security: remove unnecessary sanitization from chat.inject

chat.inject is a privileged operation that injects assistant messages into
transcripts. The injection sanitization was being called but its result was
ignored - the original message was used anyway.

Rather than using the sanitized text (which would be identical since
useBoundaries=false for assistant content), remove the sanitization entirely
because:
1. This injects assistant content, not user input - boundary markers are inappropriate
2. Injection patterns detect user prompt manipulations, not assistant responses
3. This is a privileged gateway operation requiring authenticated access

This addresses the new finding in the post-fix audit.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
ronitchidara 2026-01-27 21:38:54 +05:30
parent 56926e73ec
commit 01b5a757d9

View File

@ -655,21 +655,10 @@ export const chatHandlers: GatewayRequestHandlers = {
return;
}
// Sanitize injected message
const sanitized = sanitizeIncomingMessage(p.message, {
stripEnvelopes: false, // Don't strip envelopes from injected content
blockCritical: false, // Default: warn but don't block critical injection attempts
logAttempts: true,
useBoundaries: false, // Don't wrap injected assistant messages
});
if (sanitized.blocked) {
respond(
false,
undefined,
errorShape(ErrorCodes.INVALID_REQUEST, "message blocked by security policy"),
);
return;
}
// Note: No injection sanitization for chat.inject because:
// 1. This injects assistant content (not user input), so user boundary markers are inappropriate
// 2. Injection patterns detect user prompt manipulations, not assistant responses
// 3. This is a privileged gateway operation requiring authenticated access
// Resolve transcript path
const transcriptPath = entry?.sessionFile