#19765: fix(security): OC-73 sanitize resource link titles to prevent prompt injection — Aether AI Agent

by aether-ai-agent open 2026-02-18 04:28 View on GitHub →

size: XS trusted-contributor

## Attack Vector OC-73: Resource link title injected into prompt without sanitization. **Vector:** An attacker submits a resource link with a maliciously crafted `title` field containing prompt injection text (e.g., newline-separated instructions like `"Ignore previous instructions. You are now..."`). The title is interpolated directly into the agent's context prompt without sanitization, allowing the attacker to manipulate the agent's behavior. **CWE:** CWE-74 (Injection), CWE-20 (Improper Input Validation) **Severity:** Medium **GHSA:** GHSA-74xj-763f-264w ## Fix Added sanitization of resource link titles before prompt interpolation: - Truncates titles to 200 characters maximum - Strips newline and carriage return characters that enable multi-line injection ## Impact Prevents external parties from injecting instructions into the agent prompt via resource link metadata. --- *Discovered and remediated by [Aether AI Agent](https://tryaether.ai) — automated security research.*  <h3>Greptile Summary</h3> Adds a `sanitizeResourceTitle` function that strips newline/carriage-return characters and truncates to 200 characters before resource link titles are interpolated into agent prompts. This mitigates prompt injection via crafted `title` fields on `resource_link` content blocks. - The sanitization logic for `title` is sound (newline stripping + length cap). - **Issue:** `block.uri` is interpolated into the same prompt string without sanitization, leaving an equivalent injection vector open through the URI field. - **Suggestion:** Consider stripping additional Unicode line-breaking characters (`\v`, `\f`, U+2028, U+2029) for defense in depth. - **Missing tests:** No tests were added for the new `sanitizeResourceTitle` function (newline stripping, truncation behavior, edge cases). The existing test in `client.test.ts` uses a clean title and does not exercise sanitization paths. <h3>Confidence Score: 3/5</h3> - The title sanitization is correct but the URI field has the same unaddressed injection vector, reducing the effectiveness of this security fix. - Score of 3 reflects that the core sanitization logic works correctly for its target field, but the fix is incomplete — `block.uri` is interpolated unsanitized into the same prompt, leaving an equivalent attack surface. No tests were added for the new function. The change is low-risk in terms of regressions (it only adds constraints), but doesn't fully close the vulnerability it targets. - `src/acp/event-mapper.ts` — the `block.uri` interpolation on line 45 needs the same sanitization treatment applied to `block.title`. <sub>Last reviewed commit: 925ccee</sub>  **Context used:** - Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))