kobako 0.9.0-x86_64-linux → 0.9.2-x86_64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f3200b8962a6710eeb92c4e293caf6153617334c42945589bb825b8602c72cc5
-  data.tar.gz: 5a37c3f1010128d74afadb8193bb76c73d561611bdd50d3a2f2db69b45956d24
+  metadata.gz: f2b783a758091145f58f0a8e13b84c76c5c3a1420325ca2d272b5a58d31f7d38
+  data.tar.gz: b890067d1cc6af31a9cf74c8f3116504222ab1c64921715a3a9f35d6c60a9adb
 SHA512:
-  metadata.gz: 8bb785cb47fbca434bf31c6a70116482cf87c9dae4671c24dc8872b706efe756c2b432865e95dfaa2df0fed121c5b254f7adf26d363a5e77fc1617813987aeae
-  data.tar.gz: 7327b9ea8268ac98eb3431ef0bdcc7c65a896b78ca343d8d26b8f96be8bd31fe0236a5e13a86ec42aa528d0672c032edc8eb85bcc3341b7e1712cb47387364ea
+  metadata.gz: ee3aa19299ca309a21b3ae63d3cfd38ac322c3ebd4bd0d7b8aecac2e893edfaff7cf36ec5878f0f4f42c2e1f50fa68ad5df07e38d3d27829ce442162896cf848
+  data.tar.gz: 511eeeaeeb466f7ce6b441e88cb8927de4c58da73e7596b327b5658bcffd8ccbbe6aec6877b3461d7f2de2b0eb1b544da4dedf939a37dbf340cc56cee153dd85

data/.release-please-manifest.json

@@ -1 +1 @@
-{".":"0.9.0","wasm/kobako-core":"0.4.0","wasm/kobako":"0.4.0","wasm/kobako-io":"0.4.0","wasm/kobako-regexp":"0.4.0"}
+{".":"0.9.2","wasm/kobako-core":"0.4.1","wasm/kobako":"0.4.1","wasm/kobako-io":"0.4.1","wasm/kobako-regexp":"0.4.1"}

data/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [0.9.2](https://github.com/elct9620/kobako/compare/v0.9.1...v0.9.2) (2026-06-11)
+
+
+### Bug Fixes
+
+* **catalog:** never mint a Capability Handle for a reflective gadget ([6c2d29d](https://github.com/elct9620/kobako/commit/6c2d29d0fbcced5187df5538c2c6c437705fd6d8))
+* **ext:** cap stdin frames at 16 MiB like the run envelope ([a94099a](https://github.com/elct9620/kobako/commit/a94099a03830929c55fcb266e227073db9c5a624))
+* **ext:** deny guest ambient clock and entropy at the WASI layer ([1275b35](https://github.com/elct9620/kobako/commit/1275b35264813628a2aeb396a3546faf1f6d9d0c))
+* **transport:** reject reflective gadget methods in guest dispatch ([948fb9e](https://github.com/elct9620/kobako/commit/948fb9ea7d6c0d6bd91f6e261d3263743974388b))
+* **wasm:** mirror the reflection rejection in the guest proxy ([f6ead3b](https://github.com/elct9620/kobako/commit/f6ead3b91f1ac92c3c075397d177edb4b82cd15d))
+
+## [0.9.1](https://github.com/elct9620/kobako/compare/v0.9.0...v0.9.1) (2026-06-11)
+
+
+### Bug Fixes
+
+* **transport:** block ambient reflection in guest dispatch (GHSA-7pwq-q9jf-539h) ([dd08166](https://github.com/elct9620/kobako/commit/dd081665f368f7ba54e476c3ad045ee1aa8ed703))
+
 ## [0.9.0](https://github.com/elct9620/kobako/compare/v0.8.0...v0.9.0) (2026-06-10)
 
 

data/lib/kobako/catalog/handles.rb

@@ -30,6 +30,13 @@ module Kobako
     #     +0x7fff_ffff+ (2³¹ − 1). Allocation beyond the cap raises
     #     immediately — no silent truncation, no wrap, no ID reuse.
     class Handles
+      # Reflective gadget types that are never minted as a Capability Handle
+      # ({docs/behavior.md B-43}[link:../../../docs/behavior.md]): wrapping a
+      # +Binding+ / +Method+ / +UnboundMethod+ would hand the guest a callable
+      # proxy onto host reflection (a returned +Binding+ reaches +Binding#eval+).
+      UNWRAPPABLE_TYPES = [Binding, Method, UnboundMethod].freeze
+      private_constant :UNWRAPPABLE_TYPES
+
       # Build a fresh, empty table. +next_id+ is an internal seam that
       # sets the starting value of the monotonic counter (defaults to 1 per
       # B-15); tests pass a value near +Kobako::Handle::MAX_ID+ to exercise
@@ -53,14 +60,9 @@ module Kobako
       # is reserved for the codec's wire-decode path, where the id is
       # the only thing the bytes carry.
       def alloc(object)
+        reject_unwrappable!(object)
+        ensure_capacity!
         id = @next_id
-        cap = Kobako::Handle::MAX_ID
-        if id > cap
-          raise HandlerExhaustedError,
-                "Out of handle allocations: too many host objects were referenced " \
-                "in a single invocation (limit #{cap})"
-        end
-
         @entries[id] = object
         @next_id = id + 1
         Kobako::Handle.restore(id)
@@ -94,6 +96,27 @@ module Kobako
 
       private
 
+      # Refuse to mint a Capability Handle for a reflective gadget
+      # ({UNWRAPPABLE_TYPES}, B-43). Raising here keeps the rule at the single
+      # mint point, so it holds on both the Service-return (B-14) and the
+      # +#run+ host→guest auto-wrap (B-34) paths.
+      def reject_unwrappable!(object)
+        return unless UNWRAPPABLE_TYPES.any? { |type| object.is_a?(type) }
+
+        raise SandboxError, "a #{object.class} cannot cross as a Capability Handle"
+      end
+
+      # Guard {#alloc} against issuing an ID past the B-21 cap. Returns +nil+
+      # on success; raises +Kobako::HandlerExhaustedError+ at exhaustion.
+      def ensure_capacity!
+        cap = Kobako::Handle::MAX_ID
+        return unless @next_id > cap
+
+        raise HandlerExhaustedError,
+              "Out of handle allocations: too many host objects were referenced " \
+              "in a single invocation (limit #{cap})"
+      end
+
       # Single source of truth for the "unknown Handle id" raise used by
       # {#fetch}. Returns +nil+ on success; raises +Kobako::SandboxError+
       # when +id+ is not currently bound.

data/lib/kobako/catalog/namespaces.rb

@@ -3,7 +3,6 @@
 require_relative "handles"
 require_relative "../codec"
 require_relative "../errors"
-require_relative "../transport/request"
 require_relative "../namespace"
 
 module Kobako

data/lib/kobako/codec.rb

@@ -1,6 +1,10 @@
 # frozen_string_literal: true
 
 require_relative "codec/error"
+require_relative "codec/utils"
+require_relative "codec/factory"
+require_relative "codec/encoder"
+require_relative "codec/decoder"
 
 module Kobako
   # Host-side MessagePack codec for the kobako wire contract — the
@@ -17,15 +21,10 @@ module Kobako
   # {Decoder} are thin wrappers that register the three kobako-specific
   # ext types (0x00 Symbol, 0x01 Capability Handle, 0x02 Exception
   # envelope) on a single +MessagePack::Factory+ instance. The Rust side
-  # mirrors this layer as the +codec+ module in the +kobako-wasm+ crate;
+  # mirrors this layer as the +codec+ module in the +kobako-core+ crate;
   # the ext-code constants live as module-private values on {Factory}
   # alongside +codec::EXT_SYMBOL+ / +codec::EXT_HANDLE+ /
   # +codec::EXT_ERRENV+ on that side.
   module Codec
   end
 end
-
-require_relative "codec/utils"
-require_relative "codec/factory"
-require_relative "codec/encoder"
-require_relative "codec/decoder"

data/lib/kobako/transport/dispatcher.rb

@@ -42,6 +42,32 @@ module Kobako
       # ({docs/behavior.md E-12}[link:../../../docs/behavior.md]).
       class UndefinedTargetError < StandardError; end
 
+      # Modules whose instance methods are ambient Ruby reflection /
+      # metaprogramming surface (+send+, +public_send+, +instance_eval+,
+      # +method+, +tap+, +instance_variable_get+, ...) rather than Service
+      # behaviour. A guest-supplied method name resolving to one of these is
+      # rejected ({docs/behavior.md B-42}[link:../../../docs/behavior.md]):
+      # only methods the bound object itself exposes as Service behaviour are
+      # reachable, and +public_send(:send, ...)+ would otherwise let a guest
+      # pivot through +send+ into the private +Kernel#eval+ / +#system+
+      # surface (host RCE).
+      META_OWNERS = [BasicObject, Kernel, Object, Module, Class].freeze
+      private_constant :META_OWNERS
+
+      # Callable gadget types whose own public methods are reflection surface
+      # (+Proc#binding+ reaches +Binding#eval+, +Method#receiver+ / +#unbind+
+      # hand back the underlying object) rather than Service behaviour. Only
+      # {CALLABLE_ALLOW} is reachable on a target of these types; a bound
+      # lambda stays invocable, its reflective surface does not (B-42).
+      GADGET_OWNERS = [Proc, Method, UnboundMethod, Binding].freeze
+      private_constant :GADGET_OWNERS
+
+      # The sole methods reachable on a {GADGET_OWNERS} target: invoking it
+      # (+call+ / +[]+ / +yield+) and the harmless +arity+ / +lambda?+
+      # describers that aid guest-side debugging.
+      CALLABLE_ALLOW = %i[call [] yield arity lambda?].freeze
+      private_constant :CALLABLE_ALLOW
+
       # Dispatch a single transport request and return the encoded
       # Response bytes ({docs/behavior.md B-12}[link:../../../docs/behavior.md]).
       # Invoked from the +Runtime#on_dispatch+ Proc that
@@ -109,14 +135,37 @@ module Kobako
       # so the same call site handles both cases without an explicit
       # conditional.
       def invoke(target, method, args, kwargs, yielder = nil)
+        name = method.to_sym
+        reject_meta_method!(target, name)
         block = yielder&.to_proc
         if kwargs.empty?
-          target.public_send(method.to_sym, *args, &block)
+          target.public_send(name, *args, &block)
         else
-          target.public_send(method.to_sym, *args, **kwargs, &block)
+          target.public_send(name, *args, **kwargs, &block)
         end
       end
 
+      # Guard the +public_send+ below against ambient reflection methods
+      # ({docs/behavior.md B-42}[link:../../../docs/behavior.md]). A public
+      # method whose owner is a {META_OWNERS} or {GADGET_OWNERS} module is
+      # rejected, except {CALLABLE_ALLOW} on a gadget target (a bound lambda
+      # stays invocable). A name with no concrete public method is allowed
+      # only when the target opts into it via +respond_to?+ (dynamic
+      # +method_missing+ Services), since the dangerous methods are all
+      # concretely defined and therefore never reach that branch.
+      def reject_meta_method!(target, name)
+        owner = target.public_method(name).owner
+        gadget = GADGET_OWNERS.include?(owner)
+        return unless META_OWNERS.include?(owner) || gadget
+        return if gadget && CALLABLE_ALLOW.include?(name)
+
+        raise UndefinedTargetError, "method #{name.inspect} is not a Service method"
+      rescue NameError
+        return if target.respond_to?(name)
+
+        raise UndefinedTargetError, "no public method #{name.inspect} on target"
+      end
+
       # {docs/behavior.md B-16}[link:../../../docs/behavior.md] — A Kobako::Handle arriving as a positional or keyword
       # argument identifies a host-side object previously allocated by a prior
       # transport call's Handle wrap (B-14). Resolve it back to the Ruby object before

data/lib/kobako/transport/request.rb

@@ -5,16 +5,8 @@ require_relative "../codec"
 
 module Kobako
   # See lib/kobako/transport.rb for the umbrella module doc; this file
-  # owns the Request value object and its +#encode+ / +.decode+ codec,
-  # plus the +STATUS_OK+ / +STATUS_ERROR+ constants shared with Response.
+  # owns the Request value object and its +#encode+ / +.decode+ codec.
   module Transport
-    # ---------------- Response status bytes (docs/wire-contract.md § Response Shape) ---
-
-    # Response variant marker for the success branch.
-    STATUS_OK    = 0
-    # Response variant marker for the fault branch.
-    STATUS_ERROR = 1
-
     # Value object for a single guest-initiated Transport Request
     # ({docs/wire-codec.md Envelope Encoding → Request}[link:../../../docs/wire-codec.md]).
     #

data/lib/kobako/transport/response.rb

@@ -2,12 +2,19 @@
 
 require_relative "../codec"
 require_relative "../fault"
-require_relative "request"
 
 module Kobako
   # See lib/kobako/transport.rb for the umbrella module doc; this file
-  # owns the Response value object and its +#encode+ / +.decode+ codec.
+  # owns the Response value object and its +#encode+ / +.decode+ codec,
+  # plus the +STATUS_OK+ / +STATUS_ERROR+ status bytes.
   module Transport
+    # ---------------- Response status bytes (docs/wire-contract.md § Response Shape) ---
+
+    # Response variant marker for the success branch.
+    STATUS_OK    = 0
+    # Response variant marker for the fault branch.
+    STATUS_ERROR = 1
+
     # Value object for a single host-side Transport Response
     # ({docs/wire-codec.md Envelope Encoding → Response}[link:../../../docs/wire-codec.md]).
     #

data/lib/kobako/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Kobako
-  VERSION = "0.9.0"
+  VERSION = "0.9.2"
 end

data/sig/kobako/catalog/handles.rbs

@@ -1,6 +1,8 @@
 module Kobako
   module Catalog
     class Handles
+      UNWRAPPABLE_TYPES: Array[Module]
+
       def initialize: (?next_id: Integer) -> void
 
       def alloc: (untyped object) -> Kobako::Handle
@@ -13,6 +15,10 @@ module Kobako
 
       private
 
+      def reject_unwrappable!: (untyped object) -> void
+
+      def ensure_capacity!: () -> void
+
       def require_bound!: (Integer id) -> void
     end
   end

data/sig/kobako/transport/dispatcher.rbs

@@ -6,6 +6,12 @@ module Kobako
 
       BREAK_THROW: Symbol
 
+      META_OWNERS: Array[Module]
+
+      GADGET_OWNERS: Array[Module]
+
+      CALLABLE_ALLOW: Array[Symbol]
+
       def self?.dispatch: (String request_bytes, Kobako::Catalog::Namespaces namespaces, Kobako::Catalog::Handles handler, ^(String) -> String yield_to_guest) -> String
 
       def self?.resolve_call_args: (Kobako::Transport::Request request, Kobako::Catalog::Handles handler) -> [Array[untyped], Hash[Symbol, untyped]]
@@ -14,6 +20,8 @@ module Kobako
 
       def self?.invoke: (untyped target, String method, Array[untyped] args, Hash[Symbol, untyped] kwargs, ?Kobako::Transport::Yielder? yielder) -> untyped
 
+      def self?.reject_meta_method!: (untyped target, Symbol name) -> void
+
       def self?.resolve_arg: (untyped value, Kobako::Catalog::Handles handler) -> untyped
 
       def self?.resolve_target: (String | Kobako::Handle target, Kobako::Catalog::Namespaces namespaces, Kobako::Catalog::Handles handler) -> untyped

data/sig/kobako/transport/request.rbs

@@ -1,8 +1,5 @@
 module Kobako
   module Transport
-    STATUS_OK: Integer
-    STATUS_ERROR: Integer
-
     class Request < Data
       attr_reader target: String | Kobako::Handle
       attr_reader method_name: String

data/sig/kobako/transport/response.rbs

@@ -1,5 +1,8 @@
 module Kobako
   module Transport
+    STATUS_OK: Integer
+    STATUS_ERROR: Integer
+
     class Response < Data
       attr_reader status: Integer
       attr_reader payload: untyped

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kobako
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.9.2
 platform: x86_64-linux
 authors:
 - Aotokitsuruya
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2026-06-10 00:00:00.000000000 Z
+date: 2026-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: msgpack