Harden plugin runtime: TLS verify, LSP deadlock, path traversal, ABI exception safety (W14)
W14 addresses the five most critical findings from the W13 plugin audits:
- W14.1 network: enable ssl::verify_peer + SSL_set1_host SNI hostname
verification (fixes TLS bypass, W13.3 CVSS 7.4); add steady_timer DNS
timeout and bottom-up catch(...) hardening (engineer-zhou)
- W14.2 lsp: fix reader_loop/stop mutex deadlock via stop_nolock/stop_locked
split (W13.4); wrap 11 vtable/entry functions in try/catch with cv
notification on reader exit (engineer-sun)
- W14.3 tools: add is_safe_path() rejecting empty/absolute/.. paths before
file_io calls (fixes path traversal, W13.5 CVSS 7.5); guard g_tools and
g_session/g_history under mutex; 9 vtable try/catch (security-cao)
- W14.4 host: add fallback plugin search (../plugins/) so binaries run from
build/tests/ load current DLLs, resolving the W13.6 R2 stale-DLL false
alarm (architect-lin)
- W14.5 anthropic+deepseek: wrap 12 ABI boundary functions in try/catch with
log-guard, preventing exceptions from crossing the C ABI (engineer-chen)
Verified: cmake build 0 error 0 warning, ctest 4/4 pass, smoke R2 now
passes naturally.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
XiuChengWu
102cd3e141