fix: address code review findings

- validate chat image attachments server-side: only files inside the
  ~/.cloudcli/assets upload store may reach provider file reads
- harden asset serving with nosniff and attachment disposition for
  SVGs to prevent stored XSS
- show the timestamp on image-only user messages
- serialize git stage/unstage calls and defer the status re-sync so
  rapid toggles can't interleave or flicker
- use a literal hex fallback for commit ref badges (alpha suffix on a
  var() string produced invalid CSS)
- stop binding a URL session to a guening
  project instead
- add the missing attentionRequiredIndicator key to all sidebar locales
- clean up dangling conjunctions left the
  de/ru/tr/ja/zh-CN/zh-TW READMEs
This commit is contained in:
Haileyesus
2026-07-06 21:08:22 +03:00
parent 4e423f5fa2
commit 138371525a
23 changed files with 197 additions and 70 deletions

View File

@@ -1,8 +1,11 @@
import path from 'node:path';
import type { WebSocket } from 'ws';
import { sessionsDb } from '@/modules/database/index.js';
import { chatRunRegistry } from '@/modules/websocket/services/chat-run-registry.service.js';
import { connectedClients, WS_OPEN_STATE } from '@/modules/websocket/services/websocket-state.service.js';
import { getGlobalImageAssetsDir, normalizeImageDescriptors } from '@/shared/image-attachments.js';
import type {
AnyRecord,
AuthenticatedWebSocketRequest,
@@ -10,6 +13,37 @@ import type {
} from '@/shared/types.js';
import { parseIncomingJsonObject } from '@/shared/utils.js';
/**
* Trust boundary for client-supplied image attachments: chat.send options come
* straight from the browser, and the provider runtimes read the referenced
* files off disk (Claude base64-encodes them into the prompt). Only images
* that live directly inside the global upload store (`~/.cloudcli/assets`,
* where POST /api/assets/images puts them) are allowed through — anything
* else (absolute paths elsewhere, traversal, subdirectories) is dropped.
*
* Exported for tests; `assetsRootOverride` exists only for them.
*/
export function filterImagesToUploadStore(images: unknown, assetsRootOverride?: string): AnyRecord[] {
const assetsRoot = path.resolve(assetsRootOverride ?? getGlobalImageAssetsDir());
return normalizeImageDescriptors(images).filter((descriptor) => {
// Relative paths are anchored in the store; absolute ones must already be in it.
const resolved = path.resolve(assetsRoot, descriptor.path);
const relative = path.relative(assetsRoot, resolved);
const isDirectChild =
relative.length > 0 &&
!relative.startsWith('..') &&
!path.isAbsolute(relative) &&
!relative.includes(path.sep) &&
!relative.includes('/');
if (!isDirectChild) {
console.warn(`[Chat] Dropping image outside the upload store: ${descriptor.path}`);
}
return isDirectChild;
});
}
/**
* One provider runtime entry point. All five runtimes share this signature,
* which lets the chat handler dispatch through a provider-keyed map instead
@@ -161,6 +195,9 @@ async function handleChatSend(
// gateway writer captures and maps back to the app session id.
const runtimeOptions: AnyRecord = {
...clientOptions,
// Image attachments are re-validated server-side: only files inside the
// global upload store may reach the provider runtimes' file reads.
images: filterImagesToUploadStore(clientOptions.images),
sessionId: session.provider_session_id ?? undefined,
resume: Boolean(session.provider_session_id),
cwd: clientOptions.cwd ?? session.project_path ?? undefined,