feat(security): security hardening, proxy support, and GL045 HTTP include warning
Security fixes: - Path traversal guard in include: local: — paths with ../ that escape the repo root are rejected instead of reading arbitrary host files - HTTP timeout (30 s) on all fetcher requests to prevent indefinite hangs - Response size cap (10 MiB) via io.LimitReader to prevent memory exhaustion - Cache directory and file permissions tightened to 0700/0600 - LSP Content-Length cap (64 MiB) to guard against DoS from a malicious client New feature: - --proxy flag on check, graph, and lsp subcommands; also proxy: key in .glint.yml; overrides system HTTP_PROXY / HTTPS_PROXY env vars when set; cmdGraph and cmdLSP now also load .glint.yml for proxy/token/url fallbacks New lint rule: - GL045 (Warning): include: remote: using plain http:// instead of https:// Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -66,6 +66,11 @@ func (s *Server) Run() error {
|
||||
}
|
||||
}
|
||||
|
||||
// maxLSPMessageBytes caps the body size accepted from an LSP client.
|
||||
// A legitimate editor message is never this large; enforcing the cap prevents
|
||||
// a crafted Content-Length from triggering a multi-gigabyte allocation.
|
||||
const maxLSPMessageBytes = 64 << 20 // 64 MiB
|
||||
|
||||
// readMessage reads one Content-Length–framed JSON-RPC message from the stream.
|
||||
func (s *Server) readMessage() (*Message, error) {
|
||||
var contentLength int
|
||||
@@ -92,6 +97,9 @@ func (s *Server) readMessage() (*Message, error) {
|
||||
if contentLength == 0 {
|
||||
return nil, fmt.Errorf("missing or zero Content-Length header")
|
||||
}
|
||||
if contentLength > maxLSPMessageBytes {
|
||||
return nil, fmt.Errorf("Content-Length %d exceeds maximum %d", contentLength, maxLSPMessageBytes)
|
||||
}
|
||||
|
||||
body := make([]byte, contentLength)
|
||||
if _, err := io.ReadFull(s.in, body); err != nil {
|
||||
|
||||
@@ -364,6 +364,20 @@ func TestServer_DidClose_ClearsdiAgnostics(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestServer_ContentLengthTooLarge(t *testing.T) {
|
||||
// Craft a header with a content-length that exceeds the cap.
|
||||
// The server must reject it before allocating a giant buffer.
|
||||
header := fmt.Sprintf("Content-Length: %d\r\n\r\n", maxLSPMessageBytes+1)
|
||||
srv, _, _ := newTestServer([]byte(header))
|
||||
err := srv.Run()
|
||||
if err == nil {
|
||||
t.Fatal("expected error for oversized Content-Length, got nil")
|
||||
}
|
||||
if !strings.Contains(err.Error(), "exceeds maximum") {
|
||||
t.Errorf("unexpected error: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestServer_UriToPath(t *testing.T) {
|
||||
tests := []struct {
|
||||
uri string
|
||||
|
||||
Reference in New Issue
Block a user