fix: validate agent toml boundaries

2026-05-25 17:58:22 +08:00
parent fee920a895
commit 425e11c444
4 changed files with 124 additions and 0 deletions
--- a/internal/agents/store.go
+++ b/internal/agents/store.go
@@ -61,6 +61,15 @@ func (s Store) readOne(fileName string) AgentDefinition {
 		def.ParseError = err.Error()
 		return def
 	}
+	if info, err := os.Lstat(safePath); err != nil {
+		def.ParseStatus = "invalid"
+		def.ParseError = err.Error()
+		return def
+	} else if info.Mode()&os.ModeSymlink != 0 {
+		def.ParseStatus = "invalid"
+		def.ParseError = codexhome.ErrForbiddenPath.Error()
+		return def
+	}
 	info, statErr := os.Stat(safePath)
 	if statErr == nil {
 		def.ModifiedAt = info.ModTime()
@@ -109,6 +118,12 @@ func parseSimpleTOML(input string) (map[string]string, error) {
 		if key == "" {
 			return values, fmt.Errorf("第 %d 行缺少字段名", lineNumber)
 		}
+		if !isValidBareKey(key) {
+			return values, fmt.Errorf("第 %d 行包含无效字段名", lineNumber)
+		}
+		if _, exists := values[key]; exists {
+			return values, fmt.Errorf("第 %d 行重复字段名 %q", lineNumber, key)
+		}

 		value, err := parseTOMLString(raw, scanner)
 		if err != nil {
@@ -122,6 +137,25 @@ func parseSimpleTOML(input string) (map[string]string, error) {
 	return values, nil
 }

+func isValidBareKey(key string) bool {
+	for _, char := range key {
+		if char >= 'a' && char <= 'z' {
+			continue
+		}
+		if char >= 'A' && char <= 'Z' {
+			continue
+		}
+		if char >= '0' && char <= '9' {
+			continue
+		}
+		if char == '_' || char == '-' {
+			continue
+		}
+		return false
+	}
+	return true
+}
+
 func parseTOMLString(raw string, scanner *bufio.Scanner) (string, error) {
 	if strings.HasPrefix(raw, `"""`) {
 		block := strings.TrimPrefix(raw, `"""`)
--- a/internal/agents/store_test.go
+++ b/internal/agents/store_test.go
@@ -72,6 +72,54 @@ func TestListAgentsReportsParseError(t *testing.T) {
 	}
 }

+func TestListAgentsReportsDuplicateKeyAsParseError(t *testing.T) {
+	root := t.TempDir()
+	agentsDir := filepath.Join(root, "agents")
+	if err := os.MkdirAll(agentsDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	content := "name = \"a\"\nname = \"b\"\n"
+	if err := os.WriteFile(filepath.Join(agentsDir, "duplicate.toml"), []byte(content), 0o644); err != nil {
+		t.Fatal(err)
+	}
+
+	store := Store{CodexHome: root}
+	got, err := store.List()
+	if err != nil {
+		t.Fatalf("List should return parse status, not fatal error: %v", err)
+	}
+	if len(got) != 1 {
+		t.Fatalf("agent count = %d, want 1", len(got))
+	}
+	if got[0].ParseStatus != "invalid" || got[0].ParseError == "" {
+		t.Fatalf("expected duplicate key to be invalid, got %#v", got[0])
+	}
+}
+
+func TestListAgentsReportsInvalidKeyAsParseError(t *testing.T) {
+	root := t.TempDir()
+	agentsDir := filepath.Join(root, "agents")
+	if err := os.MkdirAll(agentsDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	content := "bad key = \"value\"\n"
+	if err := os.WriteFile(filepath.Join(agentsDir, "bad-key.toml"), []byte(content), 0o644); err != nil {
+		t.Fatal(err)
+	}
+
+	store := Store{CodexHome: root}
+	got, err := store.List()
+	if err != nil {
+		t.Fatalf("List should return parse status, not fatal error: %v", err)
+	}
+	if len(got) != 1 {
+		t.Fatalf("agent count = %d, want 1", len(got))
+	}
+	if got[0].ParseStatus != "invalid" || got[0].ParseError == "" {
+		t.Fatalf("expected invalid key to be invalid, got %#v", got[0])
+	}
+}
+
 func TestListAgentsRejectsSensitiveSymlinkTargets(t *testing.T) {
 	root := t.TempDir()
 	agentsDir := filepath.Join(root, "agents")
@@ -100,3 +148,34 @@ func TestListAgentsRejectsSensitiveSymlinkTargets(t *testing.T) {
 		t.Fatalf("sensitive file content leaked: %#v", got[0])
 	}
 }
+
+func TestListAgentsRejectsSymlinkToNonAgentToml(t *testing.T) {
+	root := t.TempDir()
+	agentsDir := filepath.Join(root, "agents")
+	if err := os.MkdirAll(agentsDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(root, "config.toml"), []byte(`name = "project-secret"`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Symlink("../config.toml", filepath.Join(agentsDir, "leak.toml")); err != nil {
+		t.Fatal(err)
+	}
+
+	store := Store{CodexHome: root}
+	got, err := store.List()
+	if err != nil {
+		t.Fatalf("List should report unsafe files per item, not fatal error: %v", err)
+	}
+	if len(got) != 1 {
+		t.Fatalf("agent count = %d, want 1", len(got))
+	}
+	if got[0].ParseStatus != "invalid" {
+		t.Fatalf("expected non-agent symlink target to be invalid, got %#v", got[0])
+	}
+	if strings.Contains(got[0].Name, "project-secret") ||
+		strings.Contains(got[0].Description, "project-secret") ||
+		strings.Contains(got[0].ParseError, "project-secret") {
+		t.Fatalf("non-agent TOML content leaked: %#v", got[0])
+	}
+}