The putStat function in kernel/sql/stat.go was building SQL queries
via string concatenation instead of using parameterized queries.
While currently only called with hardcoded internal values, this is
a defense-in-depth improvement that prevents future SQL injection
if the function is ever called with user-controlled input.
The execStmtTx helper already supports variadic args, so this is
a straightforward change to use ? placeholders.
Co-authored-by: Test User <test@example.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
The /repo/diff/ endpoint used the URL path parameter directly in
filepath.Join without validation, allowing an authenticated admin
user to read arbitrary files via path traversal sequences.
This fix:
- Cleans the path with filepath.Clean
- Rejects paths containing ".."
- Validates the final path with IsSubPath to ensure it stays within
{TempDir}/repo/diff/
Co-authored-by: Test User <test@example.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
The /export/temp/ endpoint used c.Request.URL.Path directly in
filepath.Join without any validation, allowing path traversal via
sequences like /export/temp/../../ to access files outside the
intended temp directory.
This fix:
- Constrains file access to {TempDir}/export/temp/ base directory
- Cleans the relative path with filepath.Clean
- Rejects paths containing ".."
- Validates the final path with IsSubPath check
Co-authored-by: Test User <test@example.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* perf(kernel-plugin): strengthen RPC, sandbox, and form parsing
Validate and harden plugin RPC and request handling: ensure RPC API call first argument is a string; treat missing method using HasValue(); return InvalidParams for malformed params; bail out early when kernel is incompatible or missing. Fix sandbox promise invocation to return after reporting errors to avoid continuing on nil/invalid values. Change RequestForm files to []*RequestFile, allocate pointer entries, properly open/read/close uploaded files, and clone request headers before modifying them. These changes prevent nil derefs, resource leaks, and improve error reporting.
* perf(kernel-plugin): Skip empty Content-Type; use safe type assertions
Avoid setting an empty Content-Type header in the proxy when gin.Context.ContentType() is empty. Replace unsafe type assertions with comma-ok checks when converting request and file body bytes to Data objects to prevent panics on unexpected types or nil pointers. Also comment out assignments of c.Request.Context().Err() in plugin request handlers to avoid overwriting other error state on context cancellation. Affected files: kernel/api/network.go, kernel/plugin/plugin.go, kernel/plugin/sandbox.go.
