feat: enhance terminal input validation and update keyboard shortcuts

- Added validation for terminal input to ensure it is a string and limited to 1MB to prevent memory issues. - Implemented checks for terminal resize dimensions to ensure they are positive integers within specified bounds. - Updated keyboard shortcuts for terminal actions to use Alt key combinations instead of Ctrl+Shift for better accessibility.
2026-02-01 08:13:37 +00:00 · 2025-12-20 23:26:28 -05:00
parent 8f5e782583
commit 820f43078b
3 changed files with 37 additions and 15 deletions
--- a/apps/server/src/index.ts
+++ b/apps/server/src/index.ts
@@ -297,11 +297,34 @@ terminalWss.on(

        switch (msg.type) {
          case "input":
+            // Validate input data type and length
+            if (typeof msg.data !== "string") {
+              ws.send(JSON.stringify({ type: "error", message: "Invalid input type" }));
+              break;
+            }
+            // Limit input size to 1MB to prevent memory issues
+            if (msg.data.length > 1024 * 1024) {
+              ws.send(JSON.stringify({ type: "error", message: "Input too large" }));
+              break;
+            }
            // Write user input to terminal
            terminalService.write(sessionId, msg.data);
            break;

          case "resize":
+            // Validate resize dimensions are positive integers within reasonable bounds
+            if (
+              typeof msg.cols !== "number" ||
+              typeof msg.rows !== "number" ||
+              !Number.isInteger(msg.cols) ||
+              !Number.isInteger(msg.rows) ||
+              msg.cols < 1 ||
+              msg.cols > 1000 ||
+              msg.rows < 1 ||
+              msg.rows > 500
+            ) {
+              break; // Silently ignore invalid resize requests
+            }
            // Resize terminal with deduplication and rate limiting
            if (msg.cols && msg.rows) {
              const now = Date.now();