Fix five code-review bugs (#37–#41)#42
Merged
Merged
Conversation
#37 security: validate git-include URLs before cloning. Reject git's remote-helper transport syntax (`ext::`, `fd::`, any `<name>::<addr>`) and leading-`-`/control chars in `validate_git_url`, applied at `parse_target` (so dangerous directives never parse) and in `git_clone` (defence in depth, plus `--` separator). `run_git` now exports `GIT_ALLOW_PROTOCOL=https:ssh:git:file`. Same validator is applied to `memory_sync`'s remote_url. #38 panic: truncate subagent task labels in GET /v1/tasks by char count, not raw byte slice — multibyte (CJK/emoji) names >48 bytes no longer panic (and no longer crash the WS socket). #39 streaming agent loop: when a terminal tool is emitted alongside sibling calls, synthesize a cancelled tool_result for every unprocessed sibling on the sequential path (avoids orphaned tool_calls → provider 400 on resume), and emit a closing ToolEnd for cancelled in-flight calls on the parallel path (no dangling ToolStart on the wire). #40 fs.patch atomicity: make the disk-commit phase atomic. Snapshot each target's prior content, and on any mid-batch I/O failure roll back every already-committed write/delete so the working tree is left unchanged. #41 SummarizingMemory: place the summary at the chronological position of the dropped turns. On the cache-breakpoint path the kept set is non-contiguous (cached prefix + recent tail); the summary now sits between them instead of before the cached prefix. Adds regression tests for all five. https://claude.ai/code/session_013gxHmLU1sk8WabMxPvMRf7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves the five open code-review bugs. Each fix is targeted and ships a regression test.
#37 — Security: arbitrary command execution via unvalidated git-include URL
validate_git_urlrejects git's remote-helper transport syntax (ext::,fd::, any<name>::<addr>), leading-, and control chars — while still allowing normalhttps/ssh/git/fileURLs, scp-likegit@host:path, and plain local paths (which git clones over the safe local transport, and which existing tests rely on).IncludeDirective::parse_target(dangerous directives never parse into aGitUrl) and ingit_clone(defence in depth, plus a--separator before the URL).run_gitnow exportsGIT_ALLOW_PROTOCOL=https:ssh:git:fileso git itself refuses command-executing transports even if a bad URL slipped through.--only check inmemory_sync'sremote_url.#38 — Panic: byte-slice truncation in
GET /v1/taskschars().take(47)), not a raw byte slice, so multibyte (CJK/emoji) task names >48 bytes no longer panic — and no longer take down the WS socket via the turn-terminal handler.#39 — Streaming agent loop: terminal tool orphans sibling tool_calls / dangles ToolStart
tool cancelled: …tool_resultfor every unprocessed sibling before returning, so the persisted conversation has a reply for everytool_callid (no more provider 400 on resume).ToolEnds genuinely fired and emit a closingToolEndfor any call cancelled in-flight, so noToolStartis left dangling on the wire.#40 —
fs.patch: disk-commit phase not atomic on I/O failure#41 —
SummarizingMemory: summary inserted out of chronological order under cache breakpointTesting
cargo clippy -p harness-core -p harness-tools -p harness-memory -p harness-server --all-targets -- -D warnings— clean.validate_git_url_*/parse_target_drops_command_executing_git_transport/sync_setup_rejects_command_executing_transport(Security: arbitrary command execution via unvalidated git URL in memory-include directives #37),multibyte_task_name_does_not_panic(Panic: byte-slice truncation in GET /v1/tasks crashes request and WS socket on multibyte task names #38),streaming_terminal_tool_fills_sibling_results_and_pairs_events(Streaming agent loop: terminal tool in a multi-call batch orphans sibling tool_calls / dangles ToolStart events #39),phase_two_io_failure_rolls_back_committed_writes(fs.patch: disk-commit phase is not atomic on I/O failure, leaving a partial multi-file write #40),breakpoint_summary_sits_between_cached_prefix_and_recent_tail(SummarizingMemory: summary of dropped 'hole' turns is inserted out of chronological order under cache breakpoint #41).memory_include/memory_syncthat perform realgit commit/push— they fail on baseline too because the sandbox's commit-signing hook returns HTTP 400.Closes #37, closes #38, closes #39, closes #40, closes #41.
https://claude.ai/code/session_013gxHmLU1sk8WabMxPvMRf7
Generated by Claude Code