fix: security remediation — 17 findings fixed#1
Merged
Conversation
Install vitest, add vitest.config.ts with node environment and globals, update test script to vitest run --passWithNoTests for clean zero-test bootstrap.
Remove the unauthenticated /api/auth/biometric route and the /api/auth/lock/biometric storage route. Strip credentialId, userId, and biometricConfigured from /api/auth/password/status and /api/auth/lock/state responses. Add test asserting these fields and routes are absent.
Replace 4-var blocklist in buildSafeEnv with an explicit allowlist so that secrets like AWS keys, GitHub tokens, and database URLs cannot leak into PTY child processes. ANTHROPIC_API_KEY is explicitly allowed because running Claude Code inside PTY is the primary use case. Export buildSafeEnv for testing.
Add MAX_STDIN_SIZE = 4096 constant and enforce it in handleStdin, returning an error to the client if the payload exceeds the limit.
…my-claude-utils#20) Add explicit script-src 'self' to Content-Security-Policy header and pin better-sqlite3 and node-pty to exact versions to prevent unexpected native binary rebuilds on version drift.
Replace -L clsh (named socket in world-accessible tmpdir) with -S ~/.clsh/tmux.sock (explicit path in user-owned directory) to prevent local users from connecting to or hijacking the tmux socket.
…y-claude-utils#14,my-claude-utils#17) - Increase scrypt N from 16384 (2^14) to 131072 (2^17) per OWASP recommendation - New hash format `scrypt:<N>$salt$key` encodes the cost parameter - Backward-compatible verification of legacy `scrypt$salt$key` hashes (N=16384) - Remove clientHash handling from POST /api/auth/password/setup - Add tests for new format, N value, and legacy hash verification
…nding my-claude-utils#12) Writes JSON-lines to stderr for auth.login, auth.login.failed, auth.logout, auth.password.setup, ws.connected, ws.auth.failed, and ws.disconnected events.
…utils#3) Tracks consecutive password failures at the module level and locks the account for 1 hour after 10 consecutive failures, bypassing the IP-based rate limiter which fails when all clients share 127.0.0.1 through an SSH tunnel.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses all 20 security audit findings from the fork handoff document (
docs/clsh-fork-handoff.md). Fixes 17, defers 3 with documented justification.Critical/High (P0)
DELETE /api/auth/logoutANTHROPIC_API_KEYfor Claude Code)P1 — Pre-daily-use
P2 — Hardening
CLSH_NO_LOCAL_FALLBACK=1prevents plaintext HTTP fallback~/.clsh/tmux.sock(restricted permissions)script-src 'self'to CSPnode-ptyandbetter-sqlite3to exact versionsP3 — Nice to have
Deferred (acceptable for single-user tool)
Infrastructure
@clsh/agent(22 tests)Test plan
npm run test --workspace=@clsh/agent— 22 tests passnpm run typecheck --workspace=@clsh/agent— cleannpm run dev— agent starts, QR code prints, phone can connect