fix: chain scope bypass + /health info leak when tunneled

1. Chain command now pre-validates ALL subcommand scopes before executing any. A read+meta token can no longer escalate to admin via chain (eval, js, cookies were dispatched without scope checks). tokenInfo flows through handleMetaCommand into the chain handler. Rejects entire chain if any subcommand fails. 2. /health strips sensitive fields (currentUrl, agent.currentMessage, session) when tunnel is active. Only operational metadata (status, mode, uptime, tabs) exposed to the internet. Previously anyone reaching the ngrok URL could surveil browsing activity. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-17 09:41:28 +08:00 · 2026-04-05 00:49:31 -07:00
parent a5b40045b8
commit 36a20c5d59
3 changed files with 72 additions and 21 deletions
--- a/browse/src/meta-commands.ts
+++ b/browse/src/meta-commands.ts
@@ -7,6 +7,7 @@ import { handleSnapshot } from './snapshot';
 import { getCleanText } from './read-commands';
 import { READ_COMMANDS, WRITE_COMMANDS, META_COMMANDS, PAGE_CONTENT_COMMANDS, wrapUntrustedContent } from './commands';
 import { validateNavigationUrl } from './url-validation';
+import { checkScope, type TokenInfo } from './token-registry';
 import * as Diff from 'diff';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -48,7 +49,8 @@ export async function handleMetaCommand(
  command: string,
  args: string[],
  bm: BrowserManager,
-  shutdown: () => Promise<void> | void
+  shutdown: () => Promise<void> | void,
+  tokenInfo?: TokenInfo | null
 ): Promise<string> {
  switch (command) {
    // ─── Tabs ──────────────────────────────────────────
@@ -232,6 +234,21 @@ export async function handleMetaCommand(
      const { handleReadCommand } = await import('./read-commands');
      const { handleWriteCommand } = await import('./write-commands');

+      // Pre-validate ALL subcommands against the token's scope before executing any.
+      // This prevents partial execution where some subcommands succeed before a
+      // scope violation is hit, leaving the browser in an inconsistent state.
+      if (tokenInfo && tokenInfo.clientId !== 'root') {
+        for (const cmd of commands) {
+          const [name] = cmd;
+          if (!checkScope(tokenInfo, name)) {
+            throw new Error(
+              `Chain rejected: subcommand "${name}" not allowed by your token scope (${tokenInfo.scopes.join(', ')}). ` +
+              `All subcommands must be within scope.`
+            );
+          }
+        }
+      }
+
      let lastWasWrite = false;
      for (const cmd of commands) {
        const [name, ...cmdArgs] = cmd;
@@ -247,7 +264,7 @@ export async function handleMetaCommand(
            }
            lastWasWrite = false;
          } else if (META_COMMANDS.has(name)) {
-            result = await handleMetaCommand(name, cmdArgs, bm, shutdown);
+            result = await handleMetaCommand(name, cmdArgs, bm, shutdown, tokenInfo);
            lastWasWrite = false;
          } else {
            throw new Error(`Unknown command: ${name}`);
--- a/browse/src/server.ts
+++ b/browse/src/server.ts
@@ -947,7 +947,7 @@ async function handleCommand(body: any, tokenInfo?: TokenInfo | null): Promise<R
    } else if (WRITE_COMMANDS.has(command)) {
      result = await handleWriteCommand(command, args, browserManager);
    } else if (META_COMMANDS.has(command)) {
-      result = await handleMetaCommand(command, args, browserManager, shutdown);
+      result = await handleMetaCommand(command, args, browserManager, shutdown, tokenInfo);
      // Start periodic snapshot interval when watch mode begins
      if (command === 'watch' && args[0] !== 'stop' && browserManager.isWatching()) {
        const watchInterval = setInterval(async () => {
@@ -1203,6 +1203,8 @@ async function start() {
      }

      // Health check — no auth required, does NOT reset idle timer
+      // When tunneled, /health is reachable from the internet. Only expose
+      // operational metadata, never browsing activity or user messages.
      if (url.pathname === '/health') {
        const healthy = await browserManager.isHealthy();
        const healthResponse: Record<string, any> = {
@@ -1210,22 +1212,22 @@ async function start() {
          mode: browserManager.getConnectionMode(),
          uptime: Math.floor((Date.now() - startTime) / 1000),
          tabs: browserManager.getTabCount(),
-          currentUrl: browserManager.getCurrentUrl(),
-          // Auth token NOT served here. Extension reads from ~/.gstack/.auth.json
-          // (written by launchHeaded at browser-manager.ts:243). Serving the token
-          // on an unauthenticated endpoint is unsafe because Origin headers are
-          // trivially spoofable, and ngrok exposes /health to the internet.
-          chatEnabled: true,
-          agent: {
+        };
+        // Sensitive fields only served on localhost (not through tunnel).
+        // currentUrl reveals internal URLs, currentMessage reveals user intent.
+        if (!tunnelActive) {
+          healthResponse.currentUrl = browserManager.getCurrentUrl();
+          healthResponse.chatEnabled = true;
+          healthResponse.agent = {
            status: agentStatus,
            runningFor: agentStartTime ? Date.now() - agentStartTime : null,
            currentMessage,
            queueLength: messageQueue.length,
-          },
-          session: sidebarSession ? { id: sidebarSession.id, name: sidebarSession.name } : null,
-        };
-        if (tunnelActive) {
-          healthResponse.tunnel = { url: tunnelUrl, active: true };
+          };
+          healthResponse.session = sidebarSession ? { id: sidebarSession.id, name: sidebarSession.name } : null;
+        } else {
+          healthResponse.tunnel = { active: true };
+          healthResponse.chatEnabled = true;
        }
        return new Response(JSON.stringify(healthResponse), {
          status: 200,