Claude/security functionality analysis al5 zg #7
Merged
caiqinghua merged 8 commits into openagen:main on Feb 23, 2026
Minor Cargo.lock update from running cargo commands during security analysis — normalizes `rustix 1.1.3` version reference to `rustix`. https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
…tation

Fix 5 compilation errors blocking the build:
- reliable.rs: remove duplicate `chat` method implementation
- agent.rs, loop_.rs: replace `futures::` with `futures_util::` (correct crate name)
- Cargo.toml: add `alloc` feature to futures-util (required for join_all)
- memory/cli.rs: gate PostgresMemory behind #[cfg(feature = "memory-postgres")] with a clear compile-time error when the feature is absent

Security hardening:
- Enable Landlock sandbox by default on Linux: remove `optional = true` from the Linux-specific landlock dependency; replace all `cfg(feature = "sandbox-landlock")` gates with `cfg(target_os = "linux")` in mod.rs, detect.rs, and landlock.rs. The `sandbox-landlock` feature flag is kept as a no-op for backward compatibility.
- Add explicit security warning to channels-reference.md for the whatsapp-web feature flag (unofficial API, account-suspension risk, unpredictable attack surface).
- Add SSRF threat model document for the http_request tool: docs/security/http-request-ssrf-threat-model.md covering existing defenses (allowlist, private-host blocking, redirect-none, scheme restriction), known residual risks (DNS rebinding, HTTP cleartext), and operator guidance.
- Register the SSRF doc in docs/security/README.md.

https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
Document the security model of the shell tool:
- Defenses in place: autonomy policy, command validation, rate limiting, env_clear + SAFE_ENV_VARS whitelist, 60s timeout, 1MB output truncation
- Residual risks: no FS isolation without Landlock, no network egress filter, parent fd inheritance, shell injection via interpolated command strings
- Full test coverage matrix
- Operator configuration guidance

https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
Thanks for contributing to ZeroClaw. For faster review, please ensure:

PR intake checks found warnings (non-blocking). Fast safe checks found advisory issues. CI lint/test/build gates still enforce merge quality.

Action items:

Run logs: https://github.com/openagen/zeroclaw/actions/runs/22276711163

Detected blocking line issues (sample):

Detected advisory line issues (sample):
Add a dated security audit table covering 8 tool surfaces identified during the 2026-02-22 security analysis. Each entry includes the risk area, current grade, finding, and a concrete recommended remediation. Surfaces covered: http_request (MITM, DNS rebinding), file_write (path traversal), shell (network egress), git_operations (unintended push), browser/browser_open (SSRF-adjacent, phishing), delegate (prompt injection), and compiler hygiene (allow suppression). https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
…urfaces

Full source-code re-audit of every tool in src/tools/. Previous table covered 8 surfaces with preliminary grades.

Updated table:
- Covers all 31 tool surfaces organized by tier (file, network, command execution, memory, delegation, scheduling, external APIs, utility, hardware, compiler hygiene)
- Corrects grades based on actual code inspection (e.g. file_read upgraded to A, git_operations to A-, http_request SSRF to B+)
- Adds new surfaces: file_read, glob_search, pdf_read, image_info, web_search_tool, browser_open, memory_*, cron_*, composio, pushover, proxy_config, screenshot, hardware_*, delegate
- Each entry includes a verified finding and a concrete recommended action
- Adds an overall posture summary table by tier

https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
The `build_system_prompt_with_mode` function signature was extended with a new `skills_prompt_mode: SkillsPromptInjectionMode` parameter, but the call in the `native_tools_system_prompt_contains_zero_xml` test was not updated to match. This caused a compile-time error (E0061: wrong number of arguments) that blocked all test compilation. Fix: pass `SkillsPromptInjectionMode::Full` as the 8th argument, consistent with the default used throughout the codebase. https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
Fix 36 clippy errors and formatting violations to make the codebase pass `cargo fmt --all -- --check` and `cargo clippy --all-targets -- -D warnings` with zero diagnostics.

Key fixes by category:

Correctness:
- Replace invalid regex backreferences (\1) in XML tool-tag parser with a manual closing-tag search (iter_xml_tagged_sections); the `regex` crate does not support backreferences, so the original code would have panicked at runtime on first use of the XML dispatcher path.

MSRV:
- Bump rust-version 1.87 → 1.91 to align with str::floor_char_boundary (stable since 1.91) already used in shell/screenshot/memory tools.

Visibility / privacy:
- Narrow channels::handle_command to pub(crate) to match ChannelCommands visibility; eliminates private-interface-in-public-API lint.

Lint suppressions (intentional API surface):
- #[allow(unused_imports)] on pub use re-exports in cost/mod.rs, onboard/mod.rs, tools/mod.rs, peripherals/mod.rs that are used from the binary crate or are intentional public API.
- #[allow(clippy::unused_async)] on the hardware-feature stub for create_peripheral_tools (must stay async for call-site consistency).
- #[allow(clippy::assertions_on_constants)] on a platform-guard assertion in the landlock test.
- #[allow(clippy::type_complexity)] on the pairing guard's brute-force field.

Style / idiomatic fixes:
- Replace format!-collect with fold+writeln! in discord/telegram tests.
- Elide explicit lifetimes in providers/copilot.rs.
- Merge identical match arms (bedrock, compatible, telegram, wizard, main.rs unreachable arms).
- Use ? operator instead of let-else for question_mark lint.
- Use array-of-char pattern for manual_pattern_char_comparison.
- Remove needless return / continue statements.
- Derive Default for SkillsConfig (all fields use standard defaults).
- Replace criterion::black_box (deprecated) with std::hint::black_box.
- Box::pin large heartbeat future directly to move it off the stack.
- Use struct initializer syntax in config_persistence tests.
- Use array literals instead of vec! where Vec is not needed.
- Remove duplicate unreachable cfg block in memory/cli.rs.
- Fix unreadable long literal in nextcloud_talk test.
- Replace ALLOWED_IMAGE_MIME_TYPES.iter().any() with .contains().
- Suppress cast_possible_truncation for intentional u64→usize casts.

https://claude.ai/code/session_01EFyqry32yYwkmYs2zFMiyb
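The manual closing-tag search that the commit above describes as the replacement for a regex backreference, written here as an added std-only illustration; it is not the project's `iter_xml_tagged_sections`, and the `TaggedSection` type and function name are assumptions for this example. It locates each `<name>` opening tag, then searches for the literal `</name>` closing tag, so unterminated tags are skipped instead of swallowing the rest of the input.

```rust
/// One `<name>body</name>` section found in a model response
/// (constructed type for this example, not the project's own).
#[derive(Debug, PartialEq)]
pub struct TaggedSection<'a> {
    pub tag: &'a str,
    pub body: &'a str,
}

/// Scan `input` for `<name>...</name>` pairs by locating each opening tag and
/// then searching for its literal closing tag, so no backreference is needed.
/// Tag names are restricted to `[A-Za-z0-9_]`; anything else (closing tags,
/// attributes, stray `<`) is skipped and scanning continues.
pub fn iter_tagged_sections(input: &str) -> Vec<TaggedSection<'_>> {
    let mut sections = Vec::new();
    let mut pos = 0;
    while let Some(open_rel) = input[pos..].find('<') {
        let open = pos + open_rel;
        let rest = &input[open + 1..];
        let Some(gt_rel) = rest.find('>') else {
            break; // no '>' left anywhere: nothing more can be a tag
        };
        let name = &rest[..gt_rel];
        let valid_name = !name.is_empty()
            && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_');
        if !valid_name {
            pos = open + 1; // not an opening tag we accept; move past '<'
            continue;
        }
        let body_start = open + 1 + gt_rel + 1;
        let close_tag = format!("</{name}>");
        match input[body_start..].find(&close_tag) {
            Some(close_rel) => {
                let body_end = body_start + close_rel;
                sections.push(TaggedSection {
                    tag: name,
                    body: &input[body_start..body_end],
                });
                pos = body_end + close_tag.len();
            }
            // Unterminated opening tag: skip it rather than swallowing the rest
            None => pos = open + 1,
        }
    }
    sections
}
```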