fix: consolidated security and robustness improvements #82
Conversation
This PR consolidates the following fixes:
- #74: Prevent shell injection in restore_script via path escaping
- #76: Replace unsafe unwrap() with expect() in init_client
- #78: Use secure random temp files in external editor to prevent symlink attacks
- #79: Add per-chunk streaming timeout to prevent indefinite hangs

Key changes:
- Added shell escaping for paths in shell-snapshot restore scripts
- Replaced unwrap() with expect() for better error context in exec runner
- Use secure random temp files instead of predictable names
- Added streaming chunk timeout to prevent hangs during LLM responses
Greptile Overview

Greptile Summary

This PR consolidates four well-implemented security and robustness improvements into a single cohesive change. Key improvements:

All changes are well-documented, include appropriate tests, and follow Rust security best practices.

Confidence Score: 5/5
| Filename | Overview |
|---|---|
| src/cortex-shell-snapshot/src/snapshot.rs | added shell_escape_path function to prevent shell injection in restore scripts, with comprehensive test coverage |
| src/cortex-exec/src/runner.rs | replaced unwrap with expect for better error context, added per-chunk streaming timeout to prevent indefinite hangs |
| src/cortex-tui/src/external_editor.rs | replaced predictable temp filenames with secure random temp files using tempfile crate to prevent symlink attacks |
| src/cortex-tui/Cargo.toml | added tempfile dependency for secure temp file creation |
Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant TUI as Cortex TUI
    participant ExecRunner
    participant ShellSnapshot
    participant LLMProvider
    participant TempFile as Temp File System
    Note over User,TempFile: Security Improvements in Action
    User->>TUI: Press Ctrl+G for external editor
    TUI->>TempFile: Create secure temp file<br/>(random 16-byte suffix)
    TempFile-->>TUI: Secure file handle with O_EXCL
    Note over TUI,TempFile: Prevents symlink attacks
    TUI->>TUI: Open editor with temp file
    User->>TUI: Edit and save content
    TUI->>TempFile: Read edited content
    TUI->>TempFile: Delete temp file securely
    User->>ExecRunner: Execute LLM request
    ExecRunner->>ExecRunner: init_client()
    Note over ExecRunner: Uses expect() for<br/>better error context
    ExecRunner->>LLMProvider: Start streaming request
    loop For each chunk (30s timeout)
        LLMProvider->>ExecRunner: Stream response chunk
        Note over ExecRunner,LLMProvider: Per-chunk timeout<br/>prevents indefinite hangs
        ExecRunner->>ExecRunner: Process chunk
    end
    LLMProvider->>ExecRunner: Complete response
    ExecRunner->>ShellSnapshot: Generate restore script
    ShellSnapshot->>ShellSnapshot: shell_escape_path()
    Note over ShellSnapshot: Escapes single quotes<br/>using '"'"' technique
    ShellSnapshot-->>ExecRunner: Safe shell script
    ExecRunner-->>User: Return result
```
4 files reviewed, no comments
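The path-escaping fix from #74 and the `'"'"'` single-quote technique noted in the review diagram, shown as an added stand-alone example (not the project's own `shell_escape_path`; the function names and the simplified word-unquoting model are assumptions for illustration):

```rust
// Added example, not code from the cortex repository.
// Wrap a path in single quotes so a POSIX shell treats every byte literally.
// A single quote cannot appear inside single quotes, so it is emitted as
// close-quote, a double-quoted quote, reopen-quote: '"'"'
pub fn shell_escape_path(path: &str) -> String {
    let mut out = String::with_capacity(path.len() + 2);
    out.push('\'');
    for c in path.chars() {
        if c == '\'' {
            out.push_str("'\"'\"'");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    out
}

// One line of a generated restore script. Without escaping, metacharacters
// in a directory name (';', '$(...)', '`') would be interpreted when sourced.
pub fn restore_cd_line(dir: &str) -> String {
    format!("cd {}", shell_escape_path(dir))
}

// Simplified model of how a shell reads one word (assumption: no backslash
// handling). Returns None if the word is unterminated or contains an
// unquoted metacharacter, i.e. if the shell would not take it literally.
pub fn shell_unquote_word(word: &str) -> Option<String> {
    let mut out = String::new();
    let mut chars = word.chars();
    while let Some(c) = chars.next() {
        match c {
            '\'' | '"' => loop {
                match chars.next() {
                    Some(ch) if ch == c => break,
                    Some(ch) => out.push(ch),
                    None => return None, // unterminated quote
                }
            },
            ' ' | ';' | '$' | '`' | '|' | '&' | '(' | ')' => return None,
            _ => out.push(c),
        }
    }
    Some(out)
}
```

The round trip `shell_unquote_word(&shell_escape_path(p)) == Some(p)` is the property the fix relies on; the unescaped path fails the same check.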
Closing this PR to consolidate into a single mega-PR combining all bug fixes. The changes will be included in a new consolidated PR.
This PR consolidates all bug fixes and security improvements from PRs #69-88 into a single cohesive change.

## Categories

### Security Fixes
- Path traversal prevention in MCP and session storage
- Shell injection prevention in restore scripts
- Secure random temp files for external editor
- TOCTOU race condition fixes

### TUI Improvements
- Overflow prevention for u16 conversions
- Cursor positioning fixes in selection lists
- Unicode width handling for popups
- Empty section handling in help browser

### Error Handling
- Graceful semaphore and init failure handling
- Improved error propagation in middleware
- Better client access error handling
- SystemTime operation safety

### Memory and Storage
- Cache size limits to prevent unbounded growth
- File lock cleanup for memory leak prevention
- fsync after critical writes for durability
- Bounded ToolResponseStore with automatic cleanup

### Protocol Robustness
- Buffer size limits for StreamProcessor
- ToolState transition validation
- State machine documentation

### Numeric Safety
- Saturating operations to prevent overflow/underflow
- Safe UTF-8 string slicing throughout codebase

### Tools
- Parameter alias support for backward compatibility
- Handler name consistency fixes

## Files Modified

Multiple files across cortex-tui, cortex-engine, cortex-exec, cortex-common, cortex-protocol, cortex-storage, cortex-mcp-server, and other crates.

Closes #69, #70, #71, #73, #75, #80, #82, #87, #88
Summary
This PR consolidates 4 security and robustness fixes into a single, cohesive change.
Included PRs:

Key Changes:
- unwrap() with expect() for better error context in exec runner

Files Modified:
- src/cortex-shell-snapshot/src/snapshot.rs
- src/cortex-exec/src/runner.rs
- src/cortex-tui/Cargo.toml
- src/cortex-tui/src/external_editor.rs

Closes #74, #76, #78, #79