Skip to content

Act on review findings from SECURITYREVIEW-2026-06-25-1 #45

Description

@mnsmarko

A new security review has been opened on branch SECURITYREVIEW-2026-06-25-1.

  • Report: docs/reviews/2026-06/SECURITYREVIEW-2026-06-25-1.md
  • TODO: docs/reviews/2026-06/TODO-SECURITYREVIEW-2026-06-25-1.md

Please review the findings and either fix, defer (ONHOLD), or reject (WONTFIX) each one. Record ONHOLD/WONTFIX in the report file itself so future reviews honor them — a GitHub comment alone is not enough. Only WONTFIX/ONHOLD findings are suppressed later; anything you leave unmarked will be re-reported by the next review if it's still present in the code.


Please leave this issue open until you're done

While this issue or its review PR stays open, the scheduler will not open another security review of this repo — so you won't get a second review stacked on top of one you're still working through. To free the repo for its next review you must resolve both:

  • Close this issue, and
  • Merge or close the review PRmerge it (recommended) to land the report with your WONTFIX/ONHOLD markers on the default branch, the record future runs read to avoid repeating deferred/rejected findings; or close it without merging to abandon this cycle and get a fresh review of newer code (nothing is recorded, so still-present findings come back).
Handover prompt for an AI coding agent (click to expand — paste into Claude Code / Codex in a clone of this repo, with gh authenticated)

You are picking up a completed dual-agent review. There is this open review PR (it contains only the dated report + TODO — no source changes) and a companion issue. Act on the findings, record my defer/reject decisions in the report, then merge the PR and close the issue.

  • Report: docs/reviews/2026-06/SECURITYREVIEW-2026-06-25-1.md
  • TODO: docs/reviews/2026-06/TODO-SECURITYREVIEW-2026-06-25-1.md
  • Review branch: SECURITYREVIEW-2026-06-25-1 · PR base: the default branch

0. Orient. Read the report + TODO on the review branch. Each finding has an ID like 2026-06-03-1-7 and a severity. Check out the base branch and pull latest — the review was a snapshot and code may have moved since.

1. Re-anchor every finding against the CURRENT code (commits may have landed after the review). Report line numbers can be stale — locate each finding now by symbol/content, not by line number. Then: already fixed by a later commit → don't re-fix, leave it unmarked (it just won't be re-reported); no longer applicable → mark WONTFIX with a reason; still live → fix it. Never trust the report's line numbers blindly.

2. Fix the still-live findings via this repo's normal workflow (a fix branch off latest base, or direct commits per convention). Keep code fixes OUT of the review PR branch — it's report-only so it always merges cleanly. Reference the finding ID in commit messages.

3. Record defer/reject decisions IN THE REPORT FILE on the review branch (a GitHub comment is not enough — only the report is read by future runs): WONTFIX to reject, ONHOLD to defer, each with a brief reason. Anything left unmarked and still present will be re-reported next time. Commit + push these edits to the PR branch.

4. Close out with gh — the next review of this type is blocked while either the PR or issue is open, so resolve both:

  • gh pr merge <pr> --squash --delete-branch (recommended — lands the report + your markers; it's report-only so it merges into the advanced base. If GitHub says the branch is behind, gh pr update-branch <pr> first.)
  • gh issue close <issue> --comment "Fixed: <ids>. Deferred: <ids>. Rejected: <ids>. Already resolved by later commits: <ids>."

Abandoning instead? gh pr close <pr> (no merge) + close the issue — nothing is recorded, markers are lost, still-present findings come back. Only do this deliberately.

Report back: what you fixed, what you marked WONTFIX/ONHOLD (with reasons), what was already resolved by later commits, and the final PR/issue state.


Findings summary

11 issues found.

Severity Count
🟡 Medium 3
🟢 Low 8

🟡 Medium

  • 2026-06-25-1-1: Predictable /tmp/.atch-<uid> fallback with symlink-following log/socket creation and unchecked mkdir
  • 2026-06-25-1-2: One non-reading client freezes the whole session and stalls the child (head-of-line blocking DoS)
  • 2026-06-25-1-11: Unbounded client connections can drive FD_SET past FD_SETSIZE and crash/corrupt the master

🟢 Low

  • 2026-06-25-1-3: Control socket has no message origin check — any same-uid process can inject input and signals into a session
  • 2026-06-25-1-6: Session log fd leaked to the executed program (missing FD_CLOEXEC)
  • 2026-06-25-1-10: Verbatim replay of on-disk logs is a terminal-escape-injection vector (cold attach / tail)
  • 2026-06-25-1-7: parse_size integer overflow and unchecked malloc/path-truncation around session paths
  • 2026-06-25-1-8: Scrollback ring can be overwritten mid-replay, delivering corrupted/out-of-order history
  • 2026-06-25-1-4: Protocol read assumes one packet per read(); a short read disconnects a valid client
  • 2026-06-25-1-5: Signal handlers call async-signal-unsafe printf/exit/system
  • 2026-06-25-1-9: No security/concurrency tests, no CI or SAST in-repo; security-relevant paths are untested

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions