Security: - stash_page: reject path-traversal / percent-encoded srcs before the authed loopback fetch (resolveInternalFilePath), closing an SSRF/exfiltration hole where a crafted node.attrs.src could read an arbitrary internal GET endpoint into the anonymous sandbox. Stability: - stash_page: revert + recount mirrors FIFO-evicted by a later put in the same stash (no dangling sandbox refs, honest images.mirrored/failed); free image blobs if the final document put throws. - Reject/clamp non-positive SANDBOX_TTL_MS to the 1h default (warn once). - Log mirror failures unconditionally (console.warn, no blob bodies). Cleanup / architecture: - Remove dead expiresAt from SandboxPutResult. - Centralize the /api/sb route in SANDBOX_ROUTE_SEGMENT/SANDBOX_API_PATH and move URL composition into SandboxStore.putAndLink; drop the duplicated sink closures and the now-unused EnvironmentService injection from McpService and AiChatToolsService. - Un-export isInternalFileUrl; document the process-local (instance-bound) sandbox limitation in the tool description and .env.example. Docs/tests: - README/README.ru: 38 -> 39 tools + stash_page entry. - Add traversal/normalize/recursion unit tests, stash self-eviction + doc-put-throw + empty/octet-stream mock tests, controller If-None-Match (wildcard/weak/list) + Cache-Control tests, and SANDBOX_TTL_MS validation tests. Regenerate packages/mcp/build. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
claude_code
@@ -0,0 +1,6 @@
|
||||
// Single source of truth for the anonymous blob-sandbox route. The controller
|
||||
// is mounted under the global `/api` prefix, so its decorator uses the bare
|
||||
// segment while the public URL and the workspace-gate exclusion need the full
|
||||
// path — derive the latter from the former so the two never drift.
|
||||
export const SANDBOX_ROUTE_SEGMENT = 'sb';
|
||||
export const SANDBOX_API_PATH = `/api/${SANDBOX_ROUTE_SEGMENT}`;
|
||||
@@ -121,4 +121,70 @@ describe('SandboxController', () => {
|
||||
|
||||
expect(res._sent.status).toBe(200);
|
||||
});
|
||||
|
||||
it('returns 304 for a wildcard "*" If-None-Match', async () => {
|
||||
const sha = 'e'.repeat(64);
|
||||
const store = {
|
||||
get: jest.fn().mockReturnValue(entry(Buffer.from('x'), 'application/json', sha)),
|
||||
};
|
||||
const controller = new SandboxController(store as any);
|
||||
const res = makeRes();
|
||||
|
||||
await controller.get(VALID_ID, makeReq({ 'if-none-match': '*' }), res);
|
||||
|
||||
expect(res._sent.status).toBe(304);
|
||||
});
|
||||
|
||||
it('returns 304 for a weak validator W/"<sha>"', async () => {
|
||||
const sha = 'f'.repeat(64);
|
||||
const store = {
|
||||
get: jest.fn().mockReturnValue(entry(Buffer.from('x'), 'application/json', sha)),
|
||||
};
|
||||
const controller = new SandboxController(store as any);
|
||||
const res = makeRes();
|
||||
|
||||
await controller.get(VALID_ID, makeReq({ 'if-none-match': `W/"${sha}"` }), res);
|
||||
|
||||
expect(res._sent.status).toBe(304);
|
||||
});
|
||||
|
||||
it('returns 304 when a comma-separated If-None-Match list contains the sha', async () => {
|
||||
const sha = '1'.repeat(64);
|
||||
const store = {
|
||||
get: jest.fn().mockReturnValue(entry(Buffer.from('x'), 'application/json', sha)),
|
||||
};
|
||||
const controller = new SandboxController(store as any);
|
||||
const res = makeRes();
|
||||
|
||||
await controller.get(
|
||||
VALID_ID,
|
||||
makeReq({ 'if-none-match': `"other", "${sha}"` }),
|
||||
res,
|
||||
);
|
||||
|
||||
expect(res._sent.status).toBe(304);
|
||||
});
|
||||
|
||||
it('sets a private, immutable Cache-Control with a max-age within the TTL on 200', async () => {
|
||||
const sha = '2'.repeat(64);
|
||||
// Known TTL: ~30s out, so the floored max-age must land within [0, 60].
|
||||
const e: SandboxEntry = {
|
||||
buf: Buffer.from('x'),
|
||||
mime: 'application/json',
|
||||
sha256: sha,
|
||||
expiresAt: Date.now() + 30_000,
|
||||
};
|
||||
const store = { get: jest.fn().mockReturnValue(e) };
|
||||
const controller = new SandboxController(store as any);
|
||||
const res = makeRes();
|
||||
|
||||
await controller.get(VALID_ID, makeReq(), res);
|
||||
|
||||
expect(res._sent.status).toBe(200);
|
||||
const cc = res._sent.headers['cache-control'] as string;
|
||||
expect(cc).toMatch(/^private, max-age=\d+, immutable$/);
|
||||
const maxAge = Number(cc.match(/max-age=(\d+)/)![1]);
|
||||
expect(maxAge).toBeGreaterThanOrEqual(0);
|
||||
expect(maxAge).toBeLessThanOrEqual(60);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import { Controller, Get, Param, Req, Res } from '@nestjs/common';
|
||||
import { FastifyReply, FastifyRequest } from 'fastify';
|
||||
import { SandboxStore } from './sandbox.store';
|
||||
import { SANDBOX_ROUTE_SEGMENT } from './sandbox.constants';
|
||||
|
||||
// Strict UUID v-agnostic shape. This is anti-traversal / input hygiene (so `:id`
|
||||
// can never be a path like `../...`), NOT authorization — the capability is the
|
||||
@@ -22,7 +23,7 @@ const UUID_RE =
|
||||
* UUID; `:id` is never used as a filesystem path, so there is no traversal
|
||||
* surface. Never returns tokens, never 401s.
|
||||
*/
|
||||
@Controller('sb')
|
||||
@Controller(SANDBOX_ROUTE_SEGMENT)
|
||||
export class SandboxController {
|
||||
constructor(private readonly store: SandboxStore) {}
|
||||
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import { Injectable, Logger, OnModuleDestroy } from '@nestjs/common';
|
||||
import { createHash, randomUUID } from 'node:crypto';
|
||||
import { EnvironmentService } from '../environment/environment.service';
|
||||
import { SANDBOX_API_PATH } from './sandbox.constants';
|
||||
|
||||
// In-RAM, process-local blob store. No disk, no DB. Ephemeral by design: a
|
||||
// restart empties it. A blob is addressed by an unguessable randomUUID() which
|
||||
@@ -17,7 +18,6 @@ export interface SandboxPutResult {
|
||||
id: string;
|
||||
sha256: string;
|
||||
size: number;
|
||||
expiresAt: number;
|
||||
}
|
||||
|
||||
@Injectable()
|
||||
@@ -86,7 +86,36 @@ export class SandboxStore implements OnModuleDestroy {
|
||||
const expiresAt = Date.now() + this.environmentService.getSandboxTtlMs();
|
||||
this.map.set(id, { buf, mime, sha256, expiresAt });
|
||||
this.totalBytes += buf.length;
|
||||
return { id, sha256, size: buf.length, expiresAt };
|
||||
return { id, sha256, size: buf.length };
|
||||
}
|
||||
|
||||
/**
|
||||
* Store a blob and return its anonymous read URL plus integrity metadata.
|
||||
* Owns the single sandbox-URL composition (`${publicBase}${SANDBOX_API_PATH}/
|
||||
* <id>`) so callers never hand-build the route; the raw put() stays public for
|
||||
* tests/low-level callers. sha256 is also the blob's strong ETag.
|
||||
*/
|
||||
putAndLink(
|
||||
buf: Buffer,
|
||||
mime: string,
|
||||
): { uri: string; sha256: string; size: number } {
|
||||
const stored = this.put(buf, mime);
|
||||
const base = this.environmentService.getSandboxPublicUrl();
|
||||
return {
|
||||
uri: `${base}${SANDBOX_API_PATH}/${stored.id}`,
|
||||
sha256: stored.sha256,
|
||||
size: stored.size,
|
||||
};
|
||||
}
|
||||
|
||||
/** True if the blob is still live (not evicted/expired). */
|
||||
has(id: string): boolean {
|
||||
return this.get(id) !== undefined;
|
||||
}
|
||||
|
||||
/** Drop a blob by id (public wrapper over the private FIFO evict). */
|
||||
remove(id: string): void {
|
||||
this.evict(id);
|
||||
}
|
||||
|
||||
/** Returns the entry, or undefined if missing OR expired (lazy expiry). */
|
||||
|
||||
Reference in New Issue
Block a user