security: remove unnecessary sanitization from chat.inject
chat.inject is a privileged operation that injects assistant messages into transcripts. The injection sanitization was being called but its result was ignored - the original message was used anyway. Rather than using the sanitized text (which would be identical since useBoundaries=false for assistant content), remove the sanitization entirely because: 1. This injects assistant content, not user input - boundary markers are inappropriate 2. Injection patterns detect user prompt manipulations, not assistant responses 3. This is a privileged gateway operation requiring authenticated access This addresses the new finding in the post-fix audit. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
56926e73ec
commit
01b5a757d9
@ -655,21 +655,10 @@ export const chatHandlers: GatewayRequestHandlers = {
|
||||
return;
|
||||
}
|
||||
|
||||
// Sanitize injected message
|
||||
const sanitized = sanitizeIncomingMessage(p.message, {
|
||||
stripEnvelopes: false, // Don't strip envelopes from injected content
|
||||
blockCritical: false, // Default: warn but don't block critical injection attempts
|
||||
logAttempts: true,
|
||||
useBoundaries: false, // Don't wrap injected assistant messages
|
||||
});
|
||||
if (sanitized.blocked) {
|
||||
respond(
|
||||
false,
|
||||
undefined,
|
||||
errorShape(ErrorCodes.INVALID_REQUEST, "message blocked by security policy"),
|
||||
);
|
||||
return;
|
||||
}
|
||||
// Note: No injection sanitization for chat.inject because:
|
||||
// 1. This injects assistant content (not user input), so user boundary markers are inappropriate
|
||||
// 2. Injection patterns detect user prompt manipulations, not assistant responses
|
||||
// 3. This is a privileged gateway operation requiring authenticated access
|
||||
|
||||
// Resolve transcript path
|
||||
const transcriptPath = entry?.sessionFile
|
||||
|
||||
Loading…
Reference in New Issue
Block a user