Merge pull request #112 from SakuraByteCore/fix/harden-remote-hooks

fix: harden remote endpoints, SSRF, and DoS limits

Author: ymkiux

cli.js

@@ -674,6 +674,41 @@ function createBuiltinProxyRuntimeController(deps = {}) {
                 return;
             }
 
+            const remoteAddr = req && req.socket ? req.socket.remoteAddress : '';
+            const isLoopback = !remoteAddr
+                || remoteAddr === '127.0.0.1'
+                || remoteAddr === '::1'
+                || remoteAddr === '::ffff:127.0.0.1';
+            if (!isLoopback) {
+                const expected = typeof process.env.CODEXMATE_HTTP_TOKEN === 'string'
+                    ? process.env.CODEXMATE_HTTP_TOKEN.trim()
+                    : '';
+                if (!expected) {
+                    const body = JSON.stringify({ error: 'Remote access is disabled (set CODEXMATE_HTTP_TOKEN)' });
+                    res.writeHead(403, {
+                        'Content-Type': 'application/json; charset=utf-8',
+                        'Content-Length': Buffer.byteLength(body, 'utf-8')
+                    });
+                    res.end(body, 'utf-8');
+                    return;
+                }
+                const headers = req && req.headers && typeof req.headers === 'object' ? req.headers : {};
+                const rawAuth = typeof headers.authorization === 'string' ? headers.authorization.trim() : '';
+                const match = rawAuth ? rawAuth.match(/^bearer\s+(.+)$/i) : null;
+                const actual = match && match[1]
+                    ? match[1].trim()
+                    : (rawAuth ? rawAuth : (typeof headers['x-codexmate-token'] === 'string' ? String(headers['x-codexmate-token']).trim() : ''));
+                if (!actual || actual !== expected) {
+                    const body = JSON.stringify({ error: 'Unauthorized' });
+                    res.writeHead(401, {
+                        'Content-Type': 'application/json; charset=utf-8',
+                        'Content-Length': Buffer.byteLength(body, 'utf-8')
+                    });
+                    res.end(body, 'utf-8');
+                    return;
+                }
+            }
+
             const incomingPath = parsedIncoming.pathname || '/';
             if (incomingPath === '/health' || incomingPath === '/status') {
                 const body = JSON.stringify({

cli/builtin-proxy.js

@@ -864,6 +864,30 @@ function createBuiltinClaudeProxyRuntimeController(deps = {}) {
     function createBuiltinClaudeProxyServer(settings, upstream) {
         const connections = new Set();
         const server = http.createServer((req, res) => {
+            const remoteAddr = req && req.socket ? req.socket.remoteAddress : '';
+            const isLoopback = !remoteAddr
+                || remoteAddr === '127.0.0.1'
+                || remoteAddr === '::1'
+                || remoteAddr === '::ffff:127.0.0.1';
+            if (!isLoopback) {
+                const expected = typeof process.env.CODEXMATE_HTTP_TOKEN === 'string'
+                    ? process.env.CODEXMATE_HTTP_TOKEN.trim()
+                    : '';
+                if (!expected) {
+                    writeAnthropicProxyError(res, 403, 'Remote access is disabled (set CODEXMATE_HTTP_TOKEN)', 'authentication_error');
+                    return;
+                }
+                const headers = req && req.headers && typeof req.headers === 'object' ? req.headers : {};
+                const rawAuth = typeof headers.authorization === 'string' ? headers.authorization.trim() : '';
+                const match = rawAuth ? rawAuth.match(/^bearer\s+(.+)$/i) : null;
+                const actual = match && match[1]
+                    ? match[1].trim()
+                    : (rawAuth ? rawAuth : (typeof headers['x-codexmate-token'] === 'string' ? String(headers['x-codexmate-token']).trim() : ''));
+                if (!actual || actual !== expected) {
+                    writeAnthropicProxyError(res, 401, 'Unauthorized', 'authentication_error');
+                    return;
+                }
+            }
             handleBuiltinClaudeProxyRequest(req, res, settings, upstream).catch((err) => {
                 if (res.headersSent) {
                     try { res.destroy(err); } catch (_) {}

cli/claude-proxy.js

@@ -97,6 +97,17 @@ function extractHttpStatusFromError(err) {
     return Number.isFinite(value) ? value : 0;
 }
 
+function isAllowedSkillsRedirectHost(originHost, nextHost) {
+    const origin = typeof originHost === 'string' ? originHost.trim().toLowerCase() : '';
+    const next = typeof nextHost === 'string' ? nextHost.trim().toLowerCase() : '';
+    if (!origin || !next) return false;
+    if (origin === next) return true;
+    if (process.env.CODEXMATE_ALLOW_SKILLS_REDIRECT === '1') return true;
+    if (origin === 'github.com' && next === 'codeload.github.com') return true;
+    if (origin === 'github.com' && next.endsWith('.githubusercontent.com')) return true;
+    return false;
+}
+
 function downloadUrlToFile(targetUrl, filePath, options = {}) {
     const maxBytes = Number.isFinite(options.maxBytes) && options.maxBytes > 0
         ? Math.floor(options.maxBytes)
@@ -141,8 +152,19 @@ function downloadUrlToFile(targetUrl, filePath, options = {}) {
                 const nextUrl = redirectLocation.startsWith('http')
                     ? redirectLocation
                     : `${parsed.origin}${redirectLocation}`;
+                let originHost = typeof options.originHost === 'string' && options.originHost.trim()
+                    ? options.originHost.trim()
+                    : parsed.host;
+                try {
+                    const nextParsed = new URL(nextUrl);
+                    if (!isAllowedSkillsRedirectHost(originHost, nextParsed.host)) {
+                        res.resume();
+                        reject(new Error('Cross-origin redirect is not allowed'));
+                        return;
+                    }
+                } catch (_) {}
                 res.resume();
-                downloadUrlToFile(nextUrl, filePath, { maxBytes, timeoutMs, maxRedirects: maxRedirects - 1 })
+                downloadUrlToFile(nextUrl, filePath, { maxBytes, timeoutMs, maxRedirects: maxRedirects - 1, originHost })
                     .then(resolve)
                     .catch(reject);
                 return;

cli/import-skills-url.js

@@ -238,6 +238,10 @@ function normalizeResponsesInputToChatMessages(input) {
                 out.push({ type: 'text', text: block.text });
                 continue;
             }
+            if ((type === 'reasoning' || type === 'reasoning_text' || type === 'reasoning_content') && typeof block.text === 'string') {
+                out.push({ type: 'text', text: block.text });
+                continue;
+            }
             if (type === 'input_image') {
                 const raw = block.image_url != null ? block.image_url : block.imageUrl;
                 const url = typeof raw === 'string'
@@ -255,7 +259,21 @@ function normalizeResponsesInputToChatMessages(input) {
             }
             if (type === 'image_url' && block.image_url) {
                 out.push({ type: 'image_url', image_url: block.image_url });
+                continue;
+            }
+            const text = typeof block.text === 'string'
+                ? block.text
+                : (typeof block.content === 'string' ? block.content : '');
+            if (text) {
+                out.push({ type: 'text', text });
+                continue;
             }
+            try {
+                const raw = JSON.stringify(block);
+                if (raw) {
+                    out.push({ type: 'text', text: raw.slice(0, 4000) });
+                }
+            } catch (_) {}
         }
         if (out.length === 0) return '';
         return out;
@@ -635,6 +653,9 @@ async function proxyRequestJson(targetUrl, options = {}) {
     const parsed = new URL(targetUrl);
     const transport = parsed.protocol === 'https:' ? https : http;
     const bodyText = options.body ? JSON.stringify(options.body) : '';
+    const maxBytes = Number.isFinite(options.maxBytes) && options.maxBytes > 0
+        ? Math.floor(options.maxBytes)
+        : 0;
     const headers = {
         'Accept': 'application/json',
         ...(options.body ? { 'Content-Type': 'application/json' } : {}),
@@ -664,7 +685,21 @@ async function proxyRequestJson(targetUrl, options = {}) {
             agent: parsed.protocol === 'https:' ? options.httpsAgent : options.httpAgent
         }, (upstreamRes) => {
             const chunks = [];
-            upstreamRes.on('data', (chunk) => chunk && chunks.push(chunk));
+            let size = 0;
+            upstreamRes.on('data', (chunk) => {
+                if (!chunk) return;
+                if (maxBytes > 0) {
+                    size += chunk.length;
+                    if (size > maxBytes) {
+                        chunks.length = 0;
+                        try { upstreamRes.destroy(new Error('response too large')); } catch (_) {}
+                        try { req.destroy(new Error('response too large')); } catch (_) {}
+                        finish({ ok: false, error: 'response too large' });
+                        return;
+                    }
+                }
+                chunks.push(chunk);
+            });
             upstreamRes.on('end', () => {
                 const text = chunks.length ? Buffer.concat(chunks).toString('utf-8') : '';
                 finish({
@@ -689,12 +724,16 @@ async function proxyRequestJson(targetUrl, options = {}) {
 
 function createOpenaiBridgeHttpHandler(options = {}) {
     const settingsFile = options.settingsFile;
-    const expectedToken = typeof options.expectedToken === 'string' && options.expectedToken.trim()
-        ? options.expectedToken.trim()
-        : DEFAULT_BRIDGE_TOKEN;
+    const expectedTokenRaw = typeof options.expectedToken === 'string' ? options.expectedToken.trim() : '';
+    const expectedToken = Object.prototype.hasOwnProperty.call(options, 'expectedToken')
+        ? expectedTokenRaw
+        : (expectedTokenRaw || DEFAULT_BRIDGE_TOKEN);
     const maxBodySize = Number.isFinite(options.maxBodySize) ? options.maxBodySize : 0;
     const httpAgent = options.httpAgent;
     const httpsAgent = options.httpsAgent;
+    const maxUpstreamBytes = Number.isFinite(options.maxUpstreamBytes) && options.maxUpstreamBytes > 0
+        ? Math.floor(options.maxUpstreamBytes)
+        : Math.max(16 * 1024 * 1024, maxBodySize > 0 ? maxBodySize * 4 : 0);
 
     if (!settingsFile) {
         throw new Error('createOpenaiBridgeHttpHandler 缺少 settingsFile');
@@ -730,6 +769,11 @@ function createOpenaiBridgeHttpHandler(options = {}) {
             // 为避免在 LAN 暴露无鉴权的代理，这里仅允许 loopback 连接缺省 token。
             const remoteAddr = req && req.socket ? req.socket.remoteAddress : '';
             const isLoopback = isLoopbackAddress(remoteAddr);
+            if (!isLoopback && !expectedToken) {
+                res.writeHead(403, { 'Content-Type': 'application/json; charset=utf-8' });
+                res.end(JSON.stringify({ error: 'Remote access is disabled (set CODEXMATE_HTTP_TOKEN)' }));
+                return;
+            }
             if (!token && !isLoopback) {
                 res.writeHead(401, { 'Content-Type': 'application/json; charset=utf-8' });
                 res.end(JSON.stringify({ error: 'Unauthorized' }));
@@ -774,6 +818,7 @@ function createOpenaiBridgeHttpHandler(options = {}) {
                         ...(authHeader ? { Authorization: authHeader } : {}),
                         ...upstreamHeaders
                     },
+                    maxBytes: maxUpstreamBytes,
                     httpAgent,
                     httpsAgent
                 });
@@ -827,6 +872,7 @@ function createOpenaiBridgeHttpHandler(options = {}) {
                     ...(authHeader ? { Authorization: authHeader } : {}),
                     ...upstreamHeaders
                 },
+                maxBytes: maxUpstreamBytes,
                 httpAgent,
                 httpsAgent
             });
@@ -887,6 +933,7 @@ function createOpenaiBridgeHttpHandler(options = {}) {
                     ...(authHeader ? { Authorization: authHeader } : {}),
                     ...upstreamHeaders
                 },
+                maxBytes: maxUpstreamBytes,
                 httpAgent,
                 httpsAgent
             });

cli/openai-bridge.js

@@ -2,6 +2,7 @@ const fs = require('fs');
 const path = require('path');
 const http = require('http');
 const https = require('https');
+const net = require('net');
 
 function isPlainObject(value) {
     return !!value && typeof value === 'object' && !Array.isArray(value);
@@ -43,6 +44,32 @@ function expandEnvTemplate(value, env = process.env) {
     });
 }
 
+function isPrivateNetworkHost(hostname) {
+    const host = typeof hostname === 'string' ? hostname.trim().toLowerCase() : '';
+    if (!host) return true;
+    if (host === 'localhost') return true;
+    const ipVer = net.isIP(host);
+    if (!ipVer) return false;
+    if (ipVer === 4) {
+        const parts = host.split('.').map((x) => parseInt(x, 10));
+        if (parts.length !== 4 || parts.some((x) => !Number.isFinite(x))) return true;
+        const [a, b] = parts;
+        if (a === 10) return true;
+        if (a === 127) return true;
+        if (a === 169 && b === 254) return true;
+        if (a === 192 && b === 168) return true;
+        if (a === 172 && b >= 16 && b <= 31) return true;
+        return false;
+    }
+    if (ipVer === 6) {
+        if (host === '::1') return true;
+        if (host.startsWith('fe80:')) return true;
+        if (host.startsWith('fc') || host.startsWith('fd')) return true;
+        return false;
+    }
+    return false;
+}
+
 function readAutomationConfig(configPath, options = {}) {
     const filePath = typeof configPath === 'string' ? configPath.trim() : '';
     if (!filePath) {
@@ -187,6 +214,13 @@ function httpPostJson(url, payload, headers = {}, options = {}) {
     } catch (_) {
         return Promise.resolve({ ok: false, error: 'invalid url' });
     }
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+        return Promise.resolve({ ok: false, error: 'invalid url protocol' });
+    }
+    const allowPrivate = process.env.CODEXMATE_ALLOW_AUTOMATION_PRIVATE_NETWORK === '1';
+    if (!allowPrivate && isPrivateNetworkHost(parsed.hostname || '')) {
+        return Promise.resolve({ ok: false, error: 'refusing to post to private network url' });
+    }
     const transport = parsed.protocol === 'http:' ? http : https;
     const data = Buffer.from(JSON.stringify(payload || {}), 'utf-8');
     const timeoutMs = Number.isFinite(options.timeoutMs) ? Math.max(200, Math.floor(options.timeoutMs)) : 4000;

lib/automation.js

@@ -1,6 +1,6 @@
 const fs = require('fs');
 const path = require('path');
-const { execSync } = require('child_process');
+const { spawnSync } = require('child_process');
 
 function normalizePathForCompare(targetPath, options = {}) {
     const ignoreCase = !!options.ignoreCase;
@@ -52,10 +52,27 @@ function resolveCopyTargetRoot(targetDir) {
 }
 
 function commandExists(command, args = '') {
+    const cmd = typeof command === 'string' ? command.trim() : '';
+    const argText = typeof args === 'string' ? args.trim() : '';
+    if (!cmd || cmd.includes('\0') || /[\r\n]/.test(cmd)) {
+        return false;
+    }
+    const argv = argText ? argText.split(/\s+/g).filter(Boolean) : [];
+    const hasSeparators = cmd.includes('/') || cmd.includes('\\');
+    const useShell = process.platform === 'win32' && !hasSeparators;
+    if (useShell) {
+        if (!/^[A-Za-z0-9._-]+$/.test(cmd)) return false;
+        if (argText && /[\r\n;&|<>`$]/.test(argText)) return false;
+    }
     try {
-        execSync(`${command} ${args}`, { stdio: 'ignore', shell: process.platform === 'win32' });
-        return true;
-    } catch (e) {
+        const probe = spawnSync(cmd, argv, {
+            stdio: 'ignore',
+            windowsHide: true,
+            timeout: 5000,
+            shell: useShell
+        });
+        return probe.status === 0;
+    } catch (_) {
         return false;
     }
 }
@@ -66,4 +83,3 @@ module.exports = {
     resolveCopyTargetRoot,
     commandExists
 };
-

lib/cli-path-utils.js

@@ -38,7 +38,25 @@ function isBootstrapLikeText(text) {
         return false;
     }
 
-    return BOOTSTRAP_TEXT_MARKERS.some(marker => normalized.includes(marker));
+    if (normalized.length < 80) {
+        return false;
+    }
+    let hits = 0;
+    for (const marker of BOOTSTRAP_TEXT_MARKERS) {
+        if (normalized.includes(marker)) {
+            hits += 1;
+        }
+    }
+    if (hits >= 2) {
+        return true;
+    }
+    if (normalized.includes('<environment_context>')) {
+        return true;
+    }
+    if (normalized.includes('agents.md instructions')) {
+        return true;
+    }
+    return false;
 }
 
 function removeLeadingSystemMessage(messages) {
@@ -300,6 +318,7 @@ function extractSessionDetailPreviewFromTailText(text, source, messageLimit) {
         });
     }
 
+    state.messages = removeLeadingSystemMessage(state.messages);
     return state;
 }