fix(security): address vulnerabilities from security audit

packages/console/app/src/routes/stripe/webhook.ts

@@ -17,7 +17,7 @@ export async function POST(input: APIEvent) {
     input.request.headers.get("stripe-signature")!,
     Resource.STRIPE_WEBHOOK_SECRET.value,
   )
-  console.log(body.type, JSON.stringify(body, null, 2))
+  console.log("stripe webhook:", body.type, body.id)
 
   return (async () => {
     if (body.type === "customer.updated") {
@@ -285,7 +285,6 @@ export async function POST(input: APIEvent) {
         if (!invoiceID) throw new Error("Invoice ID not found")
 
         const paymentIntent = await Billing.stripe().paymentIntents.retrieve(invoiceID)
-        console.log(JSON.stringify(paymentIntent))
         const errorMessage =
           typeof paymentIntent === "object" && paymentIntent !== null
             ? paymentIntent.last_payment_error?.message

packages/enterprise/src/routes/share/[shareID].tsx

@@ -126,14 +126,10 @@ export default function () {
           return <NotFound />
         }
         console.error(error)
-        const details = error instanceof Error ? (error.stack ?? error.message) : String(error)
         return (
           <div class="min-h-screen w-full bg-background-base text-text-base flex flex-col items-center justify-center gap-4 p-6 text-center">
             <p class="text-16-medium">Unable to render this share.</p>
-            <p class="text-14-regular text-text-weaker">Check the console for more details.</p>
-            <pre class="text-12-mono text-left whitespace-pre-wrap break-words w-full max-w-200 bg-background-stronger rounded-md p-4">
-              {details}
-            </pre>
+            <p class="text-14-regular text-text-weaker">An unexpected error occurred. Please try again later.</p>
           </div>
         )
       }}

packages/function/src/api.ts

@@ -18,6 +18,10 @@ export class SyncServer extends DurableObject<Env> {
     super(ctx, env)
   }
   async fetch() {
+    const secret = await this.getSecret()
+    if (!secret) {
+      return new Response("Not found", { status: 404 })
+    }
     console.log("SyncServer subscribe")
 
     const webSocketPair = new WebSocketPair()
@@ -77,6 +81,8 @@ export class SyncServer extends DurableObject<Env> {
   }
 
   public async getData() {
+    const secret = await this.getSecret()
+    if (!secret) return []
     const data = (await this.ctx.storage.list()) as Map<string, any>
     return Array.from(data.entries())
       .filter(([key, _]) => key.startsWith("session/"))
@@ -116,6 +122,10 @@ export class SyncServer extends DurableObject<Env> {
 export default new Hono<{ Bindings: Env }>()
   .get("/", (c) => c.text("Hello, world!"))
   .post("/share_create", async (c) => {
+    const authHeader = c.req.header("authorization")
+    if (!authHeader || authHeader !== `Bearer ${Resource.ADMIN_SECRET.value}`) {
+      return c.text("Unauthorized", 401)
+    }
     const body = await c.req.json<{ sessionID: string }>()
     const sessionID = body.sessionID
     const short = SyncServer.shortName(sessionID)
@@ -202,7 +212,9 @@ export default new Hono<{ Bindings: Env }>()
     return c.json({ info, messages })
   })
   .post("/feishu", async (c) => {
-    const body = (await c.req.json()) as {
+    const rawBody = await c.req.text()
+
+    let body: {
       challenge?: string
       event?: {
         message?: {
@@ -214,9 +226,41 @@ export default new Hono<{ Bindings: Env }>()
         }
       }
     }
-    console.log(JSON.stringify(body, null, 2))
-    const challenge = body.challenge
-    if (challenge) return c.json({ challenge })
+    try {
+      body = JSON.parse(rawBody)
+    } catch {
+      return c.text("Invalid JSON body", 400)
+    }
+
+    // Challenge requests during setup don't require signature verification
+    if (body.challenge) return c.json({ challenge: body.challenge })
+
+    // All non-challenge requests must have a valid signature
+    const signature = c.req.header("x-lark-signature")
+    const timestamp = c.req.header("x-lark-request-timestamp")
+    const nonce = c.req.header("x-lark-request-nonce")
+    if (!signature || !timestamp || !nonce) {
+      return c.text("Missing signature headers", 403)
+    }
+
+    // Reject stale timestamps (±5 min window)
+    const ts = parseInt(timestamp, 10)
+    const now = Math.floor(Date.now() / 1000)
+    if (isNaN(ts) || Math.abs(now - ts) > 300) {
+      return c.text("Timestamp expired", 403)
+    }
+
+    const encryptKey = Resource.FEISHU_APP_SECRET.value
+    const payload = timestamp + nonce + encryptKey + rawBody
+    const hash = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(payload))
+    const expected = Array.from(new Uint8Array(hash))
+      .map((b) => b.toString(16).padStart(2, "0"))
+      .join("")
+    if (expected !== signature) {
+      return c.text("Invalid signature", 403)
+    }
+
+    console.log("feishu webhook:", body.event?.message?.message_id ?? "unknown")
 
     const content = body.event?.message?.content
     const parsed =

packages/opencode/src/mcp/index.ts

@@ -14,10 +14,11 @@
 import { Log } from "../util"
 import { NamedError } from "@mimo-ai/shared/util/error"
 import z from "zod/v4"
 import { Installation } from "../installation"
 import { InstallationVersion } from "../installation/version"
 import { withTimeout } from "@/util/timeout"
 import { AppFileSystem } from "@mimo-ai/shared/filesystem"
+import { assertSafeUrl } from "@/util/ssrf"
 import { McpOAuthProvider } from "./oauth-provider"
 import { McpOAuthCallback } from "./oauth-callback"
 import { McpAuth } from "./auth"
@@ -287,6 +288,11 @@
       key: string,
       mcp: ConfigMCP.Info & { type: "remote" },
     ) {
+      yield* Effect.tryPromise({
+        try: () => assertSafeUrl(mcp.url),
+        catch: (e) => new Error(e instanceof Error ? e.message : String(e)),
+      }).pipe(Effect.orDie)
+
       const oauthDisabled = mcp.oauth === false
       const oauthConfig = typeof mcp.oauth === "object" ? mcp.oauth : undefined
       let authProvider: McpOAuthProvider | undefined
@@ -745,6 +751,11 @@
       if (mcpConfig.type !== "remote") throw new Error(`MCP server ${mcpName} is not a remote server`)
       if (mcpConfig.oauth === false) throw new Error(`MCP server ${mcpName} has OAuth explicitly disabled`)
 
+      yield* Effect.tryPromise({
+        try: () => assertSafeUrl(mcpConfig.url),
+        catch: (e) => new Error(e instanceof Error ? e.message : String(e)),
+      }).pipe(Effect.orDie)
+
       // OAuth config is optional - if not provided, we'll use auto-discovery
       const oauthConfig = typeof mcpConfig.oauth === "object" ? mcpConfig.oauth : undefined
 

packages/opencode/src/mcp/oauth-callback.ts

@@ -9,6 +9,10 @@ const log = Log.create({ service: "mcp.oauth-callback" })
 let currentPort = OAUTH_CALLBACK_PORT
 let currentPath = OAUTH_CALLBACK_PATH
 
+function escapeHtml(s: string): string {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
+}
+
 const HTML_SUCCESS = `<!DOCTYPE html>
 <html>
 <head>
@@ -45,7 +49,7 @@ const HTML_ERROR = (error: string) => `<!DOCTYPE html>
   <div class="container">
     <h1>Authorization Failed</h1>
     <p>An error occurred during authorization.</p>
-    <div class="error">${error}</div>
+    <div class="error">${escapeHtml(error)}</div>
   </div>
 </body>
 </html>`

packages/opencode/src/plugin/codex.ts

@@ -186,6 +186,10 @@ const HTML_SUCCESS = `<!doctype html>
   </body>
 </html>`
 
+function escapeHtml(s: string): string {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
+}
+
 const HTML_ERROR = (error: string) => `<!doctype html>
 <html>
   <head>
@@ -229,7 +233,7 @@ const HTML_ERROR = (error: string) => `<!doctype html>
     <div class="container">
       <h1>Authorization Failed</h1>
       <p>An error occurred during authorization.</p>
-      <div class="error">${error}</div>
+      <div class="error">${escapeHtml(error)}</div>
     </div>
   </body>
 </html>`

packages/opencode/src/server/middleware.ts

@@ -31,7 +31,7 @@ export const ErrorMiddleware: ErrorHandler = (err, c) => {
     return c.json(new NamedError.Unknown({ message: err.message }).toObject(), { status: 409 })
   }
   if (err instanceof HTTPException) return err.getResponse()
-  const message = err instanceof Error && err.stack ? err.stack : err.toString()
+  const message = err instanceof Error ? err.message : "Internal Server Error"
   return c.json(new NamedError.Unknown({ message }).toObject(), {
     status: 500,
   })
@@ -48,8 +48,6 @@ export const AuthMiddleware: MiddlewareHandler = (c, next) => {
 
   const username = Flag.MIMOCODE_SERVER_USERNAME ?? "mimocode"
 
-  if (c.req.query("auth_token")) c.req.raw.headers.set("authorization", `Basic ${c.req.query("auth_token")}`)
-
   return basicAuth({ username, password })(c, next)
 }
 

packages/opencode/src/server/rate-limit.ts

@@ -0,0 +1,38 @@
+import type { MiddlewareHandler } from "hono"
+
+const windows = new Map<string, { count: number; resetAt: number }>()
+
+let lastSweep = Date.now()
+const SWEEP_INTERVAL = 60_000
+
+function sweep() {
+  const now = Date.now()
+  if (now - lastSweep < SWEEP_INTERVAL) return
+  lastSweep = now
+  for (const [key, entry] of windows) {
+    if (now >= entry.resetAt) windows.delete(key)
+  }
+}
+
+export function RateLimitMiddleware(opts: {
+  windowMs: number
+  max: number
+  keyPrefix?: string
+}): MiddlewareHandler {
+  return async (c, next) => {
+    sweep()
+    const key = (opts.keyPrefix ?? c.req.path) + ":" + (c.req.header("x-forwarded-for") ?? "local")
+    const now = Date.now()
+    let entry = windows.get(key)
+    if (!entry || now >= entry.resetAt) {
+      entry = { count: 0, resetAt: now + opts.windowMs }
+      windows.set(key, entry)
+    }
+    entry.count++
+    if (entry.count > opts.max) {
+      c.header("Retry-After", String(Math.ceil((entry.resetAt - now) / 1000)))
+      return c.json({ error: "Too many requests" }, 429)
+    }
+    return next()
+  }
+}

packages/opencode/src/server/routes/instance/session.ts

@@ -24,12 +24,13 @@
 import { Permission } from "@/permission"
 import { PermissionID } from "@/permission/schema"
 import { ModelID, ProviderID } from "@/provider/schema"
 import { Provider } from "@/provider"
 import { errors } from "../../error"
 import { lazy } from "@/util/lazy"
 import { Bus } from "@/bus"
 import { NamedError } from "@mimo-ai/shared/util/error"
 import { jsonRequest, runRequest } from "./trace"
+import { RateLimitMiddleware } from "../../rate-limit"
 
 const log = Log.create({ service: "server" })
 
@@ -698,8 +699,9 @@
               .number()
               .int()
               .min(0)
+              .max(1000)
               .optional()
-              .meta({ description: "Maximum number of messages to return" }),
+              .meta({ description: "Maximum number of messages to return (max 1000)" }),
             before: z
               .string()
               .optional()
@@ -744,7 +746,7 @@
             Effect.gen(function* () {
               const session = yield* Session.Service
               yield* session.get(sessionID)
-              return yield* session.messages({ sessionID, agentID })
+              return yield* session.messages({ sessionID, agentID, limit: 1000 })
             }),
           )
           return c.json(messages)
@@ -1008,6 +1010,7 @@
     )
     .post(
       "/:sessionID/prompt_async",
+      RateLimitMiddleware({ windowMs: 60_000, max: 20, keyPrefix: "prompt_async" }),
       describeRoute({
         summary: "Send async message",
         description:
@@ -1122,6 +1125,7 @@
     )
     .post(
       "/:sessionID/shell",
+      RateLimitMiddleware({ windowMs: 60_000, max: 20, keyPrefix: "shell" }),
       describeRoute({
         summary: "Run shell command",
         description: "Execute a shell command within the session context and return the AI's response.",

packages/opencode/src/server/server.ts

@@ -97,7 +97,17 @@ export async function listen(opts: {
   mdns?: boolean
   mdnsDomain?: string
   cors?: string[]
+  noAuth?: boolean
 }): Promise<Listener> {
+  const isLoopback =
+    opts.hostname === "127.0.0.1" || opts.hostname === "localhost" || opts.hostname === "::1"
+  if (!isLoopback && !Flag.MIMOCODE_SERVER_PASSWORD && !opts.noAuth) {
+    throw new Error(
+      "Refusing to bind to non-loopback address without MIMOCODE_SERVER_PASSWORD. " +
+        "Set the environment variable or pass noAuth to explicitly allow unauthenticated access.",
+    )
+  }
+
   const built = create(opts)
   const server = await built.runtime.listen(opts)
 

packages/opencode/src/tool/webfetch.ts

@@ -5,6 +5,7 @@ import * as Tool from "./tool"
 import TurndownService from "turndown"
 import DESCRIPTION from "./webfetch.txt"
 import { isImageAttachment } from "@/util/media"
+import { assertSafeUrl } from "@/util/ssrf"
 
 const MAX_RESPONSE_SIZE = 5 * 1024 * 1024 // 5MB
 const DEFAULT_TIMEOUT = 30 * 1000 // 30 seconds
@@ -34,6 +35,8 @@ export const WebFetchTool = Tool.define(
             throw new Error("URL must start with http:// or https://")
           }
 
+          yield* Effect.promise(() => assertSafeUrl(params.url))
+
           yield* ctx.ask({
             permission: "webfetch",
             patterns: [params.url],
@@ -90,6 +93,12 @@ export const WebFetchTool = Tool.define(
             Effect.timeoutOrElse({ duration: timeout, orElse: () => Effect.die(new Error("Request timed out")) }),
           )
 
+          // Block SSRF via redirect: if the response was redirected, validate final URL
+          const source = (response as any).source as Response | undefined
+          if (source?.url && source.url !== params.url) {
+            yield* Effect.promise(() => assertSafeUrl(source.url))
+          }
+
           // Check content length
           const contentLength = response.headers["content-length"]
           if (contentLength && parseInt(contentLength) > MAX_RESPONSE_SIZE) {