From 01b5a757d9aa6d63f0d48921028b6a8cbf94adfc Mon Sep 17 00:00:00 2001 From: ronitchidara Date: Tue, 27 Jan 2026 21:38:54 +0530 Subject: [PATCH] security: remove unnecessary sanitization from chat.inject chat.inject is a privileged operation that injects assistant messages into transcripts. The injection sanitization was being called but its result was ignored - the original message was used anyway. Rather than using the sanitized text (which would be identical since useBoundaries=false for assistant content), remove the sanitization entirely because: 1. This injects assistant content, not user input - boundary markers are inappropriate 2. Injection patterns detect user prompt manipulations, not assistant responses 3. This is a privileged gateway operation requiring authenticated access This addresses the new finding in the post-fix audit. Co-Authored-By: Claude Opus 4.5 --- src/gateway/server-methods/chat.ts | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/src/gateway/server-methods/chat.ts b/src/gateway/server-methods/chat.ts index ce27f372f..cca5c7e53 100644 --- a/src/gateway/server-methods/chat.ts +++ b/src/gateway/server-methods/chat.ts @@ -655,21 +655,10 @@ export const chatHandlers: GatewayRequestHandlers = { return; } - // Sanitize injected message - const sanitized = sanitizeIncomingMessage(p.message, { - stripEnvelopes: false, // Don't strip envelopes from injected content - blockCritical: false, // Default: warn but don't block critical injection attempts - logAttempts: true, - useBoundaries: false, // Don't wrap injected assistant messages - }); - if (sanitized.blocked) { - respond( - false, - undefined, - errorShape(ErrorCodes.INVALID_REQUEST, "message blocked by security policy"), - ); - return; - } + // Note: No injection sanitization for chat.inject because: + // 1. This injects assistant content (not user input), so user boundary markers are inappropriate + // 2. Injection patterns detect user prompt manipulations, not assistant responses + // 3. This is a privileged gateway operation requiring authenticated access // Resolve transcript path const transcriptPath = entry?.sessionFile