mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

fix: coord review remediations (path traversal, JSON parse, race condition) (#81)

Browse Source 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
This commit was merged in pull request #81.
This commit is contained in:
Jason Woltje
2026-03-13 03:43:49 +00:00
committed by jason.woltje
parent b03c603759
commit 8da2759fec
5 changed files with 86 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
packages/coord/src/runner.ts
View File

@@ -195,11 +195,12 @@ function resolveLaunchCommand(
return [runtime, '-p', prompt];
}
const hasPromptPlaceholder = configuredCommand.some((value) => value === '{prompt}');
const withInterpolation = configuredCommand.map((value) =>
value === '{prompt}' ? prompt : value,
);
if (withInterpolation.includes(prompt)) {
if (hasPromptPlaceholder) {
return withInterpolation;
}
@@ -224,28 +225,9 @@ async function writeAtomicJson(filePath: string, payload: unknown): Promise<void
async function readSessionLock(mission: Mission): Promise<SessionLockState | undefined> {
const filePath = sessionLockPath(mission);
let raw: string;
try {
const raw = await fs.readFile(filePath, 'utf8');
const data = JSON.parse(raw) as Partial<SessionLockState>;
if (
typeof data.session_id !== 'string' ||
(data.runtime !== 'claude' && data.runtime !== 'codex') ||
typeof data.pid !== 'number' ||
typeof data.started_at !== 'string' ||
typeof data.project_path !== 'string'
) {
return undefined;
}
return {
session_id: data.session_id,
runtime: data.runtime,
pid: data.pid,
started_at: data.started_at,
project_path: data.project_path,
milestone_id: data.milestone_id,
};
raw = await fs.readFile(filePath, 'utf8');
} catch (error) {
if (
typeof error === 'object' &&
@@ -257,6 +239,32 @@ async function readSessionLock(mission: Mission): Promise<SessionLockState | und
}
throw error;
}
let data: Partial<SessionLockState>;
try {
data = JSON.parse(raw) as Partial<SessionLockState>;
} catch {
return undefined;
}
if (
typeof data.session_id !== 'string' ||
(data.runtime !== 'claude' && data.runtime !== 'codex') ||
typeof data.pid !== 'number' ||
typeof data.started_at !== 'string' ||
typeof data.project_path !== 'string'
) {
return undefined;
}
return {
session_id: data.session_id,
runtime: data.runtime,
pid: data.pid,
started_at: data.started_at,
project_path: data.project_path,
milestone_id: data.milestone_id,
};
}
async function writeSessionLock(mission: Mission, lock: SessionLockState): Promise<void> {