Commit 754c848
Phase A: Critical security fixes for PR #426

Security hardening for terraphim_rlm crate:

1. Created validation.rs module with:
   - validate_snapshot_name(): Prevents path traversal attacks
   - validate_code_input(): Enforces MAX_CODE_SIZE (1MB) limit
   - validate_session_id(): Validates UUID format
   - validate_recursion_depth(): Prevents stack overflow
   - Security constants: MAX_CODE_SIZE, MAX_INPUT_SIZE, MAX_RECURSION_DEPTH

2. Fixed race condition in firecracker.rs:
   - Changed snapshot counter from read-then-write to atomic write lock
   - Added validate_snapshot_name() call before snapshot creation
   - Prevents TOCTOU vulnerability where concurrent snapshots could exceed limit

3. Enhanced mcp_tools.rs:
   - Added MAX_CODE_SIZE validation for rlm_code tool
   - Added MAX_CODE_SIZE validation for rlm_bash tool
   - Returns proper MCP error format for validation failures

Refs #426

1 parent 56cbd04 commit 754c848
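
The counter change in item 2 of the commit message, shown as an added example that is not the crate's own code: a check made under a read lock and an increment made later under a separate write lock let concurrent callers pass the limit, while checking and incrementing under one write guard does not. The names `reserve_racy`, `reserve_atomic`, `run` and the value of `MAX_SNAPSHOTS` are hypothetical, `std::sync::RwLock` is assumed in place of whatever lock firecracker.rs uses, and the `Barrier` only stands in for unlucky scheduling so the race reproduces every time.

```rust
use std::sync::{Arc, Barrier, RwLock};
use std::thread;

// Hypothetical limit; the commit page does not show the real value.
const MAX_SNAPSHOTS: usize = 3;

/// "Before" pattern: check under a read lock, release it, then take a
/// separate write lock to increment. The barrier forces every thread to
/// finish its check before any thread writes.
fn reserve_racy(count: &RwLock<usize>, gate: &Barrier) -> bool {
    let allowed = *count.read().unwrap() < MAX_SNAPSHOTS; // time of check
    gate.wait();
    if allowed {
        *count.write().unwrap() += 1; // time of use: the check is stale
    }
    allowed
}

/// "After" pattern: check and increment under a single write guard, so no
/// other thread can change the counter between the two steps.
fn reserve_atomic(count: &RwLock<usize>) -> bool {
    let mut guard = count.write().unwrap();
    if *guard >= MAX_SNAPSHOTS {
        return false;
    }
    *guard += 1;
    true
}

/// Runs `workers` concurrent reservations and returns the final counter.
fn run(workers: usize, atomic: bool) -> usize {
    let count = Arc::new(RwLock::new(0usize));
    let gate = Arc::new(Barrier::new(workers));
    let handles: Vec<_> = (0..workers)
        .map(|_| {
            let (count, gate) = (Arc::clone(&count), Arc::clone(&gate));
            thread::spawn(move || {
                if atomic { reserve_atomic(&count) } else { reserve_racy(&count, &gate) }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let total = *count.read().unwrap();
    total
}

fn main() {
    println!("read-then-write:   {} snapshots (limit {})", run(8, false), MAX_SNAPSHOTS);
    println!("single write lock: {} snapshots (limit {})", run(8, true), MAX_SNAPSHOTS);
}
```
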
4 files changed: +405 -4 lines changed
- crates/terraphim_rlm/src
  - executor

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
447 | 447 | | |
448 | 448 | | |
449 | 449 | | |
450 | | - | |
451 | | - | |
| 450 | + | |
| 451 | + | |
| 452 | + | |
| 453 | + | |
| 454 | + | |
| 455 | + | |
| 456 | + | |
452 | 457 | | |
453 | 458 | | |
454 | 459 | | |
| |||
498 | 503 | | |
499 | 504 | | |
500 | 505 | | |
501 | | - | |
502 | | - | |
| 506 | + | |
| 507 | + | |
| 508 | + | |
| 509 | + | |
503 | 510 | | |
504 | 511 | | |
505 | 512 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
70 | 70 | | |
71 | 71 | | |
72 | 72 | | |
| 73 | + | |
73 | 74 | | |
74 | 75 | | |
75 | 76 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
328 | 328 | | |
329 | 329 | | |
330 | 330 | | |
| 331 | + | |
| 332 | + | |
| 333 | + | |
| 334 | + | |
| 335 | + | |
| 336 | + | |
| 337 | + | |
| 338 | + | |
331 | 339 | | |
332 | 340 | | |
333 | 341 | | |
| |||
371 | 379 | | |
372 | 380 | | |
373 | 381 | | |
| 382 | + | |
| 383 | + | |
| 384 | + | |
| 385 | + | |
| 386 | + | |
| 387 | + | |
| 388 | + | |
| 389 | + | |
374 | 390 | | |
375 | 391 | | |
376 | 392 | | |
| |||