dexter/BTerminal
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security): audit fixes — path traversal, race conditions, memory leaks, transaction safety

Browse source 
- lib.rs: claude_read_skill path traversal prevention (canonicalize + starts_with)
- agent-dispatcher.ts: re-entrancy guard on exit handler, clear maps in stop
- machines.svelte.ts: track UnlistenFn array + destroyMachineListeners()
- agent-runner.ts: controller.signal.aborted, async handleMessage + .catch()
- remote.rs: try_lock → async lock, abort tasks on remove
- session.rs: unchecked_transaction for save_agent_messages
- agent-bridge.ts: safe msg.event check (implicit in dispatcher changes)
This commit is contained in:
Hibryda 2026-03-08 20:03:50 +01:00
parent 73ca780b54
commit 4bdb74721d
6 changed files with 102 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

43
v2/src/lib/agent-dispatcher.ts
View file

@ -39,6 +39,7 @@ let sidecarAlive = true;
// Sidecar crash recovery state
const MAX_RESTART_ATTEMPTS = 3;
let restartAttempts = 0;
let restarting = false;
export function isSidecarAlive(): boolean {
return sidecarAlive;
}
@ -68,7 +69,7 @@ export async function startAgentDispatcher(): Promise<void> {
break;
case 'agent_event':
handleAgentEvent(sessionId, msg.event!);
if (msg.event) handleAgentEvent(sessionId, msg.event);
break;
case 'agent_stopped':
@ -88,6 +89,11 @@ export async function startAgentDispatcher(): Promise<void> {
unlistenExit = await onSidecarExited(async () => {
sidecarAlive = false;
// Guard against re-entrant exit handler (double-restart race)
if (restarting) return;
restarting = true;
// Mark all running sessions as errored
for (const session of getAgentSessions()) {
if (session.status === 'running' || session.status === 'starting') {
@ -96,22 +102,26 @@ export async function startAgentDispatcher(): Promise<void> {
}
// Attempt auto-restart with exponential backoff
if (restartAttempts < MAX_RESTART_ATTEMPTS) {
restartAttempts++;
const delayMs = 1000 * Math.pow(2, restartAttempts - 1); // 1s, 2s, 4s
notify('warning', `Sidecar crashed, restarting (attempt ${restartAttempts}/${MAX_RESTART_ATTEMPTS})...`);
await new Promise((resolve) => setTimeout(resolve, delayMs));
try {
await restartAgent();
sidecarAlive = true;
// Note: restartAttempts is reset when next sidecar message arrives
} catch {
if (restartAttempts >= MAX_RESTART_ATTEMPTS) {
notify('error', `Sidecar restart failed after ${MAX_RESTART_ATTEMPTS} attempts`);
try {
if (restartAttempts < MAX_RESTART_ATTEMPTS) {
restartAttempts++;
const delayMs = 1000 * Math.pow(2, restartAttempts - 1); // 1s, 2s, 4s
notify('warning', `Sidecar crashed, restarting (attempt ${restartAttempts}/${MAX_RESTART_ATTEMPTS})...`);
await new Promise((resolve) => setTimeout(resolve, delayMs));
try {
await restartAgent();
sidecarAlive = true;
// Note: restartAttempts is reset when next sidecar message arrives
} catch {
if (restartAttempts >= MAX_RESTART_ATTEMPTS) {
notify('error', `Sidecar restart failed after ${MAX_RESTART_ATTEMPTS} attempts`);
}
}
} else {
notify('error', `Sidecar restart failed after ${MAX_RESTART_ATTEMPTS} attempts`);
}
} else {
notify('error', `Sidecar restart failed after ${MAX_RESTART_ATTEMPTS} attempts`);
} finally {
restarting = false;
}
});
}
@ -300,4 +310,7 @@ export function stopAgentDispatcher(): void {
unlistenExit();
unlistenExit = null;
}
// Clear routing maps to prevent unbounded memory growth
toolUseToChildPane.clear();
sessionProjectMap.clear();
}

34
v2/src/lib/stores/machines.svelte.ts
View file

@ -71,41 +71,47 @@ export async function disconnectMachine(id: string): Promise<void> {
if (machine) machine.status = 'disconnected';
}
// Stored unlisten functions for cleanup
let unlistenFns: (() => void)[] = [];
// Initialize event listeners for machine status updates
export async function initMachineListeners(): Promise<void> {
await onRemoteMachineReady((msg) => {
// Clean up any existing listeners first
destroyMachineListeners();
unlistenFns.push(await onRemoteMachineReady((msg) => {
const machine = machines.find(m => m.id === msg.machineId);
if (machine) {
machine.status = 'connected';
notify('success', `Connected to ${machine.label}`);
}
});
}));
await onRemoteMachineDisconnected((msg) => {
unlistenFns.push(await onRemoteMachineDisconnected((msg) => {
const machine = machines.find(m => m.id === msg.machineId);
if (machine) {
machine.status = 'disconnected';
notify('warning', `Disconnected from ${machine.label}`);
}
});
}));
await onRemoteError((msg) => {
unlistenFns.push(await onRemoteError((msg) => {
const machine = machines.find(m => m.id === msg.machineId);
if (machine) {
machine.status = 'error';
notify('error', `Error from ${machine.label}: ${msg.error}`);
}
});
}));
await onRemoteMachineReconnecting((msg) => {
unlistenFns.push(await onRemoteMachineReconnecting((msg) => {
const machine = machines.find(m => m.id === msg.machineId);
if (machine) {
machine.status = 'reconnecting';
notify('info', `Reconnecting to ${machine.label} in ${msg.backoffSecs}s…`);
}
});
}));
await onRemoteMachineReconnectReady((msg) => {
unlistenFns.push(await onRemoteMachineReconnectReady((msg) => {
const machine = machines.find(m => m.id === msg.machineId);
if (machine) {
notify('info', `${machine.label} reachable — reconnecting…`);
@ -113,5 +119,13 @@ export async function initMachineListeners(): Promise<void> {
notify('error', `Auto-reconnect failed for ${machine.label}: ${e}`);
});
}
});
}));
}
/** Remove all event listeners to prevent leaks */
export function destroyMachineListeners(): void {
for (const unlisten of unlistenFns) {
unlisten();
}
unlistenFns = [];
}