mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

fix: coord review remediations — path traversal, JSON parse, race condition

Browse Source 
Addresses code review findings from P2-005:
- Validate projectPath against allowed workspace roots (path traversal)
- Guard JSON.parse with try/catch in loadMission, readActiveSession, readSessionLock
- Add delay after stale lock removal to reduce race window
- Add @Inject(CoordService) per project guideline (no emitDecoratorMetadata)
- Eliminate double loadMission in getTaskStatus via shared buildStatusSummary
- Fix fragile prompt-inclusion check to test original command for {prompt}
- Add mkdir to writeAtomic for consistency with other atomic helpers

Closes #80

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-03-12 22:43:30 -05:00
parent b03c603759
commit 4de23e238a
5 changed files with 86 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
apps/gateway/src/coord/coord.controller.ts
View File

@@ -1,15 +1,39 @@
import { Controller, Get, NotFoundException, Param, Query, UseGuards } from '@nestjs/common';
import {
BadRequestException,
Controller,
Get,
Inject,
NotFoundException,
Param,
Query,
UseGuards,
} from '@nestjs/common';
import path from 'node:path';
import { AuthGuard } from '../auth/auth.guard.js';
import { CoordService } from './coord.service.js';
/** Only paths under these roots are allowed for coord queries. */
const ALLOWED_ROOTS = [process.cwd()];
function resolveAndValidatePath(raw: string | undefined): string {
const resolved = path.resolve(raw ?? process.cwd());
const isAllowed = ALLOWED_ROOTS.some(
(root) => resolved === root || resolved.startsWith(`${root}/`),
);
if (!isAllowed) {
throw new BadRequestException('projectPath is outside the allowed workspace');
}
return resolved;
}
@Controller('api/coord')
@UseGuards(AuthGuard)
export class CoordController {
constructor(private readonly coordService: CoordService) {}
constructor(@Inject(CoordService) private readonly coordService: CoordService) {}
@Get('status')
async missionStatus(@Query('projectPath') projectPath?: string) {
const resolvedPath = projectPath ?? process.cwd();
const resolvedPath = resolveAndValidatePath(projectPath);
const status = await this.coordService.getMissionStatus(resolvedPath);
if (!status) throw new NotFoundException('No active coord mission found');
return status;
@@ -17,13 +41,13 @@ export class CoordController {
@Get('tasks')
async listTasks(@Query('projectPath') projectPath?: string) {
const resolvedPath = projectPath ?? process.cwd();
const resolvedPath = resolveAndValidatePath(projectPath);
return this.coordService.listTasks(resolvedPath);
}
@Get('tasks/:taskId')
async taskStatus(@Param('taskId') taskId: string, @Query('projectPath') projectPath?: string) {
const resolvedPath = projectPath ?? process.cwd();
const resolvedPath = resolveAndValidatePath(projectPath);
const detail = await this.coordService.getTaskStatus(resolvedPath, taskId);
if (!detail) throw new NotFoundException(`Task ${taskId} not found in coord mission`);
return detail;

9
packages/coord/src/mission.ts
View File

@@ -379,7 +379,14 @@ export async function loadMission(projectPath: string): Promise<Mission> {
throw error;
}
const mission = normalizeMission(JSON.parse(raw), resolvedProjectPath);
let parsed: unknown;
try {
parsed = JSON.parse(raw);
} catch {
throw new Error(`Invalid JSON in mission file: ${filePath}`);
}
const mission = normalizeMission(parsed, resolvedProjectPath);
if (mission.status === 'inactive') {
throw new Error('Mission exists but is inactive. Re-initialize with mosaic coord init.');
}

36
packages/coord/src/runner.ts
View File

@@ -195,11 +195,12 @@ function resolveLaunchCommand(
return [runtime, '-p', prompt];
}
const hasPromptPlaceholder = configuredCommand.some((value) => value === '{prompt}');
const withInterpolation = configuredCommand.map((value) =>
value === '{prompt}' ? prompt : value,
);
if (withInterpolation.includes(prompt)) {
if (hasPromptPlaceholder) {
return withInterpolation;
}
@@ -224,9 +225,27 @@ async function writeAtomicJson(filePath: string, payload: unknown): Promise<void
async function readSessionLock(mission: Mission): Promise<SessionLockState | undefined> {
const filePath = sessionLockPath(mission);
let raw: string;
try {
const raw = await fs.readFile(filePath, 'utf8');
const data = JSON.parse(raw) as Partial<SessionLockState>;
raw = await fs.readFile(filePath, 'utf8');
} catch (error) {
if (
typeof error === 'object' &&
error !== null &&
'code' in error &&
(error as { code?: string }).code === 'ENOENT'
) {
return undefined;
}
throw error;
}
let data: Partial<SessionLockState>;
try {
data = JSON.parse(raw) as Partial<SessionLockState>;
} catch {
return undefined;
}
if (
typeof data.session_id !== 'string' ||
@@ -246,17 +265,6 @@ async function readSessionLock(mission: Mission): Promise<SessionLockState | und
project_path: data.project_path,
milestone_id: data.milestone_id,
};
} catch (error) {
if (
typeof error === 'object' &&
error !== null &&
'code' in error &&
(error as { code?: string }).code === 'ENOENT'
) {
return undefined;
}
throw error;
}
}
async function writeSessionLock(mission: Mission, lock: SessionLockState): Promise<void> {

23
packages/coord/src/status.ts
View File

@@ -78,7 +78,12 @@ async function readActiveSession(mission: Mission): Promise<MissionSession | und
throw error;
}
const lock = JSON.parse(lockRaw) as SessionLockState;
let lock: SessionLockState;
try {
lock = JSON.parse(lockRaw) as SessionLockState;
} catch {
return undefined;
}
if (
typeof lock.session_id !== 'string' ||
(lock.runtime !== 'claude' && lock.runtime !== 'codex') ||
@@ -106,10 +111,10 @@ async function readActiveSession(mission: Mission): Promise<MissionSession | und
};
}
export async function getMissionStatus(mission: Mission): Promise<MissionStatusSummary> {
const freshMission = await loadMission(mission.projectPath);
const tasks = await readTasks(freshMission);
async function buildStatusSummary(
freshMission: Mission,
tasks: MissionTask[],
): Promise<MissionStatusSummary> {
const done = tasks.filter((task) => task.status === 'done').length;
const inProgress = tasks.filter((task) => task.status === 'in-progress').length;
const pending = tasks.filter((task) => task.status === 'not-started').length;
@@ -151,6 +156,12 @@ export async function getMissionStatus(mission: Mission): Promise<MissionStatusS
};
}
export async function getMissionStatus(mission: Mission): Promise<MissionStatusSummary> {
const freshMission = await loadMission(mission.projectPath);
const tasks = await readTasks(freshMission);
return buildStatusSummary(freshMission, tasks);
}
export async function getTaskStatus(mission: Mission, taskId: string): Promise<TaskDetail> {
const freshMission = await loadMission(mission.projectPath);
const tasks = await readTasks(freshMission);
@@ -164,7 +175,7 @@ export async function getTaskStatus(mission: Mission, taskId: string): Promise<T
throw new Error(`Duplicate task IDs found: ${taskId}`);
}
const summary = await getMissionStatus(freshMission);
const summary = await buildStatusSummary(freshMission, tasks);
return {
missionId: freshMission.id,

2
packages/coord/src/tasks-file.ts
View File

@@ -219,6 +219,7 @@ async function acquireLock(lockPath: string): Promise<void> {
const stats = await fs.stat(lockPath);
if (Date.now() - stats.mtimeMs > TASKS_LOCK_STALE_MS) {
await fs.rm(lockPath, { force: true });
await delay(TASKS_LOCK_RETRY_MS);
continue;
}
} catch (statError) {
@@ -240,6 +241,7 @@ async function releaseLock(lockPath: string): Promise<void> {
async function writeAtomic(filePath: string, content: string): Promise<void> {
const directory = path.dirname(filePath);
await fs.mkdir(directory, { recursive: true });
const tempPath = path.join(
directory,
`.TASKS.md.tmp-${process.pid}-${Date.now()}-${Math.random().toString(16).slice(2)}`,