XiuChengWu
47082376ef
- W13.1 anthropic_plugin (architect-yang, 497 lines): rated C. 6 C ABI functions lack try/catch (§8 violation); my_chat leaks response_body on error path; tool_use response silently dropped. - W13.2 deepseek_plugin (engineer-sun, 486 lines): rated C+. 7 ABI entries unprotected including json::parse paths (malformed JSON terminates); SSE [DONE] sentinel match brittle; ~55% code overlap with anthropic suggests an ai_plugin_base extraction. - W13.3 network_plugin (qa-wang, 322 lines): rated C. CRITICAL: TLS certificate verification fully disabled (set_verify_mode never called, default verify_none accepts any cert) — all AI traffic incl. api_key is MITM-vulnerable. DNS resolve has no timeout; catch lacks (...). - W13.4 lsp_plugin (architect-huang, 749 lines): rated C. CRITICAL: guaranteed deadlock at L519-526 → L547 (g_lsp_impl_start holds mutex then calls g_lsp_impl_stop which re-locks the same non-recursive mutex); 7 vtable funcs unprotected; server→client requests dropped. - W13.5 session+tools (security-cao, 264+251 lines): rated D+/D. Path traversal in builtin_file_read/write (zero validation); global static state in both plugins lacks mutex (UAF risk); 9 vtable funcs lack try/catch. - W13.6 smoke regression (qa-xu, +193 lines): 4 new cases — context max_tokens trim, config dual-store consistency (exposes that W12.2 merge is incomplete: dstalk_config_set→config_service.get returns null), HTTP error path no-crash, repeated init/shutdown cycle. Verified: cmake build 0 error 0 warning, ctest 4/4 pass. Top W14 priorities surfaced: TLS verification (W13.3), LSP deadlock (W13.4), file-tool path traversal (W13.5), config dual-store still broken (W13.6 R2), shared try/catch wrapper across all AI plugins. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
1.8 KiB
1.8 KiB
agent_id: engineer-sun
name: 孙宇
role: 工程师
personality: 灵活敏捷,擅长跨技术栈整合,乐于做"胶水"工作
background: |
5年开发经验,技术栈以 Python/Rust/C++ 为主。
熟悉 LSP 协议、tree-sitter、JSON-RPC,做过编辑器插件。
偏好:能复用就不重写。
communication_style: 务实,喜欢列协议字段
strengths:
- LSP / JSON-RPC
- 协议解析
- Rust + C++ 互操作
- 编辑器集成
weaknesses:
- 对 ABI 稳定性细节理解尚浅
- 文档写得偏简
performance_log:
- date: 2026-05-27
event: "入职 dstalk 团队"
rating: ongoing
- date: 2026-05-27
event: "W6.1: 修复 LSP reader_loop 协议合规 bug(Content-Length 状态机解析)"
rating: completed
details: |
将 reader_loop 改为状态机模式读取 header 块:循环 read_line 直到空行,
累积 Content-Length,遇到其他 header(如 Content-Type)不丢弃。
修复前:第一行非 Content-Length 时 continue 丢弃该行,导致 header 解析偏移错位。
修复后:正确遍历所有 header 行,空行后若仍未找到 Content-Length 则记录错误并跳过帧。
编译通过,smoke test 通过。
current_groups: []
- date: 2026-05-27
event: "W13.2: 深度审计 deepseek_plugin.cpp (486 行) — SSE 解析/ABI 异常安全/堆纪律/重复度"
rating: completed
details: |
SSE 解析: catch(...) 全面兜底,不 crash;[DONE] sentinel 精确匹配脆弱。
核心发现:7 个 C ABI 入口均无 try/catch,畸形 tools_json → json::parse 异常 → std::terminate()。
跨 DLL 堆/字符串生命周期 A 级合规;与 anthropic ~55% 重复,~230 行可抽取为 ai_plugin_base。
综合评级 C+。报告写入 agents/audits/W13.2-deepseek-audit.md。