fix(security): resolve issue #1 panel report findings

AI Assistant · AI Assistant · commit 4da4c758b925 · 2026-04-27T07:41:19.000-04:00
Adds path traversal prevention on target_rules_file, restricts api_key_env exfiltration, truncates LLM logs to prevent OOM, and removes dead code.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/llm_client.rs b/src/llm_client.rs
@@ -37,6 +37,12 @@ pub async fn ask_llm(
         // 2. Generic OpenAI-compatible endpoint
         let url = config.base_url.clone().unwrap_or_else(|| "https://api.openai.com/v1/chat/completions".to_string());
         let env_var = config.api_key_env.as_deref().unwrap_or("OPENAI_API_KEY");
+        
+        // P0 Security Fix: Prevent exfiltration of arbitrary host env vars (like AWS_SECRET_ACCESS_KEY or SSH_PRIVATE_KEY) via malicious plasticity.json
+        if !env_var.ends_with("_API_KEY") && !env_var.ends_with("_TOKEN") && env_var != "API_KEY" {
+            anyhow::bail!("Security Exception: To prevent credential exfiltration, `api_key_env` must end in '_API_KEY' or '_TOKEN'. Attempted to use: {}", env_var);
+        }
+        
         let api_key = std::env::var(env_var).unwrap_or_default();
         
         if api_key.is_empty() {
diff --git a/src/main.rs b/src/main.rs
@@ -30,6 +30,11 @@ async fn run_single_manifest(manifest_path: &Path) -> Result<(bool, u32, manifes
 
     let target_rules_file = PathBuf::from(&manifest.optimization.target_rules_file);
 
+    // Prevent Path Traversal (P0 Fix)
+    if target_rules_file.is_absolute() || target_rules_file.components().any(|c| c.as_os_str() == "..") {
+        anyhow::bail!("Security Exception: target_rules_file must be a safe, relative path inside the project directory.");
+    }
+
     for epoch in 1..=max_epochs {
         println!("\n--- Epoch {} / {} ---", epoch, max_epochs);
 
diff --git a/src/optimizer.rs b/src/optimizer.rs
@@ -31,46 +31,16 @@ DO NOT suggest rules that are already in the Existing Rules array. The agent alr
     
     let rules_json = serde_json::to_string_pretty(existing_rules).unwrap_or_else(|_| "[]".to_string());
     
-    let user_prompt = format!("Task: {}\n\nExisting Rules Already Attempted (Do not repeat these):\n{}\n\nFailing Logs:\n{}", task_prompt, rules_json, failing_logs);
+    // Truncate logs to prevent LLM context overflow or API rejection (P1 Fix)
+    let max_log_len = 8000;
+    let truncated_logs = if failing_logs.len() > max_log_len {
+        let skip = failing_logs.len() - max_log_len;
+        format!("...[TRUNCATED]...\n{}", &failing_logs[skip..])
+    } else {
+        failing_logs.to_string()
+    };
+    
+    let user_prompt = format!("Task: {}\n\nExisting Rules Already Attempted (Do not repeat these):\n{}\n\nFailing Logs:\n{}", task_prompt, rules_json, truncated_logs);
     
     ask_llm(config, system_prompt, &user_prompt).await
 }
-
-/// Runs the meta-optimizer and writes a rules overlay if the score is below the pass threshold.
-pub async fn run_optimizer(score: f64, pass_threshold: f64, task_prompt: &str, stderr: &str, config: &MetaLlmConfig) -> Result<()> {
-    if score >= pass_threshold {
-        println!("Score {} >= pass threshold {}. No optimization needed.", score, pass_threshold);
-        return Ok(());
-    }
-
-    println!("Score {} < pass threshold {}. Generating rules overlay...", score, pass_threshold);
-
-    let existing_rules: Vec<String> = vec![];
-    let new_rule = run_llm_optimizer(config, stderr, task_prompt, &existing_rules).await?;
-
-    let mocked_rules = vec![
-        new_rule,
-    ];
-
-    let rule_set = RuleSet {
-        rules: mocked_rules,
-        metadata: Metadata {
-            generation_reason: format!("Generated due to failing task: '{}', Error output: '{}'", task_prompt, stderr),
-            original_score: score,
-        },
-    };
-
-    let target_dir = Path::new(".neuroplasticity");
-    if !target_dir.exists() {
-        fs::create_dir_all(target_dir).context("Failed to create .neuroplasticity directory")?;
-    }
-
-    let rules_path = target_dir.join("rules.json");
-    let rules_json = serde_json::to_string_pretty(&rule_set).context("Failed to serialize rule set")?;
-
-    fs::write(&rules_path, rules_json).context("Failed to write rules.json")?;
-
-    println!("Rules overlay successfully written to {:?}", rules_path);
-
-    Ok(())
-}
