fix(security): block Hermes FS traversal and revoked token reuse #329
Closed
cursor[bot] wants to merge 1 commit into
Conversation
- Reject ParentDir (..) in Hermes file manager paths and validate via canonical ancestors instead of non-canonical starts_with prefix checks
- Rotate operator tokens when revokedAtMs is set instead of silently re-issuing the same revoked token during auto-pair normalization

Fixes path traversal allowing reads/writes outside ~/.hermes and revocation bypass introduced in the v0.18.1 pairing upgrade path.

Co-authored-by: 晴天 <1186258278@users.noreply.github.com>
Contributor

Already absorbed into main via our own commit and released: 0a65ea7 / v0.18.5.

Covered:
- Hermes file manager paths reject `..` and are validated via canonical path
- Revoked operator tokens are no longer reused during auto-pairing; a new token is rotated in
- Corresponding Rust regression tests added

CI and the release workflow both passed; release page: https://github.com/qingchencloud/clawpanel/releases/tag/v0.18.5

Keeping this draft PR open would create a duplicate, so closing it first.
Contributor

Absorbed and released via 0a65ea7 / v0.18.5 on main; closing the duplicate draft PR.
## Summary

Daily critical-bug scan found two high-severity issues and applies minimal fixes.

### 1. Hermes file manager path traversal (security)

**Impact:** `hermes_fs_read` / `hermes_fs_write` / `hermes_fs_list` could access files outside `~/.hermes` via paths like `../outside.txt`.

**Root cause:** `validate_hermes_fs_path` fell back to non-canonical joined paths when `canonicalize()` failed. Rust `Path::starts_with` treats `/.hermes/../outside` as starting with `/.hermes` because it compares path components literally before `..` is resolved.

**Fix:** Reject `ParentDir` (`..`) components, require canonical root, and validate via canonical ancestors (matching the existing `hermes_logs_download` pattern).

### 2. Revoked operator token reuse (security)

**Impact:** After an operator token was revoked (`revokedAtMs` set in `paired.json`), `auto_pair_device` / `normalize_control_ui_pairing` would rewrite the entry with the same token string but drop `revokedAtMs`, effectively un-revoking it.

**Root cause:** Introduced in the v0.18.1 pairing upgrade path (`ensure_operator_token` reused existing token whenever `operator_token_is_usable` returned false).

**Fix:** Generate a fresh token when `revokedAtMs` is present; continue reusing tokens only for non-revocation upgrade cases (missing scopes, etc.).

## Validation

- `normalize_existing_pairing_rotates_revoked_operator_token`
- `rejects_parent_dir_segments` / `allows_new_file_under_root`
- `node --test tests/patch-gateway-origins.test.js` passes (recent config-merge regressions still green)
- `cargo test` not run in this environment (missing GTK/pkg-config deps)

## Checklist
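The two fixes described in the PR body, as an added example that is not clawpanel's code: the literal-prefix check that the description identifies as the root cause sits beside a canonical-ancestor validator of the shape the fix describes (reject `..` up front, require a canonical root, canonicalize the nearest existing ancestor so new files can still be written), and a small upgrade-path function that rotates an operator token whenever `revokedAtMs` is set while still reusing a live token that is only missing scopes. The function names (`weak_is_under_root`, `validate_under_root`, `upgrade_operator_token`, `make_sandbox`), the `OperatorToken` struct and the sandbox layout are assumptions for illustration, not the project's identifiers; only the std library is used.

```rust
// Added example (not clawpanel's code). Names and struct shape are assumptions.
use std::path::{Component, Path, PathBuf};
use std::{env, fs, process};

/// The weak shape from the PR's root-cause note: join, then compare components
/// literally. `Path::starts_with` never resolves `..`, so
/// "<root>/../outside.txt" still "starts with" <root>.
pub fn weak_is_under_root(root: &Path, requested: &str) -> bool {
    root.join(requested).starts_with(root)
}

/// Hardened check: reject `..` and absolute paths, require a canonical root,
/// then canonicalize the nearest *existing* ancestor of the target (the target
/// itself may not exist yet for a write) and confirm it sits inside the root.
pub fn validate_under_root(root: &Path, requested: &str) -> Result<PathBuf, String> {
    let rel = Path::new(requested);
    for component in rel.components() {
        match component {
            Component::ParentDir => return Err("'..' segments are rejected".into()),
            Component::RootDir | Component::Prefix(_) => {
                return Err("absolute paths are rejected".into())
            }
            Component::CurDir | Component::Normal(_) => {}
        }
    }
    let canon_root = fs::canonicalize(root).map_err(|e| format!("root must exist: {e}"))?;
    let target = canon_root.join(rel);
    // Walk upward until canonicalize succeeds; this also resolves symlinks.
    let mut probe: &Path = &target;
    let existing = loop {
        match fs::canonicalize(probe) {
            Ok(resolved) => break resolved,
            Err(_) => match probe.parent() {
                Some(parent) => probe = parent,
                None => return Err("no existing ancestor".into()),
            },
        }
    };
    if !existing.starts_with(&canon_root) {
        return Err(format!("{} resolves outside the root", target.display()));
    }
    Ok(target)
}

/// Stand-in for a paired.json operator entry (field names follow the PR text,
/// the struct itself is assumed).
#[derive(Clone, Debug, PartialEq)]
pub struct OperatorToken {
    pub token: String,
    pub revoked_at_ms: Option<u64>,
    pub scopes: Vec<String>,
}

/// Upgrade-path normalization: a revoked entry gets a freshly minted token; an
/// entry that is merely missing scopes keeps its token string and gains them.
pub fn upgrade_operator_token(
    existing: Option<&OperatorToken>,
    required_scopes: &[&str],
    mint: impl FnOnce() -> String,
) -> OperatorToken {
    match existing {
        Some(entry) if entry.revoked_at_ms.is_none() => {
            let mut scopes = entry.scopes.clone();
            for s in required_scopes {
                if !scopes.iter().any(|have| have.as_str() == *s) {
                    scopes.push(s.to_string());
                }
            }
            OperatorToken { token: entry.token.clone(), revoked_at_ms: None, scopes }
        }
        // Missing or revoked: never carry the old token string forward.
        _ => OperatorToken {
            token: mint(),
            revoked_at_ms: None,
            scopes: required_scopes.iter().map(|s| s.to_string()).collect(),
        },
    }
}

/// Constructed sandbox: <tmp>/<unique>/.hermes plus a sibling outside.txt.
pub fn make_sandbox() -> (PathBuf, PathBuf) {
    let base = env::temp_dir().join(format!("hermes_fs_example_{}", process::id()));
    let root = base.join(".hermes");
    fs::create_dir_all(&root).expect("create sandbox root");
    let outside = base.join("outside.txt");
    fs::write(&outside, b"constructed sample; must stay unreachable").expect("write outside.txt");
    (root, outside)
}

fn main() {
    let (root, _outside) = make_sandbox();
    println!("weak check admits ../outside.txt: {}", weak_is_under_root(&root, "../outside.txt"));
    println!("hardened check: {:?}", validate_under_root(&root, "../outside.txt"));
    println!("hardened check, new file: {:?}", validate_under_root(&root, "notes/new.txt"));
    let revoked = OperatorToken { token: "old".into(), revoked_at_ms: Some(1), scopes: vec![] };
    let rotated = upgrade_operator_token(Some(&revoked), &["fs:read"], || "fresh".into());
    println!("revoked entry rotated to: {}", rotated.token);
}
```

The ancestor walk is what lets `allows_new_file_under_root` and `rejects_parent_dir_segments` coexist: a write target that does not exist yet is judged by the canonical form of its closest existing parent, so a symlinked directory inside the root that points elsewhere is caught by the same `starts_with` on resolved paths that the literal check got wrong.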