Skip to content

fix(security): 2 improvements across 2 files#1412

Open
tomaioo wants to merge 2 commits into
MoonshotAI:mainfrom
tomaioo:fix/security/path-traversal-in-plugin-node-entry-exec
Open

fix(security): 2 improvements across 2 files#1412
tomaioo wants to merge 2 commits into
MoonshotAI:mainfrom
tomaioo:fix/security/path-traversal-in-plugin-node-entry-exec

Conversation

@tomaioo

@tomaioo tomaioo commented Jul 6, 2026

Copy link
Copy Markdown

Summary

fix(security): 2 improvements across 2 files

Problem

Severity: High | File: apps/kimi-code/src/cli/sub/plugin-run-node.ts:L5

The runPluginNodeEntry function in plugin-run-node.ts attempts to validate that an plugin entry point is within the KIMI_PLUGIN_ROOT directory using isWithin(). However, the validation is performed on resolved real paths after calling realpath() on both the entry and root. While this prevents some symlink-based traversal, the isWithin function uses path.relative() which can be bypassed on case-insensitive filesystems (Windows, macOS) or with certain Unicode normalization attacks. More critically, the function then directly imports the entry file via import(pathToFileURL(entryReal).href) with no additional sandboxing, allowing arbitrary code execution within the Node.js process. An attacker who can control the entry parameter or influence KIMI_PLUGIN_ROOT could execute arbitrary code.

Solution

Add additional validation: (1) ensure the resolved entry path ends with expected extensions (.js, .mjs, .cjs), (2) add a second check after realpath that the entry is still within root using a more robust check like entryReal.startsWith(rootReal + path.sep), (3) consider running plugin entries in a worker thread or subprocess with limited privileges, (4) validate that KIMI_PLUGIN_ROOT is not writable by untrusted users.

Changes

  • apps/kimi-code/src/cli/sub/plugin-run-node.ts (modified)
  • apps/kimi-code/src/feedback/archive.ts (modified)

tomaioo added 2 commits July 5, 2026 23:16
- Security: Path Traversal in Plugin Node Entry Execution
- Security: Arbitrary File Write via Feedback Archive Path

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
- Security: Path Traversal in Plugin Node Entry Execution
- Security: Arbitrary File Write via Feedback Archive Path

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@changeset-bot

changeset-bot Bot commented Jul 6, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 45d46c1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 45d46c100f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +21 to +23
const ext = path.extname(entryReal).toLowerCase();
if (!ALLOWED_EXTENSIONS.includes(ext)) {
throw new Error(`Plugin node entry must have a valid extension (${ALLOWED_EXTENSIONS.join(', ')}): ${entry}`);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve extensionless Node entrypoints

When the native binary rewrites plugin MCP servers with command: "node", it passes the manifest's original args directly to __plugin_run_node (packages/agent-core/src/plugin/manager.ts:501-506), so this helper needs to accept the same script paths users can pass to Node. A valid plugin config such as args: ["./server"] or a direct package bin without a .js/.mjs/.cjs suffix previously ran from the plugin root, but now path.extname(entryReal) is "" and the MCP server fails before import. Please allow extensionless in-root scripts or otherwise emulate Node's accepted entrypoint behavior.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant