feat: enhance terminal input validation and update keyboard shortcuts

- Added validation for terminal input to ensure it is a string and limited to 1MB to prevent memory issues. - Implemented checks for terminal resize dimensions to ensure they are positive integers within specified bounds. - Updated keyboard shortcuts for terminal actions to use Alt key combinations instead of Ctrl+Shift for better accessibility.
2026-01-31 06:42:03 +00:00 · 2025-12-20 23:26:28 -05:00
parent 8f5e782583
commit 820f43078b
3 changed files with 37 additions and 15 deletions
--- a/apps/server/src/index.ts
+++ b/apps/server/src/index.ts
@@ -297,11 +297,34 @@ terminalWss.on(

        switch (msg.type) {
          case "input":
+            // Validate input data type and length
+            if (typeof msg.data !== "string") {
+              ws.send(JSON.stringify({ type: "error", message: "Invalid input type" }));
+              break;
+            }
+            // Limit input size to 1MB to prevent memory issues
+            if (msg.data.length > 1024 * 1024) {
+              ws.send(JSON.stringify({ type: "error", message: "Input too large" }));
+              break;
+            }
            // Write user input to terminal
            terminalService.write(sessionId, msg.data);
            break;

          case "resize":
+            // Validate resize dimensions are positive integers within reasonable bounds
+            if (
+              typeof msg.cols !== "number" ||
+              typeof msg.rows !== "number" ||
+              !Number.isInteger(msg.cols) ||
+              !Number.isInteger(msg.rows) ||
+              msg.cols < 1 ||
+              msg.cols > 1000 ||
+              msg.rows < 1 ||
+              msg.rows > 500
+            ) {
+              break; // Silently ignore invalid resize requests
+            }
            // Resize terminal with deduplication and rate limiting
            if (msg.cols && msg.rows) {
              const now = Date.now();
--- a/apps/server/src/routes/terminal/common.ts
+++ b/apps/server/src/routes/terminal/common.ts
@@ -2,6 +2,7 @@
 * Common utilities and state for terminal routes
 */

+import { randomBytes } from "crypto";
 import { createLogger } from "../../lib/logger.js";
 import type { Request, Response, NextFunction } from "express";
 import { getTerminalService } from "../../services/terminal-service.js";
@@ -49,12 +50,10 @@ export function getTokenData(
 }

 /**
- * Generate a secure random token
+ * Generate a cryptographically secure random token
 */
 export function generateToken(): string {
-  return `term-${Date.now()}-${Math.random()
-    .toString(36)
-    .slice(2, 17)}${Math.random().toString(36).slice(2, 17)}`;
+  return `term-${randomBytes(32).toString("base64url")}`;
 }

 /**