Skip to content

v1.58.4.0 fix: scope /health bootstrap token to pinned extension + patch dependency CVEs#2062

Open
Saimoguloju wants to merge 3 commits into
garrytan:mainfrom
Saimoguloju:fix/health-token-cves
Open

v1.58.4.0 fix: scope /health bootstrap token to pinned extension + patch dependency CVEs#2062
Saimoguloju wants to merge 3 commits into
garrytan:mainfrom
Saimoguloju:fix/health-token-cves

Conversation

@Saimoguloju

Copy link
Copy Markdown

What

Two related daemon-security fixes:

  1. /health token leak (privilege escalation). /health returned the
    root AUTH_TOKEN to any caller with a chrome-extension:// Origin,
    regardless of which extension. On a multi-extension machine a second
    extension could scrape it and drive every browse-server endpoint. The
    extension-origin path now requires an exact
    chrome-extension://<BROWSE_EXTENSION_ID> match when the id is pinned,
    mirroring the existing /ws origin gate in terminal-agent.ts.
    Backward-compatible: unset id = unchanged behavior.

  2. Dependency CVEs. bun audit flagged 37 advisories. Patched the direct
    deps we control (@anthropic-ai/sdk 0.78.0 → 0.91.1 insecure file perms,
    diff 7 → 8 parsePatch DoS) and refreshed transitive deps within range.
    Added a non-blocking dependency-audit CI workflow so new CVEs surface at
    review time.

Why

The /health behavior is a real, exploitable privilege-escalation path on
shared/multi-extension machines (it was already filed internally as a deferred
P2). The remaining transitive advisories live behind pinned upstream packages
and are documented as follow-up.

Testing

  • bun test browse/test/server-auth.test.ts — 39/39 pass (added a regression
    test pinning the extension-id gate).
  • bun audit before/after confirms the two direct-dep CVEs are cleared.

Notes

  • No behavior change unless BROWSE_EXTENSION_ID is set.
  • Pure additive CI; the audit job is non-blocking to start.

Saimoguloju and others added 3 commits June 20, 2026 22:28
/health handed the root AUTH_TOKEN to ANY chrome-extension:// origin,
so a second extension on the same machine could scrape it and drive
every browse-server endpoint (privilege escalation). Gate the
extension-origin path on an exact chrome-extension://<BROWSE_EXTENSION_ID>
match when the id is pinned, mirroring the existing /ws origin gate in
terminal-agent.ts. Unset id = unchanged behavior, so this is opt-in
tightening, not a break. Adds a regression test pinning the gate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
bun audit flagged 37 advisories. Bump the direct deps we control
(@anthropic-ai/sdk 0.78.0->0.91.1 insecure file perms, diff 7->8
parsePatch DoS) and refresh transitive deps within range. Add a
non-blocking dependency-audit workflow so new CVEs surface on every PR
(CI watched our code but never the third-party tree).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@trunk-io

trunk-io Bot commented Jun 20, 2026

Copy link
Copy Markdown

Merging to main in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here

@github-actions github-actions Bot changed the title fix: scope /health bootstrap token to pinned extension + patch dependency CVEs v1.58.4.0 fix: scope /health bootstrap token to pinned extension + patch dependency CVEs Jun 20, 2026
@Saimoguloju

Copy link
Copy Markdown
Author

trunk merge below.

@time-attack

Copy link
Copy Markdown
Contributor

@16francej — recommend closing this PR as superseded by #2226. Unresolved security problems remain, and the branch also combines unrelated dependency and release changes; #2226 owns the complete local-auth and legacy-profile migration. Preserve #2062’s authentication-hardening attribution in #2226, and move any still-current dependency remediation to a separate compatibility-reviewed change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants