LLM/moltbot
1
0
Fork 0
mirror of https://github.com/moltbot/moltbot.git synced 2026-03-30 01:06:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden canonical auth matching for plugin channel routes

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 12:55:23 +01:00
parent 0231cac957
commit 0ed675b1df
3 changed files with 90 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
src/gateway/server-http.ts
View File

@@ -88,17 +88,50 @@ function isCanvasPath(pathname: string): boolean {
);
}
function decodePathnameOnce(pathname: string): string {
try {
return decodeURIComponent(pathname);
} catch {
return pathname;
function normalizeSecurityPath(pathname: string): string {
const collapsed = pathname.replace(/\/{2,}/g, "/");
if (collapsed.length <= 1) {
return collapsed;
}
return collapsed.replace(/\/+$/, "");
}
function canonicalizePathForSecurity(pathname: string): {
path: string;
malformedEncoding: boolean;
} {
let decoded = pathname;
let malformedEncoding = false;
try {
decoded = decodeURIComponent(pathname);
} catch {
malformedEncoding = true;
}
return {
path: normalizeSecurityPath(decoded.toLowerCase()) || "/",
malformedEncoding,
};
}
function hasProtectedPluginChannelPrefix(pathname: string): boolean {
return (
pathname === "/api/channels" ||
pathname.startsWith("/api/channels/") ||
pathname.startsWith("/api/channels%")
);
}
function isProtectedPluginChannelPath(pathname: string): boolean {
const normalized = decodePathnameOnce(pathname).toLowerCase();
return normalized === "/api/channels" || normalized.startsWith("/api/channels/");
const canonicalPath = canonicalizePathForSecurity(pathname);
if (hasProtectedPluginChannelPrefix(canonicalPath.path)) {
return true;
}
if (!canonicalPath.malformedEncoding) {
return false;
}
// Fail closed on bad %-encoding. Keep channel-prefix paths protected even
// when URL decoding fails.
return hasProtectedPluginChannelPrefix(normalizeSecurityPath(pathname.toLowerCase()));
}
function isNodeWsClient(client: GatewayWsClient): boolean {

80
src/gateway/server.plugin-http-auth.test.ts
View File

@@ -86,6 +86,20 @@ function createHooksConfig(): HooksConfigResolved {
};
}
function canonicalizePluginPath(pathname: string): string {
let decoded = pathname;
try {
decoded = decodeURIComponent(pathname);
} catch {
decoded = pathname;
}
const collapsed = decoded.toLowerCase().replace(/\/{2,}/g, "/");
if (collapsed.length <= 1) {
return collapsed;
}
return collapsed.replace(/\/+$/, "");
}
describe("gateway plugin HTTP auth boundary", () => {
test("applies default security headers and optional strict transport security", async () => {
const resolvedAuth: ResolvedGatewayAuth = {
@@ -256,7 +270,7 @@ describe("gateway plugin HTTP auth boundary", () => {
run: async () => {
const handlePluginRequest = vi.fn(async (req: IncomingMessage, res: ServerResponse) => {
const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
const canonicalPath = decodeURIComponent(pathname).toLowerCase();
const canonicalPath = canonicalizePluginPath(pathname);
if (canonicalPath === "/api/channels/nostr/default/profile") {
res.statusCode = 200;
res.setHeader("Content-Type", "application/json; charset=utf-8");
@@ -278,38 +292,42 @@ describe("gateway plugin HTTP auth boundary", () => {
resolvedAuth,
});
const unauthenticatedCaseVariant = createResponse();
await dispatchRequest(
server,
createRequest({ path: "/API/channels/nostr/default/profile" }),
unauthenticatedCaseVariant.res,
);
expect(unauthenticatedCaseVariant.res.statusCode).toBe(401);
expect(unauthenticatedCaseVariant.getBody()).toContain("Unauthorized");
const unauthenticatedVariants = [
"/API/channels/nostr/default/profile",
"/api/channels%2Fnostr%2Fdefault%2Fprofile",
"/api/%63hannels/nostr/default/profile",
"/api/channels//nostr/default/profile",
"/api/channels/nostr/default/profile/",
"/api/channels%2",
"/api//channels%2",
];
for (const path of unauthenticatedVariants) {
const response = createResponse();
await dispatchRequest(server, createRequest({ path }), response.res);
expect(response.res.statusCode).toBe(401);
expect(response.getBody()).toContain("Unauthorized");
}
expect(handlePluginRequest).not.toHaveBeenCalled();
const unauthenticatedEncodedSlash = createResponse();
await dispatchRequest(
server,
createRequest({ path: "/api/channels%2Fnostr%2Fdefault%2Fprofile" }),
unauthenticatedEncodedSlash.res,
);
expect(unauthenticatedEncodedSlash.res.statusCode).toBe(401);
expect(unauthenticatedEncodedSlash.getBody()).toContain("Unauthorized");
expect(handlePluginRequest).not.toHaveBeenCalled();
const authenticatedCaseVariant = createResponse();
await dispatchRequest(
server,
createRequest({
path: "/API/channels/nostr/default/profile",
authorization: "Bearer test-token",
}),
authenticatedCaseVariant.res,
);
expect(authenticatedCaseVariant.res.statusCode).toBe(200);
expect(authenticatedCaseVariant.getBody()).toContain('"route":"channel-canonicalized"');
expect(handlePluginRequest).toHaveBeenCalledTimes(1);
const authenticatedVariants = [
"/API/channels/nostr/default/profile",
"/api/%63hannels/nostr/default/profile",
"/api/channels//nostr/default/profile/",
];
for (const path of authenticatedVariants) {
const response = createResponse();
await dispatchRequest(
server,
createRequest({
path,
authorization: "Bearer test-token",
}),
response.res,
);
expect(response.res.statusCode).toBe(200);
expect(response.getBody()).toContain('"route":"channel-canonicalized"');
}
expect(handlePluginRequest).toHaveBeenCalledTimes(authenticatedVariants.length);
},
});
});