Fix security vulnerabilities and session reliability from code review

teggen · claude · teggen · commit 05586226fc27 · 2026-03-25T21:00:14.000+01:00
- Decouple gateway bind from launcher public mode so -public no longer exposes the gateway port on 0.0.0.0 (review finding sipeed#3) - Return HTTP 500 for real session directory read errors instead of silently returning an empty list (review finding sipeed#4) - Sort sessions by time.Time instead of RFC3339 strings to handle mixed timezone offsets correctly (review finding sipeed#5) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/web/backend/api/gateway.go b/web/backend/api/gateway.go
@@ -389,9 +389,6 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int
 	if h.configPath != "" {
 		cmd.Env = append(cmd.Env, config.EnvConfig+"="+h.configPath)
 	}
-	if host := h.gatewayHostOverride(); host != "" {
-		cmd.Env = append(cmd.Env, config.EnvGatewayHost+"="+host)
-	}
 
 	stdoutPipe, err := cmd.StdoutPipe()
 	if err != nil {
diff --git a/web/backend/api/gateway_host.go b/web/backend/api/gateway_host.go
@@ -10,30 +10,7 @@ import (
 	"github.com/sipeed/picoclaw/pkg/config"
 )
 
-func (h *Handler) effectiveLauncherPublic() bool {
-	if h.serverPublicExplicit {
-		return h.serverPublic
-	}
-
-	cfg, err := h.loadLauncherConfig()
-	if err == nil {
-		return cfg.Public
-	}
-
-	return h.serverPublic
-}
-
-func (h *Handler) gatewayHostOverride() string {
-	if h.effectiveLauncherPublic() {
-		return "0.0.0.0"
-	}
-	return ""
-}
-
 func (h *Handler) effectiveGatewayBindHost(cfg *config.Config) string {
-	if override := h.gatewayHostOverride(); override != "" {
-		return override
-	}
 	if cfg == nil {
 		return ""
 	}
diff --git a/web/backend/api/gateway_host_test.go b/web/backend/api/gateway_host_test.go
@@ -10,42 +10,32 @@ import (
 	"time"
 
 	"github.com/sipeed/picoclaw/pkg/config"
-	"github.com/sipeed/picoclaw/web/backend/launcherconfig"
 )
 
-func TestGatewayHostOverrideUsesExplicitRuntimePublic(t *testing.T) {
+func TestPublicLauncherDoesNotOverrideGatewayBind(t *testing.T) {
 	configPath := filepath.Join(t.TempDir(), "config.json")
-	launcherPath := launcherconfig.PathForAppConfig(configPath)
-	if err := launcherconfig.Save(launcherPath, launcherconfig.Config{
-		Port:   18800,
-		Public: false,
-	}); err != nil {
-		t.Fatalf("launcherconfig.Save() error = %v", err)
+	cfg := config.DefaultConfig()
+	cfg.Gateway.Host = "127.0.0.1"
+	cfg.Gateway.Port = 18790
+	if err := config.SaveConfig(configPath, cfg); err != nil {
+		t.Fatalf("SaveConfig() error = %v", err)
 	}
 
 	h := NewHandler(configPath)
 	h.SetServerOptions(18800, true, true, nil)
 
-	if got := h.gatewayHostOverride(); got != "0.0.0.0" {
-		t.Fatalf("gatewayHostOverride() = %q, want %q", got, "0.0.0.0")
+	if got := h.effectiveGatewayBindHost(cfg); got != "127.0.0.1" {
+		t.Fatalf("effectiveGatewayBindHost() = %q, want %q (public mode should not override)", got, "127.0.0.1")
 	}
 }
 
-func TestBuildWsURLUsesRequestHostWhenLauncherPublicSaved(t *testing.T) {
+func TestBuildWsURLUsesRequestHostWhenGatewayBindIsWildcard(t *testing.T) {
 	configPath := filepath.Join(t.TempDir(), "config.json")
-	launcherPath := launcherconfig.PathForAppConfig(configPath)
-	if err := launcherconfig.Save(launcherPath, launcherconfig.Config{
-		Port:   18800,
-		Public: true,
-	}); err != nil {
-		t.Fatalf("launcherconfig.Save() error = %v", err)
-	}
-
 	h := NewHandler(configPath)
 	h.SetServerOptions(18800, false, false, nil)
 
 	cfg := config.DefaultConfig()
-	cfg.Gateway.Host = "127.0.0.1"
+	cfg.Gateway.Host = "" // empty = wildcard, should use request host
 	cfg.Gateway.Port = 18790
 
 	req := httptest.NewRequest("GET", "http://launcher.local/api/pico/token", nil)
@@ -56,6 +46,23 @@ func TestBuildWsURLUsesRequestHostWhenLauncherPublicSaved(t *testing.T) {
 	}
 }
 
+func TestBuildWsURLUsesConfigHostWhenSet(t *testing.T) {
+	configPath := filepath.Join(t.TempDir(), "config.json")
+	h := NewHandler(configPath)
+	h.SetServerOptions(18800, false, false, nil)
+
+	cfg := config.DefaultConfig()
+	cfg.Gateway.Host = "10.0.0.5"
+	cfg.Gateway.Port = 18790
+
+	req := httptest.NewRequest("GET", "http://launcher.local/api/pico/token", nil)
+	req.Host = "192.168.1.9:18800"
+
+	if got := h.buildWsURL(req, cfg); got != "ws://10.0.0.5:18800/pico/ws" {
+		t.Fatalf("buildWsURL() = %q, want %q", got, "ws://10.0.0.5:18800/pico/ws")
+	}
+}
+
 func TestGatewayProbeHostUsesLoopbackForWildcardBind(t *testing.T) {
 	if got := gatewayProbeHost("0.0.0.0"); got != "127.0.0.1" {
 		t.Fatalf("gatewayProbeHost() = %q, want %q", got, "127.0.0.1")
@@ -106,13 +113,13 @@ func TestGetGatewayHealthUsesConfiguredHost(t *testing.T) {
 	}
 }
 
-func TestGetGatewayHealthUsesProbeHostForPublicLauncher(t *testing.T) {
+func TestGetGatewayHealthUsesConfigHostForPublicLauncher(t *testing.T) {
 	configPath := filepath.Join(t.TempDir(), "config.json")
 	h := NewHandler(configPath)
 	h.SetServerOptions(18800, true, true, nil)
 
 	cfg := config.DefaultConfig()
-	cfg.Gateway.Host = "127.0.0.1"
+	cfg.Gateway.Host = "192.168.1.10"
 	cfg.Gateway.Port = 18791
 
 	originalHealthGet := gatewayHealthGet
@@ -130,8 +137,9 @@ func TestGetGatewayHealthUsesProbeHostForPublicLauncher(t *testing.T) {
 	_ = statusCode
 	_ = err
 
-	if requestedURL != "http://127.0.0.1:18791/health" {
-		t.Fatalf("health url = %q, want %q", requestedURL, "http://127.0.0.1:18791/health")
+	// Public mode no longer overrides the gateway host — config host is used directly.
+	if requestedURL != "http://192.168.1.10:18791/health" {
+		t.Fatalf("health url = %q, want %q", requestedURL, "http://192.168.1.10:18791/health")
 	}
 }
 
diff --git a/web/backend/api/session.go b/web/backend/api/session.go
@@ -34,12 +34,13 @@ type sessionFile struct {
 
 // sessionListItem is a lightweight summary returned by GET /api/sessions.
 type sessionListItem struct {
-	ID           string `json:"id"`
-	Title        string `json:"title"`
-	Preview      string `json:"preview"`
-	MessageCount int    `json:"message_count"`
-	Created      string `json:"created"`
-	Updated      string `json:"updated"`
+	ID           string    `json:"id"`
+	Title        string    `json:"title"`
+	Preview      string    `json:"preview"`
+	MessageCount int       `json:"message_count"`
+	Created      string    `json:"created"`
+	Updated      string    `json:"updated"`
+	updatedTime  time.Time // unexported; used for sorting, omitted from JSON
 }
 
 type sessionMetaFile struct {
@@ -229,6 +230,7 @@ func buildSessionListItem(sessionID string, sess sessionFile) sessionListItem {
 		MessageCount: validMessageCount,
 		Created:      sess.Created.Format(time.RFC3339),
 		Updated:      sess.Updated.Format(time.RFC3339),
+		updatedTime:  sess.Updated,
 	}
 }
 
@@ -286,9 +288,13 @@ func (h *Handler) handleListSessions(w http.ResponseWriter, r *http.Request) {
 
 	entries, err := os.ReadDir(dir)
 	if err != nil {
-		// Directory doesn't exist yet = no sessions
-		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode([]sessionListItem{})
+		if errors.Is(err, os.ErrNotExist) {
+			// Directory doesn't exist yet = no sessions
+			w.Header().Set("Content-Type", "application/json")
+			json.NewEncoder(w).Encode([]sessionListItem{})
+			return
+		}
+		http.Error(w, "failed to read sessions directory", http.StatusInternalServerError)
 		return
 	}
 
@@ -367,7 +373,7 @@ func (h *Handler) handleListSessions(w http.ResponseWriter, r *http.Request) {
 
 	// Sort by updated descending (most recent first)
 	sort.Slice(items, func(i, j int) bool {
-		return items[i].Updated > items[j].Updated
+		return items[i].updatedTime.After(items[j].updatedTime)
 	})
 
 	// Pagination parameters
diff --git a/web/backend/api/session_test.go b/web/backend/api/session_test.go
@@ -320,3 +320,157 @@ func TestHandleSessions_FiltersEmptyJSONLFiles(t *testing.T) {
 		t.Fatalf("detail status = %d, want %d, body=%s", detailRec.Code, http.StatusNotFound, detailRec.Body.String())
 	}
 }
+
+func TestHandleListSessions_MissingDirectory(t *testing.T) {
+	configPath, cleanup := setupOAuthTestEnv(t)
+	defer cleanup()
+
+	// Don't create the sessions dir — it should return empty list with 200.
+	h := NewHandler(configPath)
+	mux := http.NewServeMux()
+	h.RegisterRoutes(mux)
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/api/sessions", nil)
+	mux.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusOK, rec.Body.String())
+	}
+
+	var items []sessionListItem
+	if err := json.Unmarshal(rec.Body.Bytes(), &items); err != nil {
+		t.Fatalf("Unmarshal() error = %v", err)
+	}
+	if len(items) != 0 {
+		t.Fatalf("len(items) = %d, want 0", len(items))
+	}
+}
+
+func TestHandleListSessions_UnreadableDirectory(t *testing.T) {
+	configPath, cleanup := setupOAuthTestEnv(t)
+	defer cleanup()
+
+	dir := sessionsTestDir(t, configPath)
+
+	// Remove all permissions so ReadDir fails with a permission error.
+	if err := os.Chmod(dir, 0o000); err != nil {
+		t.Fatalf("Chmod() error = %v", err)
+	}
+	t.Cleanup(func() { os.Chmod(dir, 0o755) })
+
+	h := NewHandler(configPath)
+	mux := http.NewServeMux()
+	h.RegisterRoutes(mux)
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/api/sessions", nil)
+	mux.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusInternalServerError {
+		t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusInternalServerError, rec.Body.String())
+	}
+}
+
+func TestHandleListSessions_MalformedSessionFileSkipped(t *testing.T) {
+	configPath, cleanup := setupOAuthTestEnv(t)
+	defer cleanup()
+
+	dir := sessionsTestDir(t, configPath)
+
+	// Write a valid session.
+	store, err := memory.NewJSONLStore(dir)
+	if err != nil {
+		t.Fatalf("NewJSONLStore() error = %v", err)
+	}
+	validKey := picoSessionPrefix + "valid-session"
+	if err := store.AddFullMessage(nil, validKey, providers.Message{
+		Role:    "user",
+		Content: "hello",
+	}); err != nil {
+		t.Fatalf("AddFullMessage() error = %v", err)
+	}
+
+	// Write a malformed legacy JSON session alongside it.
+	corruptName := sanitizeSessionKey(picoSessionPrefix+"corrupt-session") + ".json"
+	if err := os.WriteFile(filepath.Join(dir, corruptName), []byte("{invalid json"), 0o644); err != nil {
+		t.Fatalf("WriteFile() error = %v", err)
+	}
+
+	h := NewHandler(configPath)
+	mux := http.NewServeMux()
+	h.RegisterRoutes(mux)
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/api/sessions", nil)
+	mux.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusOK, rec.Body.String())
+	}
+
+	var items []sessionListItem
+	if err := json.Unmarshal(rec.Body.Bytes(), &items); err != nil {
+		t.Fatalf("Unmarshal() error = %v", err)
+	}
+	if len(items) != 1 {
+		t.Fatalf("len(items) = %d, want 1 (valid session only)", len(items))
+	}
+	if items[0].ID != "valid-session" {
+		t.Fatalf("items[0].ID = %q, want %q", items[0].ID, "valid-session")
+	}
+}
+
+func TestHandleListSessions_SortsByTimeNotString(t *testing.T) {
+	configPath, cleanup := setupOAuthTestEnv(t)
+	defer cleanup()
+
+	dir := sessionsTestDir(t, configPath)
+	store, err := memory.NewJSONLStore(dir)
+	if err != nil {
+		t.Fatalf("NewJSONLStore() error = %v", err)
+	}
+
+	// Create "older" session first, then "newer" session.
+	// The newer session should appear first in results.
+	olderKey := picoSessionPrefix + "older"
+	if err := store.AddFullMessage(nil, olderKey, providers.Message{
+		Role: "user", Content: "old message",
+	}); err != nil {
+		t.Fatalf("AddFullMessage(older) error = %v", err)
+	}
+
+	newerKey := picoSessionPrefix + "newer"
+	if err := store.AddFullMessage(nil, newerKey, providers.Message{
+		Role: "user", Content: "new message",
+	}); err != nil {
+		t.Fatalf("AddFullMessage(newer) error = %v", err)
+	}
+
+	h := NewHandler(configPath)
+	mux := http.NewServeMux()
+	h.RegisterRoutes(mux)
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/api/sessions", nil)
+	mux.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK)
+	}
+
+	var items []sessionListItem
+	if err := json.Unmarshal(rec.Body.Bytes(), &items); err != nil {
+		t.Fatalf("Unmarshal() error = %v", err)
+	}
+	if len(items) != 2 {
+		t.Fatalf("len(items) = %d, want 2", len(items))
+	}
+	// The session created last should sort first (most recent).
+	if items[0].ID != "newer" {
+		t.Fatalf("items[0].ID = %q, want %q (most recent first)", items[0].ID, "newer")
+	}
+	if items[1].ID != "older" {
+		t.Fatalf("items[1].ID = %q, want %q", items[1].ID, "older")
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -389,9 +389,6 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int`
`389`	`389`	`if h.configPath != "" {`
`390`	`390`	`cmd.Env = append(cmd.Env, config.EnvConfig+"="+h.configPath)`
`391`	`391`	`}`
`392`		`- if host := h.gatewayHostOverride(); host != "" {`
`393`		`- cmd.Env = append(cmd.Env, config.EnvGatewayHost+"="+host)`
`394`		`- }`
`395`	`392`
`396`	`393`	`stdoutPipe, err := cmd.StdoutPipe()`
`397`	`394`	`if err != nil {`