fix(security): block dangerous tools from HTTP gateway and fix ACP auto-approval (OC-02)

Two critical RCE vectors patched: Vector 1 - Gateway HTTP /tools/invoke: - Add DEFAULT_GATEWAY_HTTP_TOOL_DENY blocking sessions_spawn, sessions_send, gateway, whatsapp_login from HTTP invocation - Apply deny filter after existing policy cascade, before tool lookup - Add gateway.tools.{allow,deny} config override in GatewayConfig Vector 2 - ACP client auto-approval: - Replace blind allow_once selection with danger-aware permission handler - Dangerous tools (exec, sessions_spawn, etc.) require interactive confirmation - Safe tools retain auto-approve behavior (backward compatible) - Empty options array now denied (was hardcoded "allow") - 30s timeout auto-denies to prevent hung sessions CWE-78 | CVSS:3.1 9.8 Critical
2026-05-06 01:40:21 +00:00 · 2026-02-13 22:28:43 +11:00
parent 8899f9e94a
commit 749e28dec7
5 changed files with 237 additions and 10 deletions
--- a/src/gateway/tools-invoke-http.test.ts
+++ b/src/gateway/tools-invoke-http.test.ts
@@ -225,6 +225,72 @@ describe("POST /tools/invoke", () => {
    expect(profileRes.status).toBe(404);
  });

+  it("denies sessions_spawn via HTTP even when agent policy allows", async () => {
+    testState.agentsConfig = {
+      list: [
+        {
+          id: "main",
+          tools: { allow: ["sessions_spawn"] },
+        },
+      ],
+    } as any;
+
+    const port = await getFreePort();
+    const server = await startGatewayServer(port, { bind: "loopback" });
+    const token = resolveGatewayToken();
+
+    const res = await fetch(`http://127.0.0.1:${port}/tools/invoke`, {
+      method: "POST",
+      headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
+      body: JSON.stringify({ tool: "sessions_spawn", args: { task: "test" }, sessionKey: "main" }),
+    });
+
+    expect(res.status).toBe(404);
+    const body = await res.json();
+    expect(body.ok).toBe(false);
+    expect(body.error.type).toBe("not_found");
+
+    await server.close();
+  });
+
+  it("denies sessions_send via HTTP gateway", async () => {
+    testState.agentsConfig = {
+      list: [{ id: "main", tools: { allow: ["sessions_send"] } }],
+    } as any;
+
+    const port = await getFreePort();
+    const server = await startGatewayServer(port, { bind: "loopback" });
+    const token = resolveGatewayToken();
+
+    const res = await fetch(`http://127.0.0.1:${port}/tools/invoke`, {
+      method: "POST",
+      headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
+      body: JSON.stringify({ tool: "sessions_send", args: {}, sessionKey: "main" }),
+    });
+
+    expect(res.status).toBe(404);
+    await server.close();
+  });
+
+  it("denies gateway tool via HTTP", async () => {
+    testState.agentsConfig = {
+      list: [{ id: "main", tools: { allow: ["gateway"] } }],
+    } as any;
+
+    const port = await getFreePort();
+    const server = await startGatewayServer(port, { bind: "loopback" });
+    const token = resolveGatewayToken();
+
+    const res = await fetch(`http://127.0.0.1:${port}/tools/invoke`, {
+      method: "POST",
+      headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
+      body: JSON.stringify({ tool: "gateway", args: {}, sessionKey: "main" }),
+    });
+
+    expect(res.status).toBe(404);
+    await server.close();
+  });
+
  it("uses the configured main session key when sessionKey is missing or main", async () => {
    testState.agentsConfig = {
      list: [