agent-security-scanner-mcp 3.16.0 → 3.17.0

package/src/daemon-client.js

@@ -40,11 +40,24 @@ class DaemonClient {
   async ensureRunning() {
     if (this._dead) throw new Error('Daemon permanently unavailable');
     if (this._proc && !this._proc.killed && this._proc.exitCode === null) return;
+
+    // Security: Fix race condition - create promise synchronously before any await
     if (this._starting) return this._starting;
 
-    this._starting = this._spawn();
+    // Create promise SYNCHRONOUSLY to prevent race window
+    const spawnPromise = (async () => {
+      try {
+        await this._spawn();
+      } catch (err) {
+        this._starting = null; // Clear on error
+        throw err;
+      }
+    })();
+
+    this._starting = spawnPromise;
+
     try {
-      await this._starting;
+      await spawnPromise;
     } finally {
       this._starting = null;
     }
@@ -218,12 +231,46 @@ class DaemonClient {
 
   async shutdown() {
     if (!this._proc || this._proc.killed || this._proc.exitCode !== null) return;
+
+    // Security: Fix process orphaning with timeout and SIGKILL fallback
+    // Try graceful shutdown first (5 second timeout)
     try {
-      await this._send({ action: 'shutdown' });
-    } catch {
-      // ignore — process may already be gone
+      await Promise.race([
+        this._send({ action: 'shutdown' }),
+        new Promise((_, reject) => setTimeout(() => reject(new Error('Shutdown timeout')), 5000))
+      ]);
+    } catch (err) {
+      console.warn(`Graceful daemon shutdown failed: ${err.message}. Force-killing.`);
     }
+
+    // Force kill if still running
+    if (this._proc && !this._proc.killed && this._proc.exitCode === null) {
+      try {
+        this._proc.kill('SIGKILL');
+      } catch (err) {
+        console.error(`Failed to kill daemon process:`, err.message);
+      }
+    }
+
     this._cleanup();
+
+    // Wait for process to actually exit (with timeout)
+    if (this._proc) {
+      await new Promise(resolve => {
+        const checkInterval = setInterval(() => {
+          if (!this._proc || this._proc.exitCode !== null) {
+            clearInterval(checkInterval);
+            resolve();
+          }
+        }, 100);
+
+        // Timeout after 2 seconds
+        setTimeout(() => {
+          clearInterval(checkInterval);
+          resolve();
+        }, 2000);
+      });
+    }
   }
 }
 

package/src/tools/scan-prompt.js

@@ -484,12 +484,29 @@ export async function scanAgentPrompt({ prompt_text, context, verbosity }) {
   const allRules = [...agentRules, ...promptRules, ...openclawRules];
 
   // 2.7: Extract content from code blocks (``` and ~~~) and append to scan text
+  // Security: Add size limits and iteration caps to prevent ReDoS
+  const EXPANDED_TEXT_MAX = 500 * 1024; // 500KB absolute max
+  const MAX_CODE_BLOCK_ITERATIONS = 100;
+  const MAX_SINGLE_BLOCK_SIZE = 10000; // 10KB per code block
+
   let expandedText = prompt_text;
   const codeBlockRegex = /(`{3,})([\s\S]*?)\1|(~{3,})([\s\S]*?)\3/g;
   let codeBlockMatch;
+  let iterations = 0;
+
   while ((codeBlockMatch = codeBlockRegex.exec(prompt_text)) !== null) {
+    if (++iterations > MAX_CODE_BLOCK_ITERATIONS) {
+      console.warn('Code block extraction iteration limit reached');
+      break;
+    }
+    if (expandedText.length > EXPANDED_TEXT_MAX) {
+      console.warn('Expanded text size limit reached');
+      break;
+    }
+
     // Group 2 = content inside backtick fences, Group 4 = content inside tilde fences
     const inner = (codeBlockMatch[2] || codeBlockMatch[4] || '')
+      .substring(0, MAX_SINGLE_BLOCK_SIZE) // Cap individual block size
       .replace(/^\w*\n?/, '');  // strip optional language tag
     expandedText += '\n' + inner;
   }
@@ -531,9 +548,10 @@ export async function scanAgentPrompt({ prompt_text, context, verbosity }) {
   }
 
   // 2.7d: Strip Zalgo diacritics — NFKD decompose first, then strip combining marks
+  // Security: Use Unicode property escapes to catch ALL combining marks (fixes bypass)
   const nfkd = expandedText.normalize('NFKD');
-  const zalgoStripped = nfkd.replace(/[\u0300-\u036f\u0488\u0489\u1dc0-\u1dff\u20d0-\u20ff\ufe20-\ufe2f]/g, '');
-  if (zalgoStripped !== expandedText) {
+  const zalgoStripped = nfkd.replace(/\p{Mn}/gu, ''); // All Mark-Nonspacing combining characters
+  if (zalgoStripped !== expandedText && expandedText.length < EXPANDED_TEXT_MAX) {
     expandedText += '\n' + zalgoStripped;
   }
 
@@ -562,12 +580,22 @@ export async function scanAgentPrompt({ prompt_text, context, verbosity }) {
   }
 
   // Scan expanded text against all rules
+  // Security: Add timeout protection for regex matching
+  const REGEX_TIMEOUT_MS = 1000;
+
   for (const rule of allRules) {
     for (const pattern of rule.patterns) {
       try {
         const regex = new RegExp(pattern, 'i');
+        const startTime = Date.now();
         const match = expandedText.match(regex);
 
+        // Check for regex timeout (ReDoS protection)
+        if (Date.now() - startTime > REGEX_TIMEOUT_MS) {
+          console.warn(`Regex timeout for rule ${rule.id}, skipping`);
+          break;
+        }
+
         if (match) {
           findings.push({
             rule_id: rule.id,
@@ -583,6 +611,7 @@ export async function scanAgentPrompt({ prompt_text, context, verbosity }) {
         }
       } catch (e) {
         // Skip invalid regex
+        console.warn(`Regex error for rule ${rule.id}:`, e.message);
       }
     }
   }

package/src/tools/scan-skill.js

@@ -3,7 +3,7 @@
 // supply chain verification, and rug pull detection.
 
 import { z } from "zod";
-import { existsSync, readFileSync, readdirSync, statSync, lstatSync, realpathSync, writeFileSync, mkdirSync, unlinkSync, renameSync, chmodSync } from "fs";
+import { existsSync, readFileSync, readdirSync, statSync, lstatSync, realpathSync, writeFileSync, mkdirSync, unlinkSync, renameSync, chmodSync, mkdtempSync, rmSync } from "fs";
 import { resolve, basename, dirname, extname, join, sep } from "path";
 import { createHash } from "crypto";
 import { tmpdir, homedir } from "os";
@@ -329,11 +329,20 @@ async function runCodeBlockScan(blocks, signal) {
       const ext = LANG_EXT_MAP[lang];
       if (!ext) continue;
 
-      const tmpName = `skill-scan-${Date.now()}-${Math.random().toString(36).slice(2)}.${ext}`;
-      const tmpPath = join(tmpdir(), tmpName);
+      // Security: Create unique temp directory to prevent race conditions and symlink attacks
+      let tmpDir;
+      try {
+        tmpDir = mkdtempSync(join(tmpdir(), 'skill-scan-'));
+      } catch (err) {
+        console.error(`Failed to create temp directory: ${err.message}`);
+        continue;
+      }
+
+      const tmpPath = join(tmpDir, `code.${ext}`);
 
       try {
-        writeFileSync(tmpPath, code, 'utf-8');
+        // Write with restrictive permissions (0600) to prevent other users from reading
+        writeFileSync(tmpPath, code, { encoding: 'utf-8', mode: 0o600 });
         const issues = await runAnalyzerAsync(tmpPath, 'auto', signal);
         if (Array.isArray(issues)) {
           for (const issue of issues) {
@@ -350,7 +359,12 @@ async function runCodeBlockScan(blocks, signal) {
           }
         }
       } finally {
-        try { unlinkSync(tmpPath); } catch { /* best effort cleanup */ }
+        // Clean up entire directory atomically
+        try {
+          rmSync(tmpDir, { recursive: true, force: true });
+        } catch (err) {
+          console.error(`Failed to clean up temp dir ${tmpDir}:`, err.message);
+        }
       }
     } catch (error) {
       console.error(`Layer 2 (code block scan) failed for ${lang}:`, error.message);
@@ -878,64 +892,52 @@ function generateRecommendation(grade) {
 // ---------------------------------------------------------------------------
 
 export async function scanSkill({ skill_path, verbosity, baseline }) {
-  // Path resolution
-  const resolvedPath = resolve(skill_path);
+  // Security: Resolve to canonical path FIRST to prevent TOCTOU and symlink attacks
+  const inputPath = skill_path;
+  let realPath;
 
-  // Path containment — check on resolved path FIRST (before existence)
-  // so that invalid external paths get rejected with the right error message.
-  // Use raw cwd here (resolvedPath is also non-canonical at this point).
-  const rawCwd = process.cwd();
-  const allowedSkillRoots = [
-    resolve(homedir(), '.openclaw', 'skills'),
-    resolve(homedir(), '.openclaw', 'workspace', 'skills'),
-  ];
-  const isAllowed = pathStartsWith(resolvedPath, rawCwd)
-    || allowedSkillRoots.some(root => pathStartsWith(resolvedPath, root));
-  if (!isAllowed) {
+  try {
+    // Resolve to canonical path immediately (defeats symlink attacks)
+    realPath = realpathSync(resolve(inputPath));
+  } catch (err) {
     return {
       content: [{ type: "text", text: JSON.stringify({
-        error: "skill_path must be within the current working directory or ~/.openclaw/skills/ (or ~/.openclaw/workspace/skills/)",
-        skill_path: resolvedPath
+        error: "Invalid path, symlink loop, or permission denied",
+        skill_path: inputPath,
+        details: err.message
       }) }]
     };
   }
 
-  if (!existsSync(resolvedPath)) {
-    return {
-      content: [{ type: "text", text: JSON.stringify({ error: "Skill path not found", skill_path: resolvedPath }) }]
-    };
-  }
+  // Verify containment on canonical path ONLY
+  // This prevents symlink escapes by checking the REAL resolved location
+  const canonCwd = realpathSync(process.cwd());
+  const allowedSkillRoots = [
+    resolve(homedir(), '.openclaw', 'skills'),
+    resolve(homedir(), '.openclaw', 'workspace', 'skills'),
+  ].map(root => {
+    try {
+      return existsSync(root) ? realpathSync(root) : null;
+    } catch {
+      return null;
+    }
+  }).filter(Boolean);
 
-  // Reject symlinks at the top level to prevent symlink-based path escapes
-  const topStat = lstatSync(resolvedPath);
-  if (topStat.isSymbolicLink()) {
-    return {
-      content: [{ type: "text", text: JSON.stringify({
-        error: "Symbolic links are not allowed as skill_path — resolve the real path first",
-        skill_path: resolvedPath
-      }) }]
-    };
-  }
+  const isAllowed = pathStartsWith(realPath, canonCwd)
+    || allowedSkillRoots.some(root => pathStartsWith(realPath, root));
 
-  // Resolve to real path and re-verify containment (defeats symlink escapes)
-  // Use canonical cwd here since realPath is also canonical.
-  const realPath = realpathSync(resolvedPath);
-  let canonCwd;
-  try { canonCwd = realpathSync(rawCwd); } catch { canonCwd = rawCwd; }
-  const canonRoots = allowedSkillRoots.map(root => {
-    try { return realpathSync(root); } catch { return root; }
-  });
-  const realAllowed = pathStartsWith(realPath, canonCwd)
-    || canonRoots.some(root => pathStartsWith(realPath, root));
-  if (!realAllowed) {
+  if (!isAllowed) {
     return {
       content: [{ type: "text", text: JSON.stringify({
         error: "skill_path must be within the current working directory or ~/.openclaw/skills/ (or ~/.openclaw/workspace/skills/)",
-        skill_path: realPath
+        skill_path: realPath,
+        attempted_path: inputPath
       }) }]
     };
   }
 
+  // Path is now safe - realPath is canonical and within allowed boundaries
+
   const stat = statSync(realPath);
   let skillDir, skillFile;