fix(security): tighten fs path extraction and honor forwarder test timeout

bb-connor · bb-connor · commit b8b31017ff7c · 2026-02-10T14:58:02.000-05:00
diff --git a/crates/libs/clawdstrike/src/irm/fs.rs b/crates/libs/clawdstrike/src/irm/fs.rs
@@ -135,19 +135,24 @@ impl FilesystemIrm {
 
     /// Extract path from host call arguments
     fn extract_path(&self, call: &HostCall) -> Option<String> {
+        // Prefer explicit object path fields over free-form string args.
         for arg in &call.args {
-            if let Some(s) = arg.as_str() {
-                if self.looks_like_path(s) {
-                    return Some(s.to_string());
+            if let Some(obj) = arg.as_object() {
+                for key in ["path", "file_path", "target_path"] {
+                    if let Some(path) = obj.get(key).and_then(|value| value.as_str()) {
+                        let trimmed = path.trim();
+                        if !trimmed.is_empty() {
+                            return Some(trimmed.to_string());
+                        }
+                    }
                 }
             }
         }
 
-        // Check for named path argument
-        if let Some(first) = call.args.first() {
-            if let Some(obj) = first.as_object() {
-                if let Some(path) = obj.get("path") {
-                    return path.as_str().map(|s| s.to_string());
+        for arg in &call.args {
+            if let Some(s) = arg.as_str() {
+                if self.looks_like_path(s) {
+                    return Some(s.to_string());
                 }
             }
         }
@@ -172,7 +177,36 @@ impl FilesystemIrm {
             return true;
         }
 
-        value.contains('/') && !value.contains("://")
+        value.contains('/') && !value.contains("://") && !self.looks_like_mime_type(value)
+    }
+
+    fn looks_like_mime_type(&self, value: &str) -> bool {
+        let mut parts = value.split('/');
+        let Some(kind) = parts.next() else {
+            return false;
+        };
+        let Some(subtype) = parts.next() else {
+            return false;
+        };
+        if parts.next().is_some() {
+            return false;
+        }
+        if kind.is_empty() || subtype.is_empty() {
+            return false;
+        }
+
+        matches!(
+            kind.to_ascii_lowercase().as_str(),
+            "application"
+                | "audio"
+                | "font"
+                | "image"
+                | "message"
+                | "model"
+                | "multipart"
+                | "text"
+                | "video"
+        )
     }
 
     fn has_parent_traversal(&self, path: &str) -> bool {
@@ -341,6 +375,21 @@ mod tests {
             Some("../../etc/passwd".to_string())
         );
 
+        let call = HostCall::new(
+            "fd_read",
+            vec![
+                serde_json::json!("text/plain"),
+                serde_json::json!({"path": "../../etc/passwd"}),
+            ],
+        );
+        assert_eq!(
+            irm.extract_path(&call),
+            Some("../../etc/passwd".to_string())
+        );
+
+        assert!(!irm.looks_like_path("text/plain"));
+        assert!(irm.looks_like_path("src/main.rs"));
+
         let call = HostCall::new("fd_read", vec![serde_json::json!(123)]);
         assert_eq!(irm.extract_path(&call), None);
     }
@@ -366,6 +415,19 @@ mod tests {
             !decision.is_allowed(),
             "object traversal path should be denied"
         );
+
+        let call = HostCall::new(
+            "fd_read",
+            vec![
+                serde_json::json!("text/plain"),
+                serde_json::json!({"path": "../../etc/passwd"}),
+            ],
+        );
+        let decision = irm.evaluate(&call, &policy).await;
+        assert!(
+            !decision.is_allowed(),
+            "object traversal path must not be bypassed by slash-containing non-path tokens"
+        );
     }
 
     #[test]
diff --git a/crates/services/hush-cli/src/hush_run.rs b/crates/services/hush-cli/src/hush_run.rs
@@ -129,8 +129,7 @@ impl HushdForwarder {
         let mut req = self
             .client
             .post(format!("{}/api/v1/eval", self.base_url))
-            .json(event)
-            .timeout(HUSHD_FORWARD_TIMEOUT);
+            .json(event);
 
         if let Some(token) = self.token.as_ref() {
             req = req.bearer_auth(token);
@@ -1468,4 +1467,41 @@ name: "slowloris-cap"
         let _ = tokio::time::timeout(Duration::from_secs(2), writer).await;
         stalled_handle.abort();
     }
+
+    #[tokio::test]
+    async fn forwarder_test_timeout_is_respected() {
+        let stalled_listener = TcpListener::bind(("127.0.0.1", 0))
+            .await
+            .expect("bind stalled target");
+        let stalled_addr = stalled_listener.local_addr().expect("stalled addr");
+        let stalled_handle = tokio::spawn(async move {
+            while let Ok((mut stream, _)) = stalled_listener.accept().await {
+                tokio::spawn(async move {
+                    let mut buf = [0u8; 1024];
+                    let _ =
+                        tokio::time::timeout(Duration::from_secs(1), stream.read(&mut buf)).await;
+                    tokio::time::sleep(Duration::from_secs(5)).await;
+                });
+            }
+        });
+
+        let forwarder = HushdForwarder::new_with_timeout(
+            format!("http://{}", stalled_addr),
+            None,
+            Duration::from_millis(50),
+        );
+        let event = test_custom_event(0);
+
+        let started = tokio::time::Instant::now();
+        tokio::time::timeout(Duration::from_millis(300), forwarder.forward_event(&event))
+            .await
+            .expect("forward_event should honor test timeout");
+        let elapsed = started.elapsed();
+        assert!(
+            elapsed < Duration::from_millis(300),
+            "forward_event exceeded expected test timeout; elapsed: {elapsed:?}"
+        );
+
+        stalled_handle.abort();
+    }
 }
