Security hardening: URL/image allowlists, genos:// caps, credential redaction#7
Open
Vext-Labs wants to merge 3 commits into
Open
Security hardening: URL/image allowlists, genos:// caps, credential redaction#7Vext-Labs wants to merge 3 commits into
Vext-Labs wants to merge 3 commits into
Conversation
New src/genos/safety modules enforcing at runtime what the system prompt can only request: - urlPolicy: only http(s) links reach Linking; every other scheme blocked - genosLink: genos://open targets validated (catalog ids or safe slug shape), requests capped at 300 chars, toast text at 120 - redaction: credential-shaped form values replaced with [redacted] - tools/images: model-supplied image URLs resolve only on allowlisted https hosts, else fall back to the LoremFlickr semantic path
- GenOS.handleAction routes external URLs through openExternalUrl with a blocked-link toast, and genos:// links through parseOpenLink/capToastText - store.resolveAction redacts credential-shaped form values before they are sent to the provider or replayed as context; openDeepLink re-caps the injected request (defense in depth) - KeyGate masks the API-key entry field (secureTextEntry) - media.tsx documents that raw URLs pass the image-host policy first
12 tests covering the scheme allowlist (javascript:/intent:/sms:/etc blocked), deep-link caps and app-id validation, password redaction into the provider request, and the image-host policy with its LoremFlickr fallback. SECURITY.md adds a reporting policy plus honest hardening notes and limits.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
A small, additive security-hardening pass over the model-output trust boundary, from a short audit of how LLM-generated content flows into device capabilities. Each fix is independent and test-backed; the audit's verified-clean areas (no committed secrets, no
console.*, keys only sent asAuthorizationheaders, the DSL evaluator being an AST walker with noeval) are noted inSECURITY.md.Findings addressed (severity-ranked in our audit; file refs against current
main):GenOS.tsxhandleAction) — any model-emitted URL was passed toLinking.openURLunfiltered, includingjavascript:,intent:,tel:/sms:with prefilled bodies, and arbitrary app schemes. Newsrc/genos/safety/urlPolicy.tsopens onlyhttp(s):and shows a "That link type isn't supported" toast otherwise.tools/images.ts) — model-supplied image URLs were fetched directly, which lets generated content make the device GET arbitrary URLs (a potential conversation-context exfil channel). Hosts are now allowlisted (images.unsplash.com,loremflickr.com,upload.wikimedia.org); anything else falls back to the existing LoremFlickr semantic path.genos://hardening (safety/genosLink.ts) —genos://openaccepted arbitrary app ids and unboundedrequesttext that is injected as a user message; ids are now allowlisted (known apps or^[a-z0-9-]{1,32}$) and requests capped at 300 chars.genos://toasttext is capped at 120 chars.store.ts) — values of password-shaped form fields were replayed into model context viaformState; they are now redacted before replay. (Heuristic keys off field names — noted in code; a contract-level field-type fix felt like your call to make.)secureTextEntryon the KeyGate API-key input.Also adds
SECURITY.mdwith a vulnerability-reporting path and honest hardening notes (this is a pass, not a claim of completeness).What this deliberately does NOT change
src/genos/telemetry.ts— the hardcoded PostHog project key means forks' users report into your analytics by default. That's a policy decision for you, so we left it untouched and documented it inSECURITY.mdinstead of unilaterally changing it.Test plan
npm run typecheck✓npm test— 34 passed (22 existing + 12 new in__tests__/security.test.ts) ✓Contributed by Vext Labs.