security: remove unnecessary sanitization from chat.inject

chat.inject is a privileged operation that injects assistant messages into
transcripts. The injection sanitization was being called but its result was
ignored - the original message was used anyway.

Rather than using the sanitized text (which would be identical since
useBoundaries=false for assistant content), remove the sanitization entirely
because:
1. This injects assistant content, not user input - boundary markers are inappropriate
2. Injection patterns detect user prompt manipulations, not assistant responses
3. This is a privileged gateway operation requiring authenticated access

This addresses the new finding in the post-fix audit.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
ronitchidara 2026-01-27 21:38:54 +05:30
parent 56926e73ec
commit 01b5a757d9

View File

@ -655,21 +655,10 @@ export const chatHandlers: GatewayRequestHandlers = {
return; return;
} }
// Sanitize injected message // Note: No injection sanitization for chat.inject because:
const sanitized = sanitizeIncomingMessage(p.message, { // 1. This injects assistant content (not user input), so user boundary markers are inappropriate
stripEnvelopes: false, // Don't strip envelopes from injected content // 2. Injection patterns detect user prompt manipulations, not assistant responses
blockCritical: false, // Default: warn but don't block critical injection attempts // 3. This is a privileged gateway operation requiring authenticated access
logAttempts: true,
useBoundaries: false, // Don't wrap injected assistant messages
});
if (sanitized.blocked) {
respond(
false,
undefined,
errorShape(ErrorCodes.INVALID_REQUEST, "message blocked by security policy"),
);
return;
}
// Resolve transcript path // Resolve transcript path
const transcriptPath = entry?.sessionFile const transcriptPath = entry?.sessionFile