mirror of
https://github.com/siteboon/claudecodeui.git
synced 2026-07-07 06:02:43 +08:00
fix: address code review findings
- validate chat image attachments server-side: only files inside the ~/.cloudcli/assets upload store may reach provider file reads - harden asset serving with nosniff and attachment disposition for SVGs to prevent stored XSS - show the timestamp on image-only user messages - serialize git stage/unstage calls and defer the status re-sync so rapid toggles can't interleave or flicker - use a literal hex fallback for commit ref badges (alpha suffix on a var() string produced invalid CSS) - stop binding a URL session to a guening project instead - add the missing attentionRequiredIndicator key to all sidebar locales - clean up dangling conjunctions left the de/ru/tr/ja/zh-CN/zh-TW READMEs
This commit is contained in:
@@ -79,7 +79,17 @@ router.get('/images/:filename', async (req, res) => {
|
||||
return res.status(404).json({ error: 'Asset not found' });
|
||||
}
|
||||
|
||||
res.setHeader('Content-Type', mime.lookup(resolved) || 'application/octet-stream');
|
||||
const contentType = mime.lookup(resolved) || 'application/octet-stream';
|
||||
res.setHeader('Content-Type', contentType);
|
||||
// Stored-XSS hardening: never let the browser sniff a different type, and
|
||||
// force SVGs (which can carry scripts when rendered as a document) to
|
||||
// download instead of rendering inline. The chat UI is unaffected — it
|
||||
// fetches assets as blobs and shows them through <img>, where SVG scripts
|
||||
// never execute.
|
||||
res.setHeader('X-Content-Type-Options', 'nosniff');
|
||||
if (contentType === 'image/svg+xml') {
|
||||
res.setHeader('Content-Disposition', 'attachment');
|
||||
}
|
||||
const fileStream = fsSync.createReadStream(resolved);
|
||||
fileStream.pipe(res);
|
||||
fileStream.on('error', (error) => {
|
||||
|
||||
@@ -1,8 +1,11 @@
|
||||
import path from 'node:path';
|
||||
|
||||
import type { WebSocket } from 'ws';
|
||||
|
||||
import { sessionsDb } from '@/modules/database/index.js';
|
||||
import { chatRunRegistry } from '@/modules/websocket/services/chat-run-registry.service.js';
|
||||
import { connectedClients, WS_OPEN_STATE } from '@/modules/websocket/services/websocket-state.service.js';
|
||||
import { getGlobalImageAssetsDir, normalizeImageDescriptors } from '@/shared/image-attachments.js';
|
||||
import type {
|
||||
AnyRecord,
|
||||
AuthenticatedWebSocketRequest,
|
||||
@@ -10,6 +13,37 @@ import type {
|
||||
} from '@/shared/types.js';
|
||||
import { parseIncomingJsonObject } from '@/shared/utils.js';
|
||||
|
||||
/**
|
||||
* Trust boundary for client-supplied image attachments: chat.send options come
|
||||
* straight from the browser, and the provider runtimes read the referenced
|
||||
* files off disk (Claude base64-encodes them into the prompt). Only images
|
||||
* that live directly inside the global upload store (`~/.cloudcli/assets`,
|
||||
* where POST /api/assets/images puts them) are allowed through — anything
|
||||
* else (absolute paths elsewhere, traversal, subdirectories) is dropped.
|
||||
*
|
||||
* Exported for tests; `assetsRootOverride` exists only for them.
|
||||
*/
|
||||
export function filterImagesToUploadStore(images: unknown, assetsRootOverride?: string): AnyRecord[] {
|
||||
const assetsRoot = path.resolve(assetsRootOverride ?? getGlobalImageAssetsDir());
|
||||
|
||||
return normalizeImageDescriptors(images).filter((descriptor) => {
|
||||
// Relative paths are anchored in the store; absolute ones must already be in it.
|
||||
const resolved = path.resolve(assetsRoot, descriptor.path);
|
||||
const relative = path.relative(assetsRoot, resolved);
|
||||
const isDirectChild =
|
||||
relative.length > 0 &&
|
||||
!relative.startsWith('..') &&
|
||||
!path.isAbsolute(relative) &&
|
||||
!relative.includes(path.sep) &&
|
||||
!relative.includes('/');
|
||||
|
||||
if (!isDirectChild) {
|
||||
console.warn(`[Chat] Dropping image outside the upload store: ${descriptor.path}`);
|
||||
}
|
||||
return isDirectChild;
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* One provider runtime entry point. All five runtimes share this signature,
|
||||
* which lets the chat handler dispatch through a provider-keyed map instead
|
||||
@@ -161,6 +195,9 @@ async function handleChatSend(
|
||||
// gateway writer captures and maps back to the app session id.
|
||||
const runtimeOptions: AnyRecord = {
|
||||
...clientOptions,
|
||||
// Image attachments are re-validated server-side: only files inside the
|
||||
// global upload store may reach the provider runtimes' file reads.
|
||||
images: filterImagesToUploadStore(clientOptions.images),
|
||||
sessionId: session.provider_session_id ?? undefined,
|
||||
resume: Boolean(session.provider_session_id),
|
||||
cwd: clientOptions.cwd ?? session.project_path ?? undefined,
|
||||
|
||||
44
server/modules/websocket/tests/chat-image-filter.test.ts
Normal file
44
server/modules/websocket/tests/chat-image-filter.test.ts
Normal file
@@ -0,0 +1,44 @@
|
||||
import assert from 'node:assert/strict';
|
||||
import os from 'node:os';
|
||||
import path from 'node:path';
|
||||
import test from 'node:test';
|
||||
|
||||
import { filterImagesToUploadStore } from '@/modules/websocket/services/chat-websocket.service.js';
|
||||
|
||||
const STORE = path.join(os.tmpdir(), 'cloudcli-assets-store');
|
||||
|
||||
test('images inside the upload store pass through', () => {
|
||||
const inside = path.join(STORE, 'shot.png');
|
||||
const result = filterImagesToUploadStore(
|
||||
[{ path: inside, name: 'shot.png', mimeType: 'image/png' }],
|
||||
STORE,
|
||||
);
|
||||
assert.equal(result.length, 1);
|
||||
assert.equal(result[0].path, inside);
|
||||
});
|
||||
|
||||
test('bare filenames are anchored inside the store', () => {
|
||||
const result = filterImagesToUploadStore(['shot.png'], STORE);
|
||||
assert.equal(result.length, 1);
|
||||
});
|
||||
|
||||
test('paths outside the store, traversal, and subdirs are dropped', () => {
|
||||
const result = filterImagesToUploadStore(
|
||||
[
|
||||
{ path: 'C:/Users/victim/.ssh/id_rsa' },
|
||||
{ path: '/etc/passwd' },
|
||||
{ path: '../outside.png' },
|
||||
{ path: path.join(STORE, '..', 'escaped.png') },
|
||||
{ path: path.join(STORE, 'nested', 'deep.png') },
|
||||
{ path: STORE }, // the store folder itself is not a file
|
||||
],
|
||||
STORE,
|
||||
);
|
||||
assert.deepEqual(result, []);
|
||||
});
|
||||
|
||||
test('malformed payloads yield no images', () => {
|
||||
assert.deepEqual(filterImagesToUploadStore(undefined, STORE), []);
|
||||
assert.deepEqual(filterImagesToUploadStore('nope', STORE), []);
|
||||
assert.deepEqual(filterImagesToUploadStore([{ name: 'no-path' }, 42], STORE), []);
|
||||
});
|
||||
Reference in New Issue
Block a user