kobako 0.9.1 → 0.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f2af9677bcec2d298db05d1259360b9589ac7726d855157dbbfd0be0ca666472
-  data.tar.gz: 5ed589a7b179274650d04280d9f84456873ec6fbab46166e85974a3d92d9ab9d
+  metadata.gz: 3177d01c5cb742a539ac9713226c17c159299911344b1590a680aacd99aa70fd
+  data.tar.gz: 6f9a4503a56855076b1f5d83725775669ae4c34283b24bcb8467485509e26c03
 SHA512:
-  metadata.gz: 59c775f5aacdf0b81a8f00970385974d2e7173b356d9886bd7e173f006a668449eb1672833b222129a227a5f4a3746b92d1fece7b44265eba44963414406b8d2
-  data.tar.gz: d902273d0c0df298c41e6be747d692ba8ceec86f564c81cd81347a75bf2a78b2fc35cfd73ccbd44696cabcff01cfdcf76d7260ba99cd2f194a1400cdbe4e88df
+  metadata.gz: b8f0f15f5c76c54b785e109ca6f7c10a37ebc7394d49f05637b18ace67a1326f941aa0a03ee99b985d8b09b70c39ba42c8318f9dd4fe885dba530472e5b24c81
+  data.tar.gz: 794e0c2f476fceaee007fbeb1c8082accd8d1de2de682aa333606bc0ab6593ed281abda277222ca51d58a88f2663d37220e8068891396565221ecc694bdc2b68

data/.release-please-manifest.json

@@ -1 +1 @@
-{".":"0.9.1","wasm/kobako-core":"0.4.0","wasm/kobako":"0.4.0","wasm/kobako-io":"0.4.0","wasm/kobako-regexp":"0.4.0"}
+{".":"0.9.2","wasm/kobako-core":"0.4.1","wasm/kobako":"0.4.1","wasm/kobako-io":"0.4.1","wasm/kobako-regexp":"0.4.1"}

data/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## [0.9.2](https://github.com/elct9620/kobako/compare/v0.9.1...v0.9.2) (2026-06-11)
+
+
+### Bug Fixes
+
+* **catalog:** never mint a Capability Handle for a reflective gadget ([6c2d29d](https://github.com/elct9620/kobako/commit/6c2d29d0fbcced5187df5538c2c6c437705fd6d8))
+* **ext:** cap stdin frames at 16 MiB like the run envelope ([a94099a](https://github.com/elct9620/kobako/commit/a94099a03830929c55fcb266e227073db9c5a624))
+* **ext:** deny guest ambient clock and entropy at the WASI layer ([1275b35](https://github.com/elct9620/kobako/commit/1275b35264813628a2aeb396a3546faf1f6d9d0c))
+* **transport:** reject reflective gadget methods in guest dispatch ([948fb9e](https://github.com/elct9620/kobako/commit/948fb9ea7d6c0d6bd91f6e261d3263743974388b))
+* **wasm:** mirror the reflection rejection in the guest proxy ([f6ead3b](https://github.com/elct9620/kobako/commit/f6ead3b91f1ac92c3c075397d177edb4b82cd15d))
+
 ## [0.9.1](https://github.com/elct9620/kobako/compare/v0.9.0...v0.9.1) (2026-06-11)
 
 

data/Cargo.lock

@@ -878,7 +878,7 @@ dependencies = [
 
 [[package]]
 name = "kobako"
-version = "0.9.1"
+version = "0.9.2"
 dependencies = [
  "magnus",
  "wasmtime",

data/Cargo.toml

@@ -9,3 +9,9 @@ members = ["./ext/kobako"]
 # dependency graphs separate.
 exclude = ["wasm", "vendor"]
 resolver = "2"
+
+# Strip the local-symbol table from the shipped ext (~22% of the binary).
+# Guest wasm backtraces and Rust panic locations don't depend on it; for
+# native-crash debugging rebuild with `RB_SYS_CARGO_PROFILE=dev`.
+[profile.release]
+strip = true

data/ext/kobako/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "kobako"
-version = "0.9.1"
+version = "0.9.2"
 edition = "2021"
 authors = ["Aotokitsuruya <contact@aotoki.me>"]
 license = "Apache-2.0"

data/ext/kobako/src/runtime/ambient.rs

@@ -0,0 +1,78 @@
+//! Defense-in-depth denial of guest ambient authority at the WASI layer.
+//!
+//! `wasmtime-wasi`'s `WasiCtxBuilder` defaults the guest's `wasi:clocks` to
+//! the host wall / monotonic clock and `wasi:random` to a fresh per-context
+//! seed. No allowlisted mrbgem reaches these preview1 imports today
+//! (`build_config/wasi.rb`), but a future libc-backed gem would silently
+//! obtain real time and host entropy — a covert timing channel and a
+//! nondeterminism source the sandbox deliberately excludes (docs/security.md).
+//! Pinning the clocks to the Unix epoch and the RNG to a constant stream
+//! makes that denial a property of the host, not merely of the gem allowlist.
+//!
+//! The host wall-clock cap is unaffected: the per-invocation timeout runs on
+//! wasmtime epoch interruption against a host `Instant`, never the guest's
+//! frozen `wasi:clocks/monotonic-clock` (docs/behavior.md B-01).
+
+use std::time::Duration;
+
+use wasmtime_wasi::random::Deterministic;
+use wasmtime_wasi::{HostMonotonicClock, HostWallClock};
+
+/// Wall clock frozen at the Unix epoch — the guest observes no real time.
+pub(super) struct FrozenWallClock;
+
+impl HostWallClock for FrozenWallClock {
+    fn resolution(&self) -> Duration {
+        Duration::from_secs(1)
+    }
+
+    fn now(&self) -> Duration {
+        Duration::ZERO
+    }
+}
+
+/// Monotonic clock frozen at zero — the guest observes no elapsed time.
+pub(super) struct FrozenMonotonicClock;
+
+impl HostMonotonicClock for FrozenMonotonicClock {
+    fn resolution(&self) -> u64 {
+        1
+    }
+
+    fn now(&self) -> u64 {
+        0
+    }
+}
+
+/// Constant-stream RNG handed to the guest's `wasi:random`, so a guest that
+/// reaches `random_get` receives no host entropy.
+pub(super) fn deterministic_rng() -> Deterministic {
+    Deterministic::new(vec![0])
+}
+
+#[cfg(test)]
+mod tests {
+    //! Pin the frozen-clock contract: the guest must observe no real wall
+    //! or monotonic time through `wasi:clocks`, regardless of the host's
+    //! actual clock. A regression that reverts either clock to the WASI
+    //! default would re-expose ambient time to a future libc-backed gem.
+    use super::*;
+
+    #[test]
+    fn the_guest_wall_clock_reads_the_unix_epoch() {
+        assert_eq!(
+            FrozenWallClock.now(),
+            Duration::ZERO,
+            "guest wasi:clocks/wall-clock must read the Unix epoch, not host time"
+        );
+    }
+
+    #[test]
+    fn the_guest_monotonic_clock_never_advances() {
+        assert_eq!(
+            FrozenMonotonicClock.now(),
+            0,
+            "guest wasi:clocks/monotonic-clock must stay frozen at zero"
+        );
+    }
+}

data/ext/kobako/src/runtime/invocation.rs

@@ -18,7 +18,7 @@
 //! initial allocation and prior invocations' watermark are outside the
 //! budget.
 //!
-//! [SPEC.md Single-Invocation Slot]: ../../../SPEC.md
+//! [SPEC.md Single-Invocation Slot]: ../../../../SPEC.md
 
 use std::cell::{Ref, RefCell, RefMut};
 use std::time::{Duration, Instant};

data/ext/kobako/src/runtime.rs

@@ -31,6 +31,7 @@
 // `timeout_err` / `memory_limit_err` / `setup_err` constructors shared by
 // every submodule, and the Ruby init() that registers the class.
 
+mod ambient;
 mod cache;
 mod capture;
 mod config;
@@ -506,7 +507,7 @@ impl Runtime {
             rstring_to_vec(preamble),
             rstring_to_vec(source),
             rstring_to_vec(snippets),
-        ]);
+        ])?;
         self.call_with_caps(eval, ())
             .map_err(|e| trap::call_err(&ruby, e))?;
         self.build_snapshot(&ruby)
@@ -530,7 +531,7 @@ impl Runtime {
     ) -> Result<Snapshot, MagnusError> {
         let ruby = Ruby::get().expect("Ruby thread");
         let run = require_export(&ruby, self.exports.run.as_ref())?;
-        self.refresh_wasi(&[rstring_to_vec(preamble), rstring_to_vec(snippets)]);
+        self.refresh_wasi(&[rstring_to_vec(preamble), rstring_to_vec(snippets)])?;
         let (env_ptr, env_len) = self.write_envelope(&ruby, envelope)?;
         self.call_with_caps(run, (env_ptr, env_len))
             .map_err(|e| trap::call_err(&ruby, e))?;
@@ -735,8 +736,18 @@ impl Runtime {
     /// `capture::clip_capture` can distinguish "wrote exactly cap
     /// bytes" from "exceeded cap"; uncapped channels fall back
     /// to `usize::MAX` and rely on `memory_limit` (docs/behavior.md E-20)
-    /// for the real ceiling.
-    fn refresh_wasi(&self, frames: &[Vec<u8>]) {
+    /// for the real ceiling. Raises `Kobako::TrapError` when any frame
+    /// exceeds the 16 MiB cap that keeps its `u32` length prefix from
+    /// wrapping.
+    fn refresh_wasi(&self, frames: &[Vec<u8>]) -> Result<(), MagnusError> {
+        let ruby = Ruby::get().expect("Ruby thread");
+        // Every frame carries the same 16 MiB cap as the `#run` envelope
+        // (`write_envelope`): the length prefix is a `u32`, so a frame past
+        // the cap would silently wrap and corrupt the stdin frame stream.
+        for frame in frames {
+            guest_mem::checked_payload_len(frame.len()).map_err(|msg| trap_err(&ruby, msg))?;
+        }
+
         let total: usize = frames.iter().map(|f| 4 + f.len()).sum();
         let mut stdin_content: Vec<u8> = Vec::with_capacity(total);
         for frame in frames {
@@ -754,12 +765,18 @@ impl Runtime {
         builder.stdin(stdin_pipe);
         builder.stdout(stdout_pipe.clone());
         builder.stderr(stderr_pipe.clone());
+        // Deny the preview1 ambient-authority imports the guest never legitimately
+        // reaches but the WASI layer would otherwise grant (see `ambient`).
+        builder.wall_clock(ambient::FrozenWallClock);
+        builder.monotonic_clock(ambient::FrozenMonotonicClock);
+        builder.secure_random(ambient::deterministic_rng());
         let wasi = builder.build_p1();
 
         self.store
             .borrow_mut()
             .data_mut()
             .install_wasi(wasi, stdout_pipe, stderr_pipe);
+        Ok(())
     }
 
     /// Invoke `__kobako_take_outcome`, decode the packed `(ptr<<32)|len`

data/lib/kobako/catalog/handles.rb

@@ -30,6 +30,13 @@ module Kobako
     #     +0x7fff_ffff+ (2³¹ − 1). Allocation beyond the cap raises
     #     immediately — no silent truncation, no wrap, no ID reuse.
     class Handles
+      # Reflective gadget types that are never minted as a Capability Handle
+      # ({docs/behavior.md B-43}[link:../../../docs/behavior.md]): wrapping a
+      # +Binding+ / +Method+ / +UnboundMethod+ would hand the guest a callable
+      # proxy onto host reflection (a returned +Binding+ reaches +Binding#eval+).
+      UNWRAPPABLE_TYPES = [Binding, Method, UnboundMethod].freeze
+      private_constant :UNWRAPPABLE_TYPES
+
       # Build a fresh, empty table. +next_id+ is an internal seam that
       # sets the starting value of the monotonic counter (defaults to 1 per
       # B-15); tests pass a value near +Kobako::Handle::MAX_ID+ to exercise
@@ -53,14 +60,9 @@ module Kobako
       # is reserved for the codec's wire-decode path, where the id is
       # the only thing the bytes carry.
       def alloc(object)
+        reject_unwrappable!(object)
+        ensure_capacity!
         id = @next_id
-        cap = Kobako::Handle::MAX_ID
-        if id > cap
-          raise HandlerExhaustedError,
-                "Out of handle allocations: too many host objects were referenced " \
-                "in a single invocation (limit #{cap})"
-        end
-
         @entries[id] = object
         @next_id = id + 1
         Kobako::Handle.restore(id)
@@ -94,6 +96,27 @@ module Kobako
 
       private
 
+      # Refuse to mint a Capability Handle for a reflective gadget
+      # ({UNWRAPPABLE_TYPES}, B-43). Raising here keeps the rule at the single
+      # mint point, so it holds on both the Service-return (B-14) and the
+      # +#run+ host→guest auto-wrap (B-34) paths.
+      def reject_unwrappable!(object)
+        return unless UNWRAPPABLE_TYPES.any? { |type| object.is_a?(type) }
+
+        raise SandboxError, "a #{object.class} cannot cross as a Capability Handle"
+      end
+
+      # Guard {#alloc} against issuing an ID past the B-21 cap. Returns +nil+
+      # on success; raises +Kobako::HandlerExhaustedError+ at exhaustion.
+      def ensure_capacity!
+        cap = Kobako::Handle::MAX_ID
+        return unless @next_id > cap
+
+        raise HandlerExhaustedError,
+              "Out of handle allocations: too many host objects were referenced " \
+              "in a single invocation (limit #{cap})"
+      end
+
       # Single source of truth for the "unknown Handle id" raise used by
       # {#fetch}. Returns +nil+ on success; raises +Kobako::SandboxError+
       # when +id+ is not currently bound.

data/lib/kobako/catalog/namespaces.rb

@@ -3,7 +3,6 @@
 require_relative "handles"
 require_relative "../codec"
 require_relative "../errors"
-require_relative "../transport/request"
 require_relative "../namespace"
 
 module Kobako

data/lib/kobako/codec.rb

@@ -1,6 +1,10 @@
 # frozen_string_literal: true
 
 require_relative "codec/error"
+require_relative "codec/utils"
+require_relative "codec/factory"
+require_relative "codec/encoder"
+require_relative "codec/decoder"
 
 module Kobako
   # Host-side MessagePack codec for the kobako wire contract — the
@@ -17,15 +21,10 @@ module Kobako
   # {Decoder} are thin wrappers that register the three kobako-specific
   # ext types (0x00 Symbol, 0x01 Capability Handle, 0x02 Exception
   # envelope) on a single +MessagePack::Factory+ instance. The Rust side
-  # mirrors this layer as the +codec+ module in the +kobako-wasm+ crate;
+  # mirrors this layer as the +codec+ module in the +kobako-core+ crate;
   # the ext-code constants live as module-private values on {Factory}
   # alongside +codec::EXT_SYMBOL+ / +codec::EXT_HANDLE+ /
   # +codec::EXT_ERRENV+ on that side.
   module Codec
   end
 end
-
-require_relative "codec/utils"
-require_relative "codec/factory"
-require_relative "codec/encoder"
-require_relative "codec/decoder"

data/lib/kobako/transport/dispatcher.rb

@@ -46,13 +46,28 @@ module Kobako
       # metaprogramming surface (+send+, +public_send+, +instance_eval+,
       # +method+, +tap+, +instance_variable_get+, ...) rather than Service
       # behaviour. A guest-supplied method name resolving to one of these is
-      # rejected: the security contract is that only methods the bound object
-      # itself defines are reachable, and +public_send(:send, ...)+ would
-      # otherwise let a guest pivot through +send+ into the private
-      # +Kernel#eval+ / +#system+ surface (host RCE).
+      # rejected ({docs/behavior.md B-42}[link:../../../docs/behavior.md]):
+      # only methods the bound object itself exposes as Service behaviour are
+      # reachable, and +public_send(:send, ...)+ would otherwise let a guest
+      # pivot through +send+ into the private +Kernel#eval+ / +#system+
+      # surface (host RCE).
       META_OWNERS = [BasicObject, Kernel, Object, Module, Class].freeze
       private_constant :META_OWNERS
 
+      # Callable gadget types whose own public methods are reflection surface
+      # (+Proc#binding+ reaches +Binding#eval+, +Method#receiver+ / +#unbind+
+      # hand back the underlying object) rather than Service behaviour. Only
+      # {CALLABLE_ALLOW} is reachable on a target of these types; a bound
+      # lambda stays invocable, its reflective surface does not (B-42).
+      GADGET_OWNERS = [Proc, Method, UnboundMethod, Binding].freeze
+      private_constant :GADGET_OWNERS
+
+      # The sole methods reachable on a {GADGET_OWNERS} target: invoking it
+      # (+call+ / +[]+ / +yield+) and the harmless +arity+ / +lambda?+
+      # describers that aid guest-side debugging.
+      CALLABLE_ALLOW = %i[call [] yield arity lambda?].freeze
+      private_constant :CALLABLE_ALLOW
+
       # Dispatch a single transport request and return the encoded
       # Response bytes ({docs/behavior.md B-12}[link:../../../docs/behavior.md]).
       # Invoked from the +Runtime#on_dispatch+ Proc that
@@ -131,14 +146,18 @@ module Kobako
       end
 
       # Guard the +public_send+ below against ambient reflection methods
-      # (see {META_OWNERS}). A concretely-defined public method whose owner
-      # is a meta module is rejected; a name with no concrete public method
-      # is allowed only when the target opts into it via +respond_to?+
-      # (dynamic +method_missing+ Services), since the dangerous meta methods
-      # are all concretely defined and therefore never reach that branch.
+      # ({docs/behavior.md B-42}[link:../../../docs/behavior.md]). A public
+      # method whose owner is a {META_OWNERS} or {GADGET_OWNERS} module is
+      # rejected, except {CALLABLE_ALLOW} on a gadget target (a bound lambda
+      # stays invocable). A name with no concrete public method is allowed
+      # only when the target opts into it via +respond_to?+ (dynamic
+      # +method_missing+ Services), since the dangerous methods are all
+      # concretely defined and therefore never reach that branch.
       def reject_meta_method!(target, name)
         owner = target.public_method(name).owner
-        return unless META_OWNERS.include?(owner)
+        gadget = GADGET_OWNERS.include?(owner)
+        return unless META_OWNERS.include?(owner) || gadget
+        return if gadget && CALLABLE_ALLOW.include?(name)
 
         raise UndefinedTargetError, "method #{name.inspect} is not a Service method"
       rescue NameError

data/lib/kobako/transport/request.rb

@@ -5,16 +5,8 @@ require_relative "../codec"
 
 module Kobako
   # See lib/kobako/transport.rb for the umbrella module doc; this file
-  # owns the Request value object and its +#encode+ / +.decode+ codec,
-  # plus the +STATUS_OK+ / +STATUS_ERROR+ constants shared with Response.
+  # owns the Request value object and its +#encode+ / +.decode+ codec.
   module Transport
-    # ---------------- Response status bytes (docs/wire-contract.md § Response Shape) ---
-
-    # Response variant marker for the success branch.
-    STATUS_OK    = 0
-    # Response variant marker for the fault branch.
-    STATUS_ERROR = 1
-
     # Value object for a single guest-initiated Transport Request
     # ({docs/wire-codec.md Envelope Encoding → Request}[link:../../../docs/wire-codec.md]).
     #

data/lib/kobako/transport/response.rb

@@ -2,12 +2,19 @@
 
 require_relative "../codec"
 require_relative "../fault"
-require_relative "request"
 
 module Kobako
   # See lib/kobako/transport.rb for the umbrella module doc; this file
-  # owns the Response value object and its +#encode+ / +.decode+ codec.
+  # owns the Response value object and its +#encode+ / +.decode+ codec,
+  # plus the +STATUS_OK+ / +STATUS_ERROR+ status bytes.
   module Transport
+    # ---------------- Response status bytes (docs/wire-contract.md § Response Shape) ---
+
+    # Response variant marker for the success branch.
+    STATUS_OK    = 0
+    # Response variant marker for the fault branch.
+    STATUS_ERROR = 1
+
     # Value object for a single host-side Transport Response
     # ({docs/wire-codec.md Envelope Encoding → Response}[link:../../../docs/wire-codec.md]).
     #

data/lib/kobako/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Kobako
-  VERSION = "0.9.1"
+  VERSION = "0.9.2"
 end

data/release-please-config.json

@@ -7,8 +7,7 @@
       "component": "kobako",
       "include-component-in-tag": false,
       "release-type": "ruby",
-      "exclude-paths": ["wasm"],
-      "release-as": "0.9.1"
+      "exclude-paths": ["wasm"]
     },
     "wasm/kobako-core": {
       "component": "kobako-core",

data/sig/kobako/catalog/handles.rbs

@@ -1,6 +1,8 @@
 module Kobako
   module Catalog
     class Handles
+      UNWRAPPABLE_TYPES: Array[Module]
+
       def initialize: (?next_id: Integer) -> void
 
       def alloc: (untyped object) -> Kobako::Handle
@@ -13,6 +15,10 @@ module Kobako
 
       private
 
+      def reject_unwrappable!: (untyped object) -> void
+
+      def ensure_capacity!: () -> void
+
       def require_bound!: (Integer id) -> void
     end
   end

data/sig/kobako/transport/dispatcher.rbs

@@ -8,6 +8,10 @@ module Kobako
 
       META_OWNERS: Array[Module]
 
+      GADGET_OWNERS: Array[Module]
+
+      CALLABLE_ALLOW: Array[Symbol]
+
       def self?.dispatch: (String request_bytes, Kobako::Catalog::Namespaces namespaces, Kobako::Catalog::Handles handler, ^(String) -> String yield_to_guest) -> String
 
       def self?.resolve_call_args: (Kobako::Transport::Request request, Kobako::Catalog::Handles handler) -> [Array[untyped], Hash[Symbol, untyped]]

data/sig/kobako/transport/request.rbs

@@ -1,8 +1,5 @@
 module Kobako
   module Transport
-    STATUS_OK: Integer
-    STATUS_ERROR: Integer
-
     class Request < Data
       attr_reader target: String | Kobako::Handle
       attr_reader method_name: String

data/sig/kobako/transport/response.rbs

@@ -1,5 +1,8 @@
 module Kobako
   module Transport
+    STATUS_OK: Integer
+    STATUS_ERROR: Integer
+
     class Response < Data
       attr_reader status: Integer
       attr_reader payload: untyped

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kobako
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.9.2
 platform: ruby
 authors:
 - Aotokitsuruya
@@ -58,6 +58,7 @@ files:
 - ext/kobako/extconf.rb
 - ext/kobako/src/lib.rs
 - ext/kobako/src/runtime.rs
+- ext/kobako/src/runtime/ambient.rs
 - ext/kobako/src/runtime/cache.rs
 - ext/kobako/src/runtime/capture.rs
 - ext/kobako/src/runtime/config.rs