wenjie | 8c2a9332c6 | 2026-03-11 19:22:20 +08:00
fix(security): harden unauthenticated tool-exec paths (#1360)
* fix(security): harden unauthenticated tool-exec paths (GHSA-pv8c-p6jf-3fpp)
  - Exec tool: channel-based access control (default deny remote)
  - Cron tool: command scheduling restricted to internal channels
  - Web fetch: SSRF defense-in-depth (pre-flight + dial-time + redirect checks)
  - File permissions: session/state dirs 0700, files 0600
  - Registry: inject __channel/__chat_id into tool args (replaces racy SetContext)
  28 new security regression tests.
  (cherry picked from commit 191446ae19021604d3d5b0d9376b9655ab749105)
* fix(exec): revalidate working_dir before command start
* test(web): allow local oversized payload fixture
---------
Co-authored-by: xj <gh-xj@users.noreply.github.com>
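The three SSRF layers named in the commit above (pre-flight, dial-time and redirect checks), as an added stand-alone Go example. This is not the project's code and is not taken from the commit; the function names, the `Resolver` type, the blocked-range list and the redirect hop limit are assumptions chosen for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
)

// Resolver abstracts DNS so the checks can be exercised offline (assumed type, not the project's).
type Resolver func(ctx context.Context, host string) ([]net.IPAddr, error)
var errBlocked = errors.New("ssrf: destination not allowed")

// isDisallowedIP: loopback, RFC 1918 / ULA private, link-local (includes the 169.254.169.254
// metadata endpoint), multicast, unspecified. IPv4-mapped IPv6 is unwrapped first.
func isDisallowedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// preflight (layer 1): http/https only, and EVERY address the host resolves to must be allowed.
func preflight(ctx context.Context, rawURL string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	host := u.Hostname() // brackets already stripped for IPv6 literals
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" {
		return nil, fmt.Errorf("%w: bad scheme or host in %q", errBlocked, rawURL)
	}
	var addrs []net.IPAddr
	if ip := net.ParseIP(host); ip != nil {
		addrs = []net.IPAddr{{IP: ip}} // literal address: nothing to resolve
	} else if addrs, err = resolve(ctx, host); err != nil {
		return nil, err
	}
	for _, a := range addrs {
		if isDisallowedIP(a.IP) {
			return nil, fmt.Errorf("%w: %s -> %s", errBlocked, host, a.IP)
		}
	}
	return u, nil
}

// dialControl (layer 2): net.Dialer calls this with the concrete "ip:port" just before
// connect(2), so a DNS answer that changed after pre-flight (rebinding) is still refused.
func dialControl(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if ip := net.ParseIP(host); err != nil || ip == nil || isDisallowedIP(ip) {
		return fmt.Errorf("%w: dial %s", errBlocked, address)
	}
	return nil
}

// newSafeClient wires layer 2 into the transport and adds layer 3: each redirect
// target is re-checked with the same pre-flight, under a hop limit.
func newSafeClient(resolve Resolver, maxRedirects int) *http.Client {
	dialer := &net.Dialer{Control: dialControl}
	return &http.Client{
		Transport: &http.Transport{
			DialContext: dialer.DialContext,
			Proxy:       nil, // through a proxy, Control would only ever see the proxy's IP
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= maxRedirects {
				return fmt.Errorf("%w: more than %d redirects", errBlocked, maxRedirects)
			}
			_, err := preflight(req.Context(), req.URL.String(), resolve)
			return err
		},
	}
}

// fetch is the entry point a web-fetch tool would call with an untrusted URL.
func fetch(ctx context.Context, client *http.Client, rawURL string, resolve Resolver) (*http.Response, error) {
	u, err := preflight(ctx, rawURL, resolve)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	return client.Do(req)
}

func main() {
	resolve := net.DefaultResolver.LookupIPAddr
	_, err := fetch(context.Background(), newSafeClient(resolve, 5), "http://169.254.169.254/latest/meta-data/", resolve)
	fmt.Println(err) // refused at pre-flight; no socket is opened
}
```

The pre-flight check alone is not enough because the resolver answer it saw is not necessarily the one the dialer uses a moment later, and because a 3xx from a permitted host can point at an internal one; the `Control` hook and `CheckRedirect` close those two gaps. Two caveats: `Control` only sees the address actually dialed, so a configured proxy would defeat it (hence `Proxy: nil`), and a response-size cap (the commit's "oversized payload fixture" suggests the project has one) is a separate control not shown here.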

daming大铭 | faec0261d0 | 2026-03-02 18:55:35 +08:00
Merge pull request #535 from xiaket/ci-enable-dupl-linter
ci: enable duplication linter in CI

Kai Xia | 32c864c309 | 2026-03-01 18:17:32 +11:00
enable dupl check
Signed-off-by: Kai Xia <kaix+github@fastmail.com>

Petrichor | 62bdece7f5 | 2026-02-28 12:21:54 +08:00
chore: resolve conflicts with upstream/main

Hoshina | b25b3c1324 | 2026-02-21 16:35:56 +08:00
fix: golangci-lint run --fix

Hoshina | 6122ab664b | 2026-02-20 23:25:44 +08:00
refactor(channels): add channel subpackages and update gateway imports