dexter/BTerminal
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security): audit fixes — path traversal, race conditions, memory leaks, transaction safety

Browse source 
- lib.rs: claude_read_skill path traversal prevention (canonicalize + starts_with)
- agent-dispatcher.ts: re-entrancy guard on exit handler, clear maps in stop
- machines.svelte.ts: track UnlistenFn array + destroyMachineListeners()
- agent-runner.ts: controller.signal.aborted, async handleMessage + .catch()
- remote.rs: try_lock → async lock, abort tasks on remove
- session.rs: unchecked_transaction for save_agent_messages
- agent-bridge.ts: safe msg.event check (implicit in dispatcher changes)
This commit is contained in:
Hibryda 2026-03-08 20:03:50 +01:00
parent 73ca780b54
commit 4bdb74721d
6 changed files with 102 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

22
v2/src-tauri/src/lib.rs
View file

@ -364,7 +364,19 @@ fn claude_list_skills() -> Vec<ClaudeSkill> {
#[tauri::command]
fn claude_read_skill(path: String) -> Result<String, String> {
std::fs::read_to_string(&path).map_err(|e| format!("Failed to read skill: {e}"))
// Validate path is under ~/.claude/skills/ to prevent path traversal
let skills_dir = dirs::home_dir()
.ok_or("Cannot determine home directory")?
.join(".claude")
.join("skills");
let canonical_skills = skills_dir.canonicalize()
.map_err(|_| "Skills directory does not exist".to_string())?;
let canonical_path = std::path::Path::new(&path).canonicalize()
.map_err(|e| format!("Invalid skill path: {e}"))?;
if !canonical_path.starts_with(&canonical_skills) {
return Err("Access denied: path is outside skills directory".to_string());
}
std::fs::read_to_string(&canonical_path).map_err(|e| format!("Failed to read skill: {e}"))
}
// --- Group config commands (v3) ---
@ -458,18 +470,18 @@ fn cli_get_group() -> Option<String> {
// --- Remote machine commands ---
#[tauri::command]
fn remote_list(state: State<'_, AppState>) -> Vec<remote::RemoteMachineInfo> {
state.remote_manager.list_machines()
async fn remote_list(state: State<'_, AppState>) -> Result<Vec<remote::RemoteMachineInfo>, String> {
Ok(state.remote_manager.list_machines().await)
}
#[tauri::command]
async fn remote_add(state: State<'_, AppState>, config: RemoteMachineConfig) -> Result<String, String> {
Ok(state.remote_manager.add_machine(config))
Ok(state.remote_manager.add_machine(config).await)
}
#[tauri::command]
async fn remote_remove(state: State<'_, AppState>, machine_id: String) -> Result<(), String> {
state.remote_manager.remove_machine(&machine_id)
state.remote_manager.remove_machine(&machine_id).await
}
#[tauri::command]

40
v2/src-tauri/src/remote.rs
View file

@ -69,22 +69,18 @@ impl RemoteManager {
}
}
pub fn list_machines(&self) -> Vec<RemoteMachineInfo> {
// Use try_lock for sync context (called from Tauri command handler)
let machines = self.machines.try_lock();
match machines {
Ok(m) => m.values().map(|m| RemoteMachineInfo {
id: m.id.clone(),
label: m.config.label.clone(),
url: m.config.url.clone(),
status: m.status.clone(),
auto_connect: m.config.auto_connect,
}).collect(),
Err(_) => Vec::new(),
}
pub async fn list_machines(&self) -> Vec<RemoteMachineInfo> {
let machines = self.machines.lock().await;
machines.values().map(|m| RemoteMachineInfo {
id: m.id.clone(),
label: m.config.label.clone(),
url: m.config.url.clone(),
status: m.status.clone(),
auto_connect: m.config.auto_connect,
}).collect()
}
pub fn add_machine(&self, config: RemoteMachineConfig) -> String {
pub async fn add_machine(&self, config: RemoteMachineConfig) -> String {
let id = uuid::Uuid::new_v4().to_string();
let machine = RemoteMachine {
id: id.clone(),
@ -92,16 +88,18 @@ impl RemoteManager {
status: "disconnected".to_string(),
connection: None,
};
// Use try_lock for sync context
if let Ok(mut machines) = self.machines.try_lock() {
machines.insert(id.clone(), machine);
}
self.machines.lock().await.insert(id.clone(), machine);
id
}
pub fn remove_machine(&self, machine_id: &str) -> Result<(), String> {
let mut machines = self.machines.try_lock()
.map_err(|_| "Lock contention".to_string())?;
pub async fn remove_machine(&self, machine_id: &str) -> Result<(), String> {
let mut machines = self.machines.lock().await;
if let Some(machine) = machines.get_mut(machine_id) {
// Abort connection tasks before removing to prevent resource leaks
if let Some(conn) = machine.connection.take() {
conn._handle.abort();
}
}
machines.remove(machine_id)
.ok_or_else(|| format!("Machine {machine_id} not found"))?;
Ok(())

10
v2/src-tauri/src/session.rs
View file

@ -373,13 +373,17 @@ impl SessionDb {
messages: &[AgentMessageRecord],
) -> Result<(), String> {
let conn = self.conn.lock().unwrap();
// Wrap DELETE+INSERTs in a transaction to prevent partial writes on crash
let tx = conn.unchecked_transaction()
.map_err(|e| format!("Begin transaction failed: {e}"))?;
// Clear previous messages for this session
conn.execute(
tx.execute(
"DELETE FROM agent_messages WHERE session_id = ?1",
params![session_id],
).map_err(|e| format!("Delete old messages failed: {e}"))?;
let mut stmt = conn.prepare(
let mut stmt = tx.prepare(
"INSERT INTO agent_messages (session_id, project_id, sdk_session_id, message_type, content, parent_id, created_at) VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)"
).map_err(|e| format!("Prepare insert failed: {e}"))?;
@ -394,6 +398,8 @@ impl SessionDb {
msg.created_at,
]).map_err(|e| format!("Insert message failed: {e}"))?;
}
drop(stmt);
tx.commit().map_err(|e| format!("Commit failed: {e}"))?;
Ok(())
}