alvin-bot 5.2.0 → 5.4.0

package/dist/providers/tool-executor.js

@@ -9,8 +9,10 @@
  */
 import { execSync } from "child_process";
 import fs from "fs";
-import { resolve } from "path";
+import os from "os";
+import { resolve, join as pathJoin } from "path";
 import { isSelfRestartCommand, scheduleGracefulRestart } from "../services/restart.js";
+import { checkExecAllowed } from "../services/exec-guard.js";
 // ── Tool Definitions (OpenAI function calling format) ───────────────────────
 export const AGENT_TOOLS = [
     {
@@ -227,7 +229,18 @@ function executeShell(command, cwd) {
         scheduleGracefulRestart();
         return { name: "run_shell", result: "Bot restart scheduled. Grammy will commit the Telegram offset before exiting." };
     }
-    // Security: block obviously dangerous commands
+    // Exec-guard: enforce EXEC_SECURITY on this non-SDK provider path.
+    // checkExecAllowed reads config.execSecurity (deny → reject all;
+    // allowlist → reject metachars + non-allowlisted bins; full → pass).
+    const guardResult = checkExecAllowed(command);
+    if (!guardResult.allowed) {
+        return {
+            name: "run_shell",
+            result: `Command not allowed: ${guardResult.reason ?? "exec execution denied"}`,
+            error: true,
+        };
+    }
+    // Security: block obviously dangerous commands (belt-and-suspenders)
     const blocked = ["rm -rf /", "mkfs", "dd if=/dev/zero", "> /dev/sda"];
     if (blocked.some(b => command.includes(b))) {
         return { name: "run_shell", result: "Command blocked for safety.", error: true };
@@ -395,9 +408,21 @@ function executeListDirectory(dirPath, recursive, cwd) {
     }
 }
 function executePython(code, cwd) {
+    // Exec-guard: enforce EXEC_SECURITY before writing or executing anything.
+    // Use "python3" as the representative binary — deny blocks all execution;
+    // allowlist allows python3 (it is in SAFE_BINS) unless globally denied.
+    const guardResult = checkExecAllowed("python3");
+    if (!guardResult.allowed) {
+        return {
+            name: "python_execute",
+            result: `Python execution not allowed: ${guardResult.reason ?? "exec execution denied"}`,
+            error: true,
+        };
+    }
     try {
-        // Write code to temp file to avoid shell escaping issues
-        const tmpFile = `/tmp/alvin-bot-py-${Date.now()}.py`;
+        // Write code to temp file to avoid shell escaping issues.
+        // os.tmpdir() is cross-platform (works on Windows/Linux/macOS).
+        const tmpFile = pathJoin(os.tmpdir(), `alvin-bot-py-${Date.now()}.py`);
         fs.writeFileSync(tmpFile, code);
         try {
             const output = execSync(`python3 "${tmpFile}"`, {

package/dist/services/async-agent-watcher.js

@@ -62,6 +62,13 @@ function getMissingFileFailureMs() {
 const pending = new Map();
 let pollTimer = null;
 let started = false;
+/**
+ * C-M2 — Set of agent IDs registered in THIS boot (not loaded from disk).
+ * Only in-memory-registered agents have a pid we can safely attribute to
+ * our own subprocess — disk-loaded pids may have been reused by the OS
+ * after a restart. We never kill a disk-loaded pid; only pids in this set.
+ */
+const thisBootAgentIds = new Set();
 /**
  * Hard cap on the pending-agents map. Without this, a bot that runs many
  * async agents but sees some fail to write their outputFile would see
@@ -135,6 +142,9 @@ export function registerPendingAgent(input) {
     };
     enforcePendingCap();
     pending.set(input.agentId, entry);
+    // C-M2: mark this agent as registered in the current boot.
+    // Only this-boot agents have pids we can safely attribute to our own subprocess.
+    thisBootAgentIds.add(input.agentId);
     saveToDisk();
 }
 /**
@@ -295,11 +305,32 @@ async function deliverAsFailure(entry, status, error) {
  *
  * Never throws — all per-entry errors are swallowed.
  */
-export function killSessionDetachedAgents(session, killFn = (p) => {
+/**
+ * C-M1 — Compute the signal target for a detached subprocess pid.
+ *
+ * Since agents are spawned `detached:true` they become process-group
+ * leaders. `claude -p` typically forks further (sub-agents), leaving
+ * grandchildren in the same group. Signalling only the group-leader PID
+ * lets those grandchildren survive. Instead, we signal the entire group
+ * by negating the pid (POSIX: kill(-pgid, sig) = signal the group).
+ *
+ * Windows does not support negative-pid group signals; on win32 we fall
+ * back to the positive pid (signals the leader only). A full win32 group-
+ * kill would require `taskkill /T /PID` — that can be layered later if
+ * Windows support becomes important.
+ *
+ * The injectable `killFn` always receives the already-transformed value
+ * (negative on POSIX, positive on win32) so tests can assert the correct
+ * target without needing platform-specific logic in test code.
+ */
+function resolveKillTarget(pid) {
+    return process.platform !== "win32" ? -pid : pid;
+}
+export function killSessionDetachedAgents(session, killFn = (target) => {
     try {
-        process.kill(p, "SIGTERM");
+        process.kill(target, "SIGTERM");
     }
-    catch { /* already gone */ }
+    catch { /* already gone — ESRCH is fine */ }
 }) {
     // Use session.sessionKey — the real canonical key stamped by getSession().
     // Before v5.1.x this field did not exist on UserSession, causing a silent
@@ -310,12 +341,24 @@ export function killSessionDetachedAgents(session, killFn = (p) => {
     for (const entry of pending.values()) {
         if (entry.sessionKey !== key)
             continue;
-        if (typeof entry.pid === "number") {
-            try {
-                killFn(entry.pid);
-            }
-            catch { /* best-effort */ }
+        if (typeof entry.pid !== "number")
+            continue;
+        // C-M2: only kill pids that are attributable to our own subprocess.
+        // Pids loaded from disk on a previous boot may have been reused by
+        // the OS for an unrelated process. We guard by only killing agents
+        // registered in THIS boot (thisBootAgentIds). Disk-loaded entries
+        // (those not in the set) are skipped — their subprocess may have
+        // already exited and the pid may point at an innocent process.
+        if (!thisBootAgentIds.has(entry.agentId)) {
+            console.log(`[async-watcher] skipping kill for disk-loaded agent ${entry.agentId} ` +
+                `(pid=${entry.pid}) — cannot safely attribute pid after restart`);
+            continue;
+        }
+        // C-M1: pass the group-kill target (negative pid on POSIX) to killFn.
+        try {
+            killFn(resolveKillTarget(entry.pid));
         }
+        catch { /* best-effort */ }
     }
 }
 /**
@@ -345,6 +388,7 @@ export function cancelPendingForSession(sessionKey) {
 /** Test-only: drop in-memory state. Doesn't touch disk. */
 export function __resetForTest() {
     pending.clear();
+    thisBootAgentIds.clear();
     if (pollTimer)
         clearInterval(pollTimer);
     pollTimer = null;

package/dist/services/browser-manager.js

@@ -10,7 +10,7 @@
  * If a strategy is unavailable, we automatically cascade to the next one
  * and log a warning so failures are visible, not silent.
  */
-import { execSync, spawn } from "child_process";
+import { execSync, execFileSync, spawn } from "child_process";
 import http from "http";
 import fs from "fs";
 import { config } from "../config.js";
@@ -22,7 +22,7 @@ const CDP_PORT = 9222;
 const EXEC_TIMEOUT = 60_000; // 60s for page loads via shell
 // ── Logging ──────────────────────────────────────────────────────────
 function log(msg) {
-    console.warn(`[browser-manager] ${msg}`);
+    console.log(`[browser-manager] ${msg}`);
 }
 // ── Availability Checks ──────────────────────────────────────────────
 function isGatewayScriptPresent() {
@@ -170,9 +170,11 @@ export async function resolveStrategy(preferred) {
     }
     return "cli";
 }
-function execHub(args) {
+function execHub(argv) {
     try {
-        const result = execSync(`"${HUB_BROWSER_SH}" ${args}`, {
+        // H3: use execFileSync with discrete argv array — no shell interpolation,
+        // so attacker-controlled URLs cannot inject shell metacharacters.
+        const result = execFileSync(HUB_BROWSER_SH, argv, {
             stdio: "pipe",
             timeout: EXEC_TIMEOUT,
             env: { ...process.env, PATH: process.env.PATH },
@@ -310,7 +312,7 @@ async function navigateOne(strategy, url) {
         case "cdp": {
             // Try hub CDP first
             if (isHubBrowserAvailable()) {
-                const result = execHub(`cdp goto "${url}"`);
+                const result = execHub(["cdp", "goto", url]);
                 if (result && !result.error) {
                     return { title: result.title || "", url: result.url || url };
                 }
@@ -329,7 +331,7 @@ async function navigateOne(strategy, url) {
                 log(`Direct CDP failed: ${err.message}`);
                 // Last resort: try stealth
                 if (isHubBrowserAvailable()) {
-                    const stealthResult = execHub(`stealth "${url}"`);
+                    const stealthResult = execHub(["stealth", url]);
                     if (stealthResult) {
                         return { title: stealthResult.title || "", url: stealthResult.url || url };
                     }
@@ -338,7 +340,7 @@ async function navigateOne(strategy, url) {
             }
         }
         case "hub-stealth": {
-            const result = execHub(`stealth "${url}"`);
+            const result = execHub(["stealth", url]);
             if (result && !result.error) {
                 return { title: result.title || "", url: result.url || url };
             }
@@ -369,7 +371,7 @@ export async function screenshot(url, options = {}) {
         case "cdp": {
             if (isHubBrowserAvailable()) {
                 const tmpName = `shot_${Date.now()}.png`;
-                const result = execHub(`cdp shot "${url}" ${tmpName}`);
+                const result = execHub(["cdp", "shot", url, tmpName]);
                 if (result?.screenshot)
                     return result.screenshot;
             }
@@ -378,7 +380,7 @@ export async function screenshot(url, options = {}) {
         }
         case "hub-stealth": {
             const tmpName = `shot_${Date.now()}.png`;
-            const result = execHub(`stealth "${url}" --screenshot=${tmpName}`);
+            const result = execHub(["stealth", url, `--screenshot=${tmpName}`]);
             if (result?.screenshot)
                 return result.screenshot;
             // Fallback

package/dist/services/browser-webfetch.js

@@ -11,8 +11,18 @@
  * See browser-manager.ts for the full cascade; this module is the
  * leaf-level primitive with no dependencies on that file so both can
  * be unit-tested in isolation.
+ *
+ * SSRF hardening (M1): assertSsrfSafe() is called before every fetch hop to
+ * reject loopback / link-local / RFC-1918 / metadata / non-http(s)
+ * destinations. Redirects are followed manually (redirect:"manual") so every
+ * hop's Location header is re-validated before following — a public host that
+ * returns 302 → 169.254.169.254 is therefore blocked. Redirects are capped at
+ * 10 hops; an operator who needs redirect-to-internal can set
+ * ALLOW_PRIVATE_FETCH=1.
  */
+import { assertSsrfSafe, SsrfBlockedError } from "./ssrf-guard.js";
 const DEFAULT_TIMEOUT_MS = 15_000;
+const MAX_REDIRECTS = 10;
 const DEFAULT_USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 " +
     "(KHTML, like Gecko) Version/17.0 Safari/605.1.15 AlvinBot/webfetch";
 export class WebfetchFailed extends Error {
@@ -53,24 +63,48 @@ export function parseTitle(html) {
     return decodeEntities(inner);
 }
 export async function webfetchNavigate(url, options = {}) {
+    // M1: SSRF guard — reject private/internal destinations before fetching.
+    // SsrfBlockedError is intentionally not wrapped in WebfetchFailed so
+    // callers can distinguish "blocked by policy" from "server error".
+    // We validate EVERY redirect hop manually (redirect:"manual") so a
+    // public host cannot 302 us into an internal address.
+    await assertSsrfSafe(url);
     const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), timeoutMs);
     try {
+        let currentUrl = url;
         let response;
-        try {
-            response = await fetch(url, {
-                method: "GET",
-                headers: {
-                    "User-Agent": options.userAgent ?? DEFAULT_USER_AGENT,
-                    Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
-                },
-                redirect: "follow",
-                signal: controller.signal,
-            });
-        }
-        catch (err) {
-            throw new WebfetchFailed(url, err.message, { cause: err });
+        for (let hop = 0;; hop++) {
+            try {
+                response = await fetch(currentUrl, {
+                    method: "GET",
+                    headers: {
+                        "User-Agent": options.userAgent ?? DEFAULT_USER_AGENT,
+                        Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+                    },
+                    redirect: "manual",
+                    signal: controller.signal,
+                });
+            }
+            catch (err) {
+                throw new WebfetchFailed(url, err.message, { cause: err });
+            }
+            // Not a redirect — we have the final response
+            if (response.status < 300 || response.status >= 400)
+                break;
+            const loc = response.headers.get("location");
+            if (!loc)
+                break; // no Location header — treat as final response
+            if (hop >= MAX_REDIRECTS) {
+                throw new SsrfBlockedError(url, `too many redirects (> ${MAX_REDIRECTS})`);
+            }
+            const next = new URL(loc, currentUrl).href;
+            // Re-validate each redirect target before following — closes the
+            // post-redirect SSRF bypass where fetch would silently follow a
+            // 302 pointing at 169.254.169.254 / loopback / RFC-1918.
+            await assertSsrfSafe(next);
+            currentUrl = next;
         }
         if (!response.ok) {
             throw new WebfetchFailed(url, `HTTP ${response.status}`, { status: response.status });

package/dist/services/cron-scheduling.js

@@ -29,34 +29,94 @@ function parseInterval(input) {
     };
     return value * (mult[unit] || 60_000);
 }
-function parseField(expr, min, max) {
-    if (expr === "*")
-        return Array.from({ length: max - min + 1 }, (_, i) => i + min);
-    if (expr.includes("/")) {
-        const [, step] = expr.split("/");
-        const s = parseInt(step);
-        return Array.from({ length: max - min + 1 }, (_, i) => i + min).filter((v) => v % s === 0);
+/**
+ * Parse a single cron field token (no commas — commas are handled by parseField).
+ * Supports: `*`, `a`, `a-b`, `a/s`, `a-b/s`, `*\/s`.
+ * Returns an array of valid integers in [min,max], or null if the token is invalid/garbage.
+ */
+function parseFieldToken(token, min, max) {
+    const fullRange = () => Array.from({ length: max - min + 1 }, (_, i) => i + min);
+    if (token.includes("/")) {
+        const slashIdx = token.indexOf("/");
+        const basePart = token.slice(0, slashIdx);
+        const stepPart = token.slice(slashIdx + 1);
+        const step = parseInt(stepPart, 10);
+        if (!Number.isFinite(step) || step <= 0)
+            return null;
+        let base;
+        if (basePart === "*") {
+            base = fullRange();
+        }
+        else if (basePart.includes("-")) {
+            const [aPart, bPart] = basePart.split("-");
+            const a = parseInt(aPart, 10);
+            const b = parseInt(bPart, 10);
+            if (!Number.isFinite(a) || !Number.isFinite(b) || a > b || a < min || b > max)
+                return null;
+            base = Array.from({ length: b - a + 1 }, (_, i) => i + a);
+        }
+        else {
+            const a = parseInt(basePart, 10);
+            if (!Number.isFinite(a) || a < min || a > max)
+                return null;
+            base = [a];
+        }
+        // Filter by step aligned to base start
+        const baseStart = base[0];
+        return base.filter((v) => (v - baseStart) % step === 0);
     }
-    if (expr.includes(","))
-        return expr.split(",").map(Number);
-    if (expr.includes("-")) {
-        const [a, b] = expr.split("-").map(Number);
+    if (token === "*")
+        return fullRange();
+    if (token.includes("-")) {
+        const parts = token.split("-");
+        if (parts.length !== 2)
+            return null;
+        const a = parseInt(parts[0], 10);
+        const b = parseInt(parts[1], 10);
+        if (!Number.isFinite(a) || !Number.isFinite(b) || a > b || a < min || b > max)
+            return null;
         return Array.from({ length: b - a + 1 }, (_, i) => i + a);
     }
-    return [parseInt(expr)];
+    const v = parseInt(token, 10);
+    if (!Number.isFinite(v) || v < min || v > max)
+        return null;
+    return [v];
+}
+/**
+ * Parse a cron field expression (may contain commas) into a sorted array of valid integers.
+ * Supports comma-separated combinations of: `*`, `a`, `a-b`, `a-b/s`, `*\/s`.
+ * Returns null if any token is invalid/garbage (signals an invalid schedule).
+ */
+function parseField(expr, min, max) {
+    // Split on commas; filter empty strings (handles "1,,3" gracefully — skip empty)
+    const tokens = expr.split(",").filter((t) => t.length > 0);
+    if (tokens.length === 0)
+        return null;
+    const result = new Set();
+    for (const token of tokens) {
+        const vals = parseFieldToken(token, min, max);
+        if (vals === null)
+            return null; // propagate invalid token as parse failure
+        for (const v of vals)
+            result.add(v);
+    }
+    const arr = [...result].sort((a, b) => a - b);
+    return arr.length > 0 ? arr : null;
 }
 function parseCronFields(expression) {
     const parts = expression.trim().split(/\s+/);
     if (parts.length !== 5)
         return null;
     const [minExpr, hourExpr, dayExpr, monthExpr, weekdayExpr] = parts;
-    return {
-        minutes: parseField(minExpr, 0, 59),
-        hours: parseField(hourExpr, 0, 23),
-        days: parseField(dayExpr, 1, 31),
-        months: parseField(monthExpr, 1, 12),
-        weekdays: parseField(weekdayExpr, 0, 6),
-    };
+    const minutes = parseField(minExpr, 0, 59);
+    const hours = parseField(hourExpr, 0, 23);
+    const days = parseField(dayExpr, 1, 31);
+    const months = parseField(monthExpr, 1, 12);
+    const weekdays = parseField(weekdayExpr, 0, 6);
+    // Any field returning null means the expression is invalid → reject it
+    if (!minutes || !hours || !days || !months || !weekdays)
+        return null;
+    return { minutes, hours, days, months, weekdays };
 }
 function nextCronRun(expression, after) {
     const fields = parseCronFields(expression);