fix(security): land the 2026-07 audit fixes — SSRF guards, roster lane, SYSTEM path hygiene
The low/medium findings from the July host+Windows security review, as implemented in the audit session's working tree: - Webhooks and library-art fetches refuse loopback/link-local/metadata targets and no longer follow redirects (SSRF pivots from the privileged host process). - The paired-client rosters (/clients, /native/clients) move off the streaming-client auth lane — one paired device could enumerate every other device's name + fingerprint; only the bearer/loopback console keeps them. - Device-name sanitizing extends to bidi/format control characters (spoofable rendering) via the shared native_pairing::is_spoofy_char; stream-marker quoting uses the same set. - The SYSTEM service resolves powershell by its full System32 path — CreateProcess checks the launching EXE's own directory first, so a planted powershell.exe beside the host binary would have run as SYSTEM. - The pf-vdisplay driver's opt-in file log moves from world-writable C:\Users\Public to WUDFHost's own temp dir. - GameStream pairing sessions are single-use (removed whatever the outcome). - Uninstall also removes the pf_mouse driver-store entry (rider from the virtual-HID-mouse work). - openapi.json regenerated (hardened-config-dir doc wording). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -226,7 +226,7 @@ fn uninstall_gamepad() -> Result<()> {
|
||||
// Devnodes first (incl. phantoms — the same ghost-device complaint the vdisplay uninstall
|
||||
// fixed), then the store packages.
|
||||
remove_pad_devnodes();
|
||||
delete_store_drivers(&["pf_dualsense", "pf_dualshock4", "pf_xusb"]);
|
||||
delete_store_drivers(&["pf_dualsense", "pf_dualshock4", "pf_xusb", "pf_mouse"]);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
|
||||
@@ -979,7 +979,14 @@ fn set_fw_public_marker(allow_public: bool) {
|
||||
/// `Get-NetConnectionProfile` (per-interface category: Public / Private / DomainAuthenticated).
|
||||
/// `None` when it can't be determined — the caller then skips the warning.
|
||||
fn active_network_is_public() -> Option<bool> {
|
||||
let out = std::process::Command::new("powershell")
|
||||
// Resolve powershell by full System32 path — this runs in the SYSTEM service, which must not trust
|
||||
// PATH / the CreateProcess search (it checks the launching EXE's OWN directory first, so a planted
|
||||
// `powershell.exe` next to the host binary would run as SYSTEM). Matches the pf_vdisplay resolver
|
||||
// and the "a privileged service must not trust PATH" rule (security-review 2026-07-17).
|
||||
let ps = std::env::var("SystemRoot")
|
||||
.map(|r| format!(r"{r}\System32\WindowsPowerShell\v1.0\powershell.exe"))
|
||||
.unwrap_or_else(|_| "powershell.exe".to_string());
|
||||
let out = std::process::Command::new(&ps)
|
||||
.args([
|
||||
"-NoProfile",
|
||||
"-NonInteractive",
|
||||
|
||||
Reference in New Issue
Block a user