fix: harden telemetry flush against arbitrary file upload#235
Open
bukinoshita wants to merge 3 commits intomainfrom
Conversation
- Move telemetry spool files from shared tmpdir() to a private per-user directory (~/.config/resend/telemetry-spool) created with 0700 permissions
- Add nonce (crypto.randomUUID) to telemetry payload and strip it before sending to PostHog
- Validate payload against expected telemetry schema (api_key, distinct_id, event='cli.used', properties, _nonce) instead of accepting arbitrary JSON
- Reject files with hardlink count != 1 (stat.nlink check)
- Tighten filename regex to only allow pid-timestamp pattern
- Update tests to cover schema validation, hardlink rejection, loose filename rejection, and nonce stripping

Fixes BU-621

Co-authored-by: Bu Kinoshita <bukinoshita@users.noreply.github.com>
@cursor fix conflicts
The PR is fine as-is since the description will be auto-updated by cubic on the new commit. No need to force an update. Merge conflicts resolved. I merged
All 794 tests pass, lint and typecheck are clean.
Merge upstream changes from main, adapting the security hardening to use UUID-based filenames (from main), O_CREAT|O_EXCL|O_WRONLY for safe file creation, and 'it' test convention while preserving all security fixes (spool dir, nonce, schema validation, hardlink rejection). Co-authored-by: Bu Kinoshita <bukinoshita@users.noreply.github.com>
@cubic-dev-ai can you review?
@bukinoshita I have started the AI code review. It will take a few minutes to complete.
Summary by cubic
Hardens the hidden telemetry flush to prevent arbitrary file uploads and local file injection.
- Spool files now live in ~/.config/resend/telemetry-spool/ (0700) instead of the system tmpdir().
- Adds a _nonce (UUID) to each payload; verify on flush and strip before sending.
- Rejects hardlinked spool files (nlink !== 1).
- Tightens the filename regex to ^resend-telemetry-\d+-\d+\.json$ and requires the spool directory path.

Written for commit 74f2c95. Summary will update on new commits.