fix: harden terminal action endpoints

2026-05-17 14:14:45 +02:00
parent 8605d0baab
commit d7df2e4aee
6 changed files with 190 additions and 31 deletions
--- a/server.mjs
+++ b/server.mjs
@@ -39,6 +39,7 @@ let sweepStartedAt = null; // Timestamp when current/last sweep started
 let sweepInProgress = false;
 const startTime = Date.now();
 const sseClients = new Set();
+const terminalActionBuckets = new Map();

 // === Delta/Memory ===
 const memory = new MemoryManager(RUNS_DIR);
@@ -289,28 +290,35 @@ app.get('/api/metrics', (req, res) => {
 });

 app.post('/api/sweep', express.json(), (req, res) => {
-  if (!canRunTerminalAction(req)) return res.status(403).json({ error: 'Terminal actions disabled or unauthorized' });
-  triggerSweep(res);
+  const guard = authorizeTerminalAction(req, res, 'sweep');
+  if (!guard.ok) return;
+  triggerSweepAction(req, res, 'sweep');
 });

-app.post('/api/action', express.json(), async (req, res) => {
-  if (!canRunTerminalAction(req)) return res.status(403).json({ error: 'Terminal actions disabled or unauthorized' });
-  const action = String(req.body?.action || req.query.action || '').toLowerCase();
+app.post('/api/action', express.json(), (req, res) => {
+  const action = String(req.body?.action || req.body?.command || '').trim().toLowerCase();
+  const guard = authorizeTerminalAction(req, res, action || 'unknown');
+  if (!guard.ok) return;

  if (action === 'status') {
-    return res.json({ ok: true, action, health: buildHealth() });
+    auditTerminalAction(req, 'status', 'ok');
+    return res.json({ ok: true, action, status: 'ok', health: buildHealth() });
  }

  if (action === 'brief') {
-    if (!currentData) return res.status(503).json({ ok: false, action, error: 'No data yet — first sweep in progress' });
-    return res.json({ ok: true, action, text: buildBrief(currentData) });
+    if (!currentData) {
+      auditTerminalAction(req, 'brief', 'rejected', 'no_data');
+      return res.status(503).json({ ok: false, action, error: 'No data yet - first sweep in progress' });
+    }
+    auditTerminalAction(req, 'brief', 'ok');
+    const brief = buildBrief(currentData);
+    return res.json({ ok: true, action, status: 'ok', brief, text: brief });
  }

-  if (action === 'sweep') {
-    return triggerSweep(res);
-  }
+  if (action === 'sweep') return triggerSweepAction(req, res, 'action:sweep');

-  res.status(400).json({ ok: false, error: 'Unknown action', actions: ['status', 'brief', 'sweep'] });
+  auditTerminalAction(req, action || 'unknown', 'rejected', 'unknown_action');
+  return res.status(400).json({ ok: false, error: 'Unknown action', allowed: ['status', 'brief', 'sweep'], actions: ['status', 'brief', 'sweep'] });
 });

 // API: available locales
@@ -341,26 +349,114 @@ function broadcast(data) {
  }
 }

+function requestIp(req) {
+  return req.ip || req.socket?.remoteAddress || 'unknown';
+}
+
+function isLocalRequest(req) {
+  const remote = requestIp(req);
+  return remote === '::1'
+    || remote === '127.0.0.1'
+    || remote === '::ffff:127.0.0.1'
+    || remote.startsWith('127.')
+    || remote === 'localhost';
+}
+
+function sameOriginPost(req) {
+  const origin = req.get('origin');
+  if (!origin) return true;
+  try {
+    const originUrl = new URL(origin);
+    const host = req.get('host');
+    return host && originUrl.host === host;
+  } catch {
+    return false;
+  }
+}
+
+function actionToken(req) {
+  return req.get('x-crucix-token') || req.body?.token || null;
+}
+
+function auditTerminalAction(req, action, outcome, detail = null) {
+  const suffix = detail ? ` detail=${detail}` : '';
+  console.log(`[Crucix][audit] terminal_action action=${action || 'unknown'} outcome=${outcome} ip=${requestIp(req)}${suffix}`);
+}
+
+function rateLimitTerminalAction(req, action) {
+  const now = Date.now();
+  const windowMs = Math.max(1000, config.terminalActionRateLimitWindowMs || 60_000);
+  const max = Math.max(1, config.terminalActionRateLimitMax || 10);
+  const key = `${requestIp(req)}:${action}`;
+  const bucket = terminalActionBuckets.get(key);
+  if (!bucket || now > bucket.resetAt) {
+    terminalActionBuckets.set(key, { count: 1, resetAt: now + windowMs });
+    return { ok: true };
+  }
+  bucket.count += 1;
+  if (bucket.count > max) {
+    return { ok: false, retryAfterSeconds: Math.ceil((bucket.resetAt - now) / 1000) };
+  }
+  return { ok: true };
+}
+
+function authorizeTerminalAction(req, res, action) {
+  const rate = rateLimitTerminalAction(req, action);
+  if (!rate.ok) {
+    auditTerminalAction(req, action, 'rejected', 'rate_limited');
+    res.set('Retry-After', String(rate.retryAfterSeconds));
+    res.status(429).json({ error: 'Too many terminal actions', retryAfterSeconds: rate.retryAfterSeconds });
+    return { ok: false };
+  }
+
+  if (!sameOriginPost(req)) {
+    auditTerminalAction(req, action, 'rejected', 'csrf_origin');
+    res.status(403).json({ error: 'Origin mismatch' });
+    return { ok: false };
+  }
+
+  const local = isLocalRequest(req);
+  const token = actionToken(req);
+  if (!config.terminalActionsEnabled) {
+    auditTerminalAction(req, action, 'rejected', 'disabled');
+    res.status(403).json({ error: 'Terminal actions are disabled' });
+    return { ok: false };
+  }
+
+  if (config.sweepToken) {
+    if (token !== config.sweepToken) {
+      auditTerminalAction(req, action, 'rejected', 'invalid_token');
+      res.status(401).json({ error: 'Invalid terminal action token' });
+      return { ok: false };
+    }
+    return { ok: true };
+  }
+
+  if (!local) {
+    auditTerminalAction(req, action, 'rejected', 'missing_token');
+    res.status(403).json({ error: 'Terminal actions are local-only unless SWEEP_TOKEN is set' });
+    return { ok: false };
+  }
+
+  return { ok: true };
+}
+
+function triggerSweepAction(req, res, auditAction) {
+  if (sweepInProgress) {
+    auditTerminalAction(req, auditAction, 'rejected', 'already_running');
+    return res.status(409).json({ ok: true, status: 'already_running', sweepStartedAt });
+  }
+  auditTerminalAction(req, auditAction, 'accepted');
+  runSweepCycle().catch(err => console.error('[Crucix] API-triggered sweep failed:', err.message));
+  return res.status(202).json({ ok: true, status: 'accepted' });
+}
+
 function dataAgeMs() {
  const ts = currentData?.meta?.timestamp || lastSuccessfulSweepTime || lastSweepTime;
  const ms = ts ? Date.now() - new Date(ts).getTime() : null;
  return Number.isFinite(ms) ? ms : null;
 }

-function canRunTerminalAction(req) {
-  const remote = req.ip || '';
-  const local = remote.includes('127.0.0.1') || remote === '::1' || remote === '::ffff:127.0.0.1';
-  const token = req.get('x-crucix-token') || req.query.token || req.body?.token;
-  if (config.sweepToken) return token === config.sweepToken;
-  return Boolean(config.terminalActionsEnabled || local);
-}
-
-function triggerSweep(res) {
-  if (sweepInProgress) return res.status(409).json({ ok: true, status: 'already_running', sweepStartedAt });
-  runSweepCycle().catch(err => console.error('[Crucix] API-triggered sweep failed:', err.message));
-  return res.status(202).json({ ok: true, status: 'accepted' });
-}
-
 function getLLMStatus() {
  if (!config.llm.provider) return { state: 'disabled' };
  if (!llmProvider) return { state: 'misconfigured', provider: config.llm.provider };
@@ -404,7 +500,8 @@ function buildHealth() {
    llm: getLLMStatus(),
    telegramEnabled: !!(config.telegram.botToken && config.telegram.chatId),
    discordEnabled: !!(config.discord?.botToken || config.discord?.webhookUrl),
-    terminalActionsEnabled: Boolean(config.terminalActionsEnabled || config.sweepToken),
+    terminalActionsEnabled: config.terminalActionsEnabled,
+    terminalActionsTokenRequired: !!config.sweepToken,
    refreshIntervalMinutes: config.refreshIntervalMinutes,
    language: currentLanguage,
    memory: intelligenceStore.status(),