pulsareon/dstalk
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden plugin runtime: TLS verify, LSP deadlock, path traversal, ABI exception safety (W14)
Some checks failed
CI / Determine matrix (push) Has been cancelled
Details
CI / ${{ matrix.os }} / ${{ matrix.build_type }} (push) Has been cancelled
Details

Browse Source 
W14 addresses the five most critical findings from the W13 plugin audits:

- W14.1 network: enable ssl::verify_peer + SSL_set1_host SNI hostname
  verification (fixes TLS bypass, W13.3 CVSS 7.4); add steady_timer DNS
  timeout and bottom-up catch(...) hardening (engineer-zhou)
- W14.2 lsp: fix reader_loop/stop mutex deadlock via stop_nolock/stop_locked
  split (W13.4); wrap 11 vtable/entry functions in try/catch with cv
  notification on reader exit (engineer-sun)
- W14.3 tools: add is_safe_path() rejecting empty/absolute/.. paths before
  file_io calls (fixes path traversal, W13.5 CVSS 7.5); guard g_tools and
  g_session/g_history under mutex; 9 vtable try/catch (security-cao)
- W14.4 host: add fallback plugin search (../plugins/) so binaries run from
  build/tests/ load current DLLs, resolving the W13.6 R2 stale-DLL false
  alarm (architect-lin)
- W14.5 anthropic+deepseek: wrap 12 ABI boundary functions in try/catch with
  log-guard, preventing exceptions from crossing the C ABI (engineer-chen)

Verified: cmake build 0 error 0 warning, ctest 4/4 pass, smoke R2 now
passes naturally.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
XiuChengWu
2026-05-27 12:03:50 +08:00
parent 47082376ef
commit 102cd3e141
12 changed files with 1230 additions and 702 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
agents/engineer-zhou/profile.md
View File

@@ -35,5 +35,20 @@ performance_log:
峰值内存: -67% (~360KB -> ~120KB), 无额外拷贝.
留待真实 API 压测验证 end-to-end.
rating: good
- date: 2026-05-27
event: "W14.1 - network_plugin TLS/DNS/exception 三修复 (W13.3 audit)"
detail: |
修复 W13.3 审计三个问题:
(1) TLS 证书验证 (CVSS 7.4): HttpClientCtx 构造添加 set_verify_mode(verify_peer);
handshake 前 SSL_set1_host 启用 hostname 验证; SNI/hostname-fail / handshake-fail
均 host_log(ERROR).
(2) DNS resolve 超时: 用 steady_timer + async_wait + resolver.cancel() 实现 10s 超时,
超时/失败均返回明确错误码.
(3) catch(...) 兜底: 在 catch(const std::exception&) 后追加 catch(...),
非 std 异常不再穿越 C ABI (对齐 plugin-abi.md §8).
编译 0 error 0 warning, ctest 4/4 pass.
无新增依赖. Windows 上 set_default_verify_paths 可能找不到系统 CA, 已加 TODO
建议设置 SSL_CERT_FILE 或 bundle cacert.pem.
rating: completed
current_groups: []
---