
#11710: fix: security hardening — exec blocking, auth validation, timing-safe comparison

by zendizmo open 2026-02-08 06:31
channel: telegram gateway cli scripts commands agents stale
## Summary

Security hardening across exec approvals, gateway auth, and plugin HTTP routes.

### Core Security Fixes (commits 1-2)

- **Hard-block dangerous shell patterns** (`curl|sh`, `eval`, `LD_PRELOAD`) in exec-approvals instead of only warning; add `securityBlocked` field
- **Validate Tailscale header inputs** (length, charset, control chars)
- **Remove overly permissive `.ts.net` hostname bypass** from `isLocalDirectRequest`
- **Add `requireAuth` option** to plugin HTTP route registration with timing-safe token validation
- Fix pre-existing type mismatch in totp-tool-gate `onUpdate` callback

### Follow-up Fixes (commits 3-5, addressing Greptile review feedback)

- **Fix timing-safe comparison byte-length pitfall**: `safeEqual()` was comparing `string.length` (UTF-16 code units) instead of `Buffer` byte lengths before calling `crypto.timingSafeEqual`. Non-ASCII strings with equal code-unit length but different byte length would throw `RangeError`. Fixed in both `auth.ts` and `http-registry.ts`.
- **Add 7 test cases for `safeEqual`**: ASCII, non-ASCII, same-string-length-different-byte-length, empty strings
- **Resolve 20 oxlint errors**: unnecessary type assertions, missing curly braces, unused imports, `Array#sort()` -> `Array#toSorted()`, control-regex suppression

## Files Changed

| File | Change |
|------|--------|
| `src/infra/exec-approvals.ts` | Add `securityBlocked` field, split detection into block vs warn |
| `src/agents/bash-tools.exec.ts` | Hard-block before approval when `securityBlocked` is true |
| `src/gateway/auth.ts` | Validate Tailscale headers, remove `.ts.net` bypass, buffer-safe `safeEqual` |
| `src/plugins/http-registry.ts` | Add `requireAuth` option + auth guard, buffer-safe `safeEqual` |
| `src/plugins/http-registry.test.ts` | 7 tests for `safeEqual` buffer-length comparison |
| `src/totp/totp.ts` | Remove unnecessary non-null assertions |
| `src/totp/totp.test.ts` | Remove unnecessary non-null assertions |
| `src/totp/totp-store.ts` | Add curly braces for if-return |
| `src/totp/totp-store.test.ts` | Remove unused import, use `toSorted()` |
| `src/totp/totp-tool-gate.ts` | Fix `onUpdate` callback type |
| `src/totp/totp-tool-gate.test.ts` | Remove unnecessary type assertions |

## Test plan

- [x] `pnpm build` passes
- [x] `pnpm check` (type-check + lint + format) — 0 errors
- [x] `pnpm test` — 5538 passed (24 pre-existing failures in `src/memory/`)
- [x] Targeted security tests: 72/72 pass (`exec-approvals`, `auth`, `http-registry`)
- [x] Gateway tested locally — auth enforcement verified (valid token connects, wrong/missing token rejected)
- [x] Greptile review feedback addressed (safeEqual buffer-length fix)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
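The byte-length pitfall named in the follow-up fixes, as an added example that is not code from this PR. The function names `safeEqualCodeUnits` and `safeEqualBytes` are hypothetical, and the sample tokens are constructed.

```javascript
// Added example, not the PR's implementation. Names and tokens are constructed.
const crypto = require('node:crypto');

// Flawed form as described: the guard compares UTF-16 code units, but
// crypto.timingSafeEqual requires both inputs to have equal BYTE length.
function safeEqualCodeUnits(a, b) {
  if (a.length !== b.length) return false;
  return crypto.timingSafeEqual(Buffer.from(a, 'utf8'), Buffer.from(b, 'utf8'));
}

// Corrected form: encode first, then guard on the encoded byte lengths.
function safeEqualBytes(a, b) {
  const bufA = Buffer.from(a, 'utf8');
  const bufB = Buffer.from(b, 'utf8');
  if (bufA.length !== bufB.length) return false;
  return crypto.timingSafeEqual(bufA, bufB);
}

// Run one comparison; report the boolean result or the thrown error's name.
function outcome(fn, a, b) {
  try {
    return String(fn(a, b));
  } catch (err) {
    return err.name;
  }
}

// Constructed inputs covering the categories the PR's test list names.
const cases = [
  ['token-abc', 'token-abc'],                   // ASCII, equal
  ['token-abc', 'token-abd'],                   // ASCII, different
  ['t\u00f6k\u00e9n', 't\u00f6k\u00e9n'],       // non-ASCII, equal
  ['\u00e9', 'e'],                              // 1 code unit each, 2 bytes vs 1 byte
  ['', ''],                                     // empty strings
];

function runCases() {
  return cases.map(([a, b]) => ({
    a,
    b,
    codeUnits: outcome(safeEqualCodeUnits, a, b),
    bytes: outcome(safeEqualBytes, a, b),
  }));
}

console.table(runCases());
```

In an auth guard, the uncaught `RangeError` from the code-unit version turns a wrong token into an exception path rather than a clean rejection, which is why the byte-length guard matters beyond correctness of the comparison itself.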
