fix(security): block dangerous tools from HTTP gateway and fix ACP auto-approval (OC-02)

Two critical RCE vectors patched: Vector 1 - Gateway HTTP /tools/invoke: - Add DEFAULT_GATEWAY_HTTP_TOOL_DENY blocking sessions_spawn, sessions_send, gateway, whatsapp_login from HTTP invocation - Apply deny filter after existing policy cascade, before tool lookup - Add gateway.tools.{allow,deny} config override in GatewayConfig Vector 2 - ACP client auto-approval: - Replace blind allow_once selection with danger-aware permission handler - Dangerous tools (exec, sessions_spawn, etc.) require interactive confirmation - Safe tools retain auto-approve behavior (backward compatible) - Empty options array now denied (was hardcoded "allow") - 30s timeout auto-denies to prevent hung sessions CWE-78 | CVSS:3.1 9.8 Critical
2026-05-09 09:47:40 +00:00 · 2026-02-13 22:28:43 +11:00
parent 8899f9e94a
commit 749e28dec7
5 changed files with 237 additions and 10 deletions
--- a/src/acp/client.test.ts
+++ b/src/acp/client.test.ts
@@ -0,0 +1,60 @@
+import { describe, expect, it } from "vitest";
+
+// Structural tests verify security-critical code exists in client.ts.
+// Full integration tests with ACP SDK mocks deferred to future enhancement.
+
+describe("ACP client permission classification", () => {
+  it("should define dangerous tools that include exec and sessions_spawn", async () => {
+    const fs = await import("node:fs/promises");
+    const path = await import("node:path");
+    const source = await fs.readFile(
+      path.resolve(__dirname, "client.ts"),
+      "utf-8",
+    );
+
+    expect(source).toContain("DANGEROUS_ACP_TOOLS");
+    expect(source).toContain('"exec"');
+    expect(source).toContain('"sessions_spawn"');
+    expect(source).toContain('"sessions_send"');
+    expect(source).toContain('"gateway"');
+  });
+
+  it("should not auto-approve when options array is empty", async () => {
+    const fs = await import("node:fs/promises");
+    const path = await import("node:path");
+    const source = await fs.readFile(
+      path.resolve(__dirname, "client.ts"),
+      "utf-8",
+    );
+
+    // Verify the empty-options guard exists
+    expect(source).toContain("options.length === 0");
+    // Verify it denies rather than approves
+    expect(source).toContain("no options available");
+  });
+
+  it("should use stderr for permission logging (not stdout)", async () => {
+    const fs = await import("node:fs/promises");
+    const path = await import("node:path");
+    const source = await fs.readFile(
+      path.resolve(__dirname, "client.ts"),
+      "utf-8",
+    );
+
+    // Permission logs should go to stderr to avoid corrupting ACP protocol on stdout
+    expect(source).toContain("console.error");
+    expect(source).toContain("[permission");
+  });
+
+  it("should have a 30-second timeout for interactive prompts", async () => {
+    const fs = await import("node:fs/promises");
+    const path = await import("node:path");
+    const source = await fs.readFile(
+      path.resolve(__dirname, "client.ts"),
+      "utf-8",
+    );
+
+    expect(source).toContain("30_000");
+    expect(source).toContain("[permission timeout]");
+  });
+});