forked from wrenn/wrenn
fix: security and stability fixes from code review
- Scope WebSocket auth bypass to only WS endpoints by restructuring routes into separate chi Groups. Non-WS routes no longer passthrough unauthenticated requests with spoofed Upgrade headers. Added optionalAPIKeyOrJWT middleware for WS routes (injects auth context from API key/JWT if present, passes through otherwise) and markAdminWS middleware for admin WS routes. - Fix nil pointer dereference in envd Handler.Wait() — p.tty.Close() was called unconditionally but p.tty is nil for non-PTY processes, crashing every non-PTY process exit. - Fix goroutine leak in sandbox Pause — stopSampler was never called, leaking one sampler goroutine per successful pause operation. - Decouple PTY WebSocket reads from RPC dispatch using a buffered channel to prevent backpressure-induced connection drops under fast typing. Includes input coalescing to reduce RPC call volume.
This commit is contained in:
@ -446,7 +446,9 @@ func (p *Handler) Wait() {
|
||||
|
||||
err := p.cmd.Wait()
|
||||
|
||||
p.tty.Close()
|
||||
if p.tty != nil {
|
||||
p.tty.Close()
|
||||
}
|
||||
|
||||
var errMsg *string
|
||||
|
||||
|
||||
Reference in New Issue
Block a user