fix: Address remaining HIGH and MEDIUM security findings

- HIGH-01: Validate tmux socket path (reject traversal, non-absolute, oversized)
- MED-01: Add 2s connect timeout to stale socket cleanup (prevents hanging)
- MED-02: Validate socket path from env var (reject traversal, non-absolute)
- MED-03: Replace raw &str status with SessionStatus enum in end_session()

Co-Authored-By: claude-flow <ruv@ruv.net>

Author: Robert E. Lee

src/bridge.rs

@@ -5,7 +5,7 @@ use crate::formatting;
 use crate::injector::InputInjector;
 use crate::session::SessionManager;
 use crate::socket::SocketServer;
-use crate::types::{BridgeMessage, InlineButton, MessageType, SendOptions};
+use crate::types::{BridgeMessage, InlineButton, MessageType, SendOptions, SessionStatus};
 use std::collections::{HashMap, HashSet};
 use std::sync::Arc;
 use tokio::sync::{broadcast, Mutex, RwLock};
@@ -387,7 +387,7 @@ impl BridgeShared {
                 .remove(&msg.session_id);
 
             let sessions = self.sessions.lock().await;
-            sessions.end_session(&msg.session_id, "ended");
+            sessions.end_session(&msg.session_id, SessionStatus::Ended);
         }
 
         Ok(())
@@ -865,7 +865,7 @@ impl BridgeShared {
                     sessions.resolve_approval(id, status);
 
                     if action == "abort" {
-                        sessions.end_session(&approval.session_id, "aborted");
+                        sessions.end_session(&approval.session_id, SessionStatus::Aborted);
                     }
                 }
 
@@ -1084,7 +1084,7 @@ impl BridgeShared {
         self.session_tmux_targets.write().await.remove(&session.id);
 
         let sessions = self.sessions.lock().await;
-        sessions.end_session(&session.id, "ended");
+        sessions.end_session(&session.id, SessionStatus::Ended);
     }
 }
 

src/config.rs

@@ -177,10 +177,22 @@ pub fn load_config(require_auth: bool) -> Result<Config> {
         }
     }
 
+    // MED-02: Validate socket path from env var to prevent path traversal
     let socket_path = env::var("TELEGRAM_BRIDGE_SOCKET")
         .ok()
-        .map(PathBuf::from)
-        .or_else(|| file.socket_path.map(PathBuf::from))
+        .or(file.socket_path)
+        .map(|s| {
+            if s.contains("..") {
+                tracing::warn!(path = %s, "Socket path contains '..', using default");
+                return default_socket.clone();
+            }
+            let p = PathBuf::from(&s);
+            if !p.is_absolute() {
+                tracing::warn!(path = %s, "Socket path is not absolute, using default");
+                return default_socket.clone();
+            }
+            p
+        })
         .unwrap_or(default_socket);
 
     Ok(Config {

src/injector.rs

@@ -21,9 +21,28 @@ impl InputInjector {
     }
 
     /// Set the tmux target and optional socket path
+    /// HIGH-01: Validate socket path to prevent arbitrary socket targeting
     pub fn set_target(&mut self, target: &str, socket: Option<&str>) {
         self.tmux_target = Some(target.to_string());
-        self.tmux_socket = socket.map(|s| s.to_string());
+        self.tmux_socket = socket.and_then(|s| {
+            let path = std::path::Path::new(s);
+            // Reject paths with traversal components
+            if s.contains("..") {
+                tracing::warn!(path = %s, "Rejecting tmux socket path with '..' traversal");
+                return None;
+            }
+            // Must be an absolute path
+            if !path.is_absolute() {
+                tracing::warn!(path = %s, "Rejecting non-absolute tmux socket path");
+                return None;
+            }
+            // Reasonable length limit
+            if s.len() > 256 {
+                tracing::warn!(len = s.len(), "Rejecting oversized tmux socket path");
+                return None;
+            }
+            Some(s.to_string())
+        });
     }
 
     /// Get current tmux target

src/session.rs

@@ -227,17 +227,19 @@ impl SessionManager {
         );
     }
 
-    pub fn end_session(&self, session_id: &str, status: &str) {
+    /// MED-03: Accept SessionStatus enum instead of raw &str to prevent invalid states
+    pub fn end_session(&self, session_id: &str, status: SessionStatus) {
         let now = Utc::now().to_rfc3339();
+        let status_str = status.as_str();
         let _ = self.db.execute(
             "UPDATE sessions SET status = ?1, last_activity = ?2 WHERE id = ?3",
-            params![status, now, session_id],
+            params![status_str, now, session_id],
         );
         let _ = self.db.execute(
             "UPDATE pending_approvals SET status = 'expired' WHERE session_id = ?1 AND status = 'pending'",
             params![session_id],
         );
-        tracing::info!(%session_id, %status, "Session ended");
+        tracing::info!(%session_id, %status_str, "Session ended");
     }
 
     pub fn reactivate_session(&self, session_id: &str) {
@@ -440,7 +442,7 @@ mod tests {
             .create_session(None, 12345, None, None, None, None)
             .unwrap();
 
-        mgr.end_session(&id, "ended");
+        mgr.end_session(&id, SessionStatus::Ended);
         let session = mgr.get_session(&id).unwrap();
         assert_eq!(session.status, SessionStatus::Ended);
 

src/socket.rs

@@ -86,21 +86,28 @@ impl SocketServer {
     }
 
     /// Clean up stale socket file if no daemon is listening
+    /// MED-01: Add connect timeout to prevent hanging on unresponsive sockets
     async fn cleanup_stale_socket(&self) -> Result<()> {
         if !self.socket_path.exists() {
             return Ok(());
         }
 
-        // Try connecting to check if socket is active
-        match UnixStream::connect(&self.socket_path).await {
-            Ok(_) => {
+        // Try connecting with a timeout to check if socket is active
+        let connect_result = tokio::time::timeout(
+            std::time::Duration::from_secs(2),
+            UnixStream::connect(&self.socket_path),
+        )
+        .await;
+
+        match connect_result {
+            Ok(Ok(_)) => {
                 return Err(AppError::Socket(format!(
                     "Socket {} is already in use by another process",
                     self.socket_path.display()
                 )));
             }
-            Err(_) => {
-                // Connection failed = stale socket
+            Ok(Err(_)) | Err(_) => {
+                // Connection failed or timed out = stale socket
                 fs::remove_file(&self.socket_path)?;
                 tracing::info!(path = %self.socket_path.display(), "Removed stale socket file");
             }