stop - machines.svelte.ts: track UnlistenFn array + destroyMachineListeners() - agent-runner.ts: controller.signal.aborted, async handleMessage + .catch() - remote.rs: try_lock → async lock, abort tasks on remove - session.rs: unchecked_transaction for save_agent_messages - agent-bridge.ts: safe msg.event check (implicit in dispatcher changes)
2026-03-08 20:03:50 +01:00 · 2026-03-08 20:03:50 +01:00 · 4bdb74721d
commit 4bdb74721d
parent 73ca780b54
6 changed files with 102 additions and 57 deletions
--- a/v2/src-tauri/src/remote.rs
+++ b/v2/src-tauri/src/remote.rs
@ -69,22 +69,18 @@ impl RemoteManager {
        }
    }

-    pub fn list_machines(&self) -> Vec<RemoteMachineInfo> {
-        // Use try_lock for sync context (called from Tauri command handler)
-        let machines = self.machines.try_lock();
-        match machines {
-            Ok(m) => m.values().map(|m| RemoteMachineInfo {
-                id: m.id.clone(),
-                label: m.config.label.clone(),
-                url: m.config.url.clone(),
-                status: m.status.clone(),
-                auto_connect: m.config.auto_connect,
-            }).collect(),
-            Err(_) => Vec::new(),
-        }
+    pub async fn list_machines(&self) -> Vec<RemoteMachineInfo> {
+        let machines = self.machines.lock().await;
+        machines.values().map(|m| RemoteMachineInfo {
+            id: m.id.clone(),
+            label: m.config.label.clone(),
+            url: m.config.url.clone(),
+            status: m.status.clone(),
+            auto_connect: m.config.auto_connect,
+        }).collect()
    }

-    pub fn add_machine(&self, config: RemoteMachineConfig) -> String {
+    pub async fn add_machine(&self, config: RemoteMachineConfig) -> String {
        let id = uuid::Uuid::new_v4().to_string();
        let machine = RemoteMachine {
            id: id.clone(),
@ -92,16 +88,18 @@ impl RemoteManager {
            status: "disconnected".to_string(),
            connection: None,
        };
-        // Use try_lock for sync context
-        if let Ok(mut machines) = self.machines.try_lock() {
-            machines.insert(id.clone(), machine);
-        }
+        self.machines.lock().await.insert(id.clone(), machine);
        id
    }

-    pub fn remove_machine(&self, machine_id: &str) -> Result<(), String> {
-        let mut machines = self.machines.try_lock()
-            .map_err(|_| "Lock contention".to_string())?;
+    pub async fn remove_machine(&self, machine_id: &str) -> Result<(), String> {
+        let mut machines = self.machines.lock().await;
+        if let Some(machine) = machines.get_mut(machine_id) {
+            // Abort connection tasks before removing to prevent resource leaks
+            if let Some(conn) = machine.connection.take() {
+                conn._handle.abort();
+            }
+        }
        machines.remove(machine_id)
            .ok_or_else(|| format!("Machine {machine_id} not found"))?;
        Ok(())