fix(security): add host/origin allowlist + validate git refs + quote workflow input (#2185)

Three defense-in-depth fixes around untrusted input flowing to subprocess execution: 1. **Control-pane HTTP server (scripts/lib/control-pane/server.js)** The local control-pane API binds to 127.0.0.1 but had no Host or Origin validation, so a DNS-rebinding attack from a malicious website could pivot into the loopback endpoints — including POST /api/actions/:id, which spawns 'cargo run -- graph ...' with caller-supplied query strings. Add a hostname allowlist (loopback variants plus the explicitly configured --host) and reject mismatched Host (421) or non-loopback Origin (403) before any route handler runs. 2. **OpenCode git-summary tool (.opencode/tools/git-summary.ts)** The tool was building 'git diff ${baseBranch}...HEAD --stat' with execSync and a raw model-supplied baseBranch string. Switch run() to execFileSync with an args array (no shell), validate baseBranch against a conservative git-ref allowlist (rejects shell metacharacters, leading -, embedded ..), and clamp the depth arg to a small positive integer before interpolating into 'git log --oneline -<N>'. 3. **Reusable test workflow (.github/workflows/reusable-test.yml)** The 'Install dependencies' step interpolated ${{ inputs.package-manager }} directly into a bash 'case' and into an echo, so a downstream caller that forwarded attacker-controllable input could inject into the runner. Move the input into a PACKAGE_MANAGER env var and reference $PACKAGE_MANAGER inside the script per the GitHub script-injection guidance. Detected by Aeon + semgrep p/security-audit (host check via threat-model manual-review axis; git-summary via detect-child-process; workflow via run-shell-injection). Verification: node tests/run-all.js — 2686/2687 pre-existing tests pass; the one failure (observe.sh legacy output fallback) reproduces on main without this branch applied. Added 2 new control-pane tests covering the allowlist classifier and the DNS-rebinding-gate behavior end-to-end. --- Filed by [Aeon](https://github.com/aaronjmars/aeon-aaron). Co-authored-by: aeonframework <aeon@aaronjmars.com>
2026-06-24 00:51:27 +08:00 · 2026-06-15 13:49:40 -04:00
parent 41065bc0b2
commit 1c3280dc0d
4 changed files with 172 additions and 11 deletions
@@ -5,7 +5,24 @@
 */

 import { tool, type ToolDefinition } from "@opencode-ai/plugin/tool"
-import { execSync } from "child_process"
+import { execFileSync } from "child_process"
+
+// Conservative subset of git's allowed ref-name characters. Rejects shell
+// metacharacters and option-like leading `-` so a model-supplied baseBranch
+// cannot inject into the shell command line built below.
+const SAFE_GIT_REF = /^[A-Za-z0-9._/-]+$/
+
+function isSafeRef(ref: string): boolean {
+  if (typeof ref !== "string" || ref.length === 0 || ref.length > 200) return false
+  if (!SAFE_GIT_REF.test(ref)) return false
+  if (ref.startsWith("-") || ref.startsWith(".") || ref.startsWith("/")) return false
+  if (ref.includes("..") || ref.includes("//")) return false
+  return true
+}
+
+function isSafeDepth(value: unknown): value is number {
+  return typeof value === "number" && Number.isInteger(value) && value > 0 && value <= 1000
+}

 const gitSummaryTool: ToolDefinition = tool({
  description:
@@ -26,19 +43,22 @@ const gitSummaryTool: ToolDefinition = tool({
  },
  async execute(args, context) {
    const cwd = context.worktree || context.directory
-    const depth = args.depth ?? 5
+    const depth = isSafeDepth(args.depth) ? args.depth : 5
    const includeDiff = args.includeDiff ?? true
    const baseBranch = args.baseBranch ?? "main"

    const result: Record<string, string> = {
-      branch: run("git branch --show-current", cwd) || "unknown",
-      status: run("git status --short", cwd) || "clean",
-      log: run(`git log --oneline -${depth}`, cwd) || "no commits found",
+      branch: runArgs(["branch", "--show-current"], cwd) || "unknown",
+      status: runArgs(["status", "--short"], cwd) || "clean",
+      log: runArgs(["log", "--oneline", `-${depth}`], cwd) || "no commits found",
    }

    if (includeDiff) {
-      result.stagedDiff = run("git diff --cached --stat", cwd) || ""
-      result.branchDiff = run(`git diff ${baseBranch}...HEAD --stat`, cwd) || `unable to diff against ${baseBranch}`
+      result.stagedDiff = runArgs(["diff", "--cached", "--stat"], cwd) || ""
+      result.branchDiff = isSafeRef(baseBranch)
+        ? runArgs(["diff", `${baseBranch}...HEAD`, "--stat"], cwd) ||
+          `unable to diff against ${baseBranch}`
+        : `unable to diff against ${baseBranch} (invalid ref)`
    }

    return JSON.stringify(result)
@@ -47,9 +67,9 @@ const gitSummaryTool: ToolDefinition = tool({

 export default gitSummaryTool

-function run(command: string, cwd: string): string {
+function runArgs(args: string[], cwd: string): string {
  try {
-    return execSync(command, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }).trim()
+    return execFileSync("git", args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }).trim()
  } catch {
    return ""
  }