From 4b5514a25996b4aef33003a87283bd62611be619 Mon Sep 17 00:00:00 2001
From: Josh Palmer <joshp123@users.noreply.github.com>
Date: Thu, 29 Jan 2026 17:14:14 +0100
Subject: [PATCH 1/2] Tests: default-disable plugins in VITEST

---
 src/gateway/tools-invoke-http.ts | 39 +++++++++++++++++++
 src/plugins/config-state.ts      | 66 ++++++++++++++++++++++++++++++++
 src/plugins/loader.ts            |  3 +-
 3 files changed, 107 insertions(+), 1 deletion(-)

diff --git a/src/gateway/tools-invoke-http.ts b/src/gateway/tools-invoke-http.ts
index fa45bf3dc..bf05e2822 100644
--- a/src/gateway/tools-invoke-http.ts
+++ b/src/gateway/tools-invoke-http.ts
@@ -18,6 +18,7 @@ import {
 import { loadConfig } from "../config/config.js";
 import { resolveMainSessionKey } from "../config/sessions.js";
 import { logWarn } from "../logger.js";
+import { isTestDefaultMemorySlotDisabled } from "../plugins/config-state.js";
 import { getPluginToolMeta } from "../plugins/tools.js";
 import { isSubagentSessionKey } from "../routing/session-key.js";
 import { normalizeMessageChannel } from "../utils/message-channel.js";
@@ -33,6 +34,7 @@ import {
 } from "./http-common.js";
 
 const DEFAULT_BODY_BYTES = 2 * 1024 * 1024;
+const MEMORY_TOOL_NAMES = new Set(["memory_search", "memory_get"]);
 
 type ToolsInvokeBody = {
   tool?: unknown;
@@ -47,6 +49,26 @@ function resolveSessionKeyFromBody(body: ToolsInvokeBody): string | undefined {
   return undefined;
 }
 
+function resolveMemoryToolDisableReasons(cfg: ReturnType<typeof loadConfig>): string[] {
+  if (!process.env.VITEST) return [];
+  const reasons: string[] = [];
+  const plugins = cfg.plugins;
+  const slotRaw = plugins?.slots?.memory;
+  const slotDisabled =
+    slotRaw === null || (typeof slotRaw === "string" && slotRaw.trim().toLowerCase() === "none");
+  const pluginsDisabled = plugins?.enabled === false;
+  const defaultDisabled = isTestDefaultMemorySlotDisabled(cfg);
+
+  if (pluginsDisabled) reasons.push("plugins.enabled=false");
+  if (slotDisabled) {
+    reasons.push(slotRaw === null ? "plugins.slots.memory=null" : 'plugins.slots.memory="none"');
+  }
+  if (!pluginsDisabled && !slotDisabled && defaultDisabled) {
+    reasons.push("memory plugin disabled by test default");
+  }
+  return reasons;
+}
+
 function mergeActionIntoArgsIfSupported(params: {
   toolSchema: unknown;
   action: string | undefined;
@@ -103,6 +125,23 @@ export async function handleToolsInvokeHttpRequest(
     return true;
   }
 
+  if (process.env.VITEST && MEMORY_TOOL_NAMES.has(toolName)) {
+    const reasons = resolveMemoryToolDisableReasons(cfg);
+    if (reasons.length > 0) {
+      const suffix = reasons.length > 0 ? ` (${reasons.join(", ")})` : "";
+      sendJson(res, 400, {
+        ok: false,
+        error: {
+          type: "invalid_request",
+          message:
+            `memory tools are disabled in tests${suffix}. ` +
+            'Enable by setting plugins.slots.memory="memory-core" (and ensure plugins.enabled is not false).',
+        },
+      });
+      return true;
+    }
+  }
+
   const action = typeof body.action === "string" ? body.action.trim() : undefined;
 
   const argsRaw = body.args;
diff --git a/src/plugins/config-state.ts b/src/plugins/config-state.ts
index bf44b5fe4..6b1a6c54a 100644
--- a/src/plugins/config-state.ts
+++ b/src/plugins/config-state.ts
@@ -64,6 +64,72 @@ export const normalizePluginsConfig = (
   };
 };
 
+const hasExplicitMemorySlot = (plugins?: MoltbotConfig["plugins"]) =>
+  Boolean(plugins?.slots && Object.prototype.hasOwnProperty.call(plugins.slots, "memory"));
+
+const hasExplicitMemoryEntry = (plugins?: MoltbotConfig["plugins"]) =>
+  Boolean(plugins?.entries && Object.prototype.hasOwnProperty.call(plugins.entries, "memory-core"));
+
+const hasExplicitPluginConfig = (plugins?: MoltbotConfig["plugins"]) => {
+  if (!plugins) return false;
+  if (typeof plugins.enabled === "boolean") return true;
+  if (Array.isArray(plugins.allow) && plugins.allow.length > 0) return true;
+  if (Array.isArray(plugins.deny) && plugins.deny.length > 0) return true;
+  if (plugins.load?.paths && Array.isArray(plugins.load.paths) && plugins.load.paths.length > 0)
+    return true;
+  if (plugins.slots && Object.keys(plugins.slots).length > 0) return true;
+  if (plugins.entries && Object.keys(plugins.entries).length > 0) return true;
+  return false;
+};
+
+export function applyTestPluginDefaults(
+  cfg: MoltbotConfig,
+  env: NodeJS.ProcessEnv = process.env,
+): MoltbotConfig {
+  if (!env.VITEST) return cfg;
+  const plugins = cfg.plugins;
+  const explicitConfig = hasExplicitPluginConfig(plugins);
+  if (explicitConfig) {
+    if (hasExplicitMemorySlot(plugins) || hasExplicitMemoryEntry(plugins)) {
+      return cfg;
+    }
+    return {
+      ...cfg,
+      plugins: {
+        ...plugins,
+        slots: {
+          ...plugins?.slots,
+          memory: null,
+        },
+      },
+    };
+  }
+
+  return {
+    ...cfg,
+    plugins: {
+      ...plugins,
+      enabled: false,
+      slots: {
+        ...plugins?.slots,
+        memory: null,
+      },
+    },
+  };
+}
+
+export function isTestDefaultMemorySlotDisabled(
+  cfg: MoltbotConfig,
+  env: NodeJS.ProcessEnv = process.env,
+): boolean {
+  if (!env.VITEST) return false;
+  const plugins = cfg.plugins;
+  if (hasExplicitMemorySlot(plugins) || hasExplicitMemoryEntry(plugins)) {
+    return false;
+  }
+  return true;
+}
+
 export function resolveEnableState(
   id: string,
   origin: PluginRecord["origin"],
diff --git a/src/plugins/loader.ts b/src/plugins/loader.ts
index 174441bfc..79c785f27 100644
--- a/src/plugins/loader.ts
+++ b/src/plugins/loader.ts
@@ -10,6 +10,7 @@ import { resolveUserPath } from "../utils.js";
 import { discoverMoltbotPlugins } from "./discovery.js";
 import { loadPluginManifestRegistry } from "./manifest-registry.js";
 import {
+  applyTestPluginDefaults,
   normalizePluginsConfig,
   resolveEnableState,
   resolveMemorySlotDecision,
@@ -162,7 +163,7 @@ function pushDiagnostics(diagnostics: PluginDiagnostic[], append: PluginDiagnost
 }
 
 export function loadMoltbotPlugins(options: PluginLoadOptions = {}): PluginRegistry {
-  const cfg = options.config ?? {};
+  const cfg = applyTestPluginDefaults(options.config ?? {});
   const logger = options.logger ?? defaultLogger();
   const validateOnly = options.mode === "validate";
   const normalized = normalizePluginsConfig(cfg.plugins);

From 06289b36da72a65f8d1cafd7cbab5f3d8654df98 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Thu, 29 Jan 2026 16:33:36 +0000
Subject: [PATCH 2/2] fix(security): harden SSH target handling (#4001)

Thanks @YLChen-007.

Co-authored-by: Edward-x <YLChen-007@users.noreply.github.com>
---
 CHANGELOG.md                        |  1 +
 src/commands/gateway-status.test.ts | 39 +++++++++++++++++++++++++++++
 src/commands/gateway-status.ts      |  4 ++-
 src/infra/ssh-config.test.ts        |  2 ++
 src/infra/ssh-config.ts             |  3 ++-
 src/infra/ssh-tunnel.test.ts        | 27 ++++++++++++++++++++
 src/infra/ssh-tunnel.ts             |  7 +++++-
 src/plugins/config-state.ts         |  4 +--
 8 files changed, 82 insertions(+), 5 deletions(-)
 create mode 100644 src/infra/ssh-tunnel.test.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c5321870..1b13b7835 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ Docs: https://docs.molt.bot
 Status: beta.
 
 ### Changes
+- Security: harden SSH tunnel target parsing to prevent option injection/DoS. (#4001) Thanks @YLChen-007.
 - Rebrand: rename the npm package/CLI to `moltbot`, add a `moltbot` compatibility shim, and move extensions to the `@moltbot/*` scope.
 - Commands: group /help and /commands output with Telegram paging. (#2504) Thanks @hougangdev.
 - macOS: limit project-local `node_modules/.bin` PATH preference to debug builds (reduce PATH hijacking risk).
diff --git a/src/commands/gateway-status.test.ts b/src/commands/gateway-status.test.ts
index 09547a83d..5e816f581 100644
--- a/src/commands/gateway-status.test.ts
+++ b/src/commands/gateway-status.test.ts
@@ -192,6 +192,45 @@ describe("gateway-status command", () => {
     expect(targets.some((t) => t.kind === "sshTunnel")).toBe(true);
   });
 
+  it("skips invalid ssh-auto discovery targets", async () => {
+    const runtimeLogs: string[] = [];
+    const runtime = {
+      log: (msg: string) => runtimeLogs.push(msg),
+      error: (_msg: string) => {},
+      exit: (code: number) => {
+        throw new Error(`__exit__:${code}`);
+      },
+    };
+
+    const originalUser = process.env.USER;
+    try {
+      process.env.USER = "steipete";
+      loadConfig.mockReturnValueOnce({
+        gateway: {
+          mode: "remote",
+          remote: {},
+        },
+      });
+      discoverGatewayBeacons.mockResolvedValueOnce([
+        { tailnetDns: "-V" },
+        { tailnetDns: "goodhost" },
+      ]);
+
+      startSshPortForward.mockClear();
+      const { gatewayStatusCommand } = await import("./gateway-status.js");
+      await gatewayStatusCommand(
+        { timeout: "1000", json: true, sshAuto: true },
+        runtime as unknown as import("../runtime.js").RuntimeEnv,
+      );
+
+      expect(startSshPortForward).toHaveBeenCalledTimes(1);
+      const call = startSshPortForward.mock.calls[0]?.[0] as { target: string };
+      expect(call.target).toBe("steipete@goodhost");
+    } finally {
+      process.env.USER = originalUser;
+    }
+  });
+
   it("infers SSH target from gateway.remote.url and ssh config", async () => {
     const runtimeLogs: string[] = [];
     const runtime = {
diff --git a/src/commands/gateway-status.ts b/src/commands/gateway-status.ts
index 3a51a7886..a5a34d6e4 100644
--- a/src/commands/gateway-status.ts
+++ b/src/commands/gateway-status.ts
@@ -107,7 +107,9 @@ export async function gatewayStatusCommand(
             const base = user ? `${user}@${host.trim()}` : host.trim();
             return sshPort !== 22 ? `${base}:${sshPort}` : base;
           })
-          .filter((x): x is string => Boolean(x));
+          .filter((candidate): candidate is string =>
+            Boolean(candidate && parseSshTarget(candidate)),
+          );
         if (candidates.length > 0) sshTarget = candidates[0] ?? null;
       }
 
diff --git a/src/infra/ssh-config.test.ts b/src/infra/ssh-config.test.ts
index 8f3248e0c..48a8bf310 100644
--- a/src/infra/ssh-config.test.ts
+++ b/src/infra/ssh-config.test.ts
@@ -54,6 +54,8 @@ describe("ssh-config", () => {
     expect(config?.host).toBe("peters-mac-studio-1.sheep-coho.ts.net");
     expect(config?.port).toBe(2222);
     expect(config?.identityFiles).toEqual(["/tmp/id_ed25519"]);
+    const args = spawnMock.mock.calls[0]?.[1] as string[] | undefined;
+    expect(args?.slice(-2)).toEqual(["--", "me@alias"]);
   });
 
   it("returns null when ssh -G fails", async () => {
diff --git a/src/infra/ssh-config.ts b/src/infra/ssh-config.ts
index 037405e8c..0b0e95015 100644
--- a/src/infra/ssh-config.ts
+++ b/src/infra/ssh-config.ts
@@ -58,7 +58,8 @@ export async function resolveSshConfig(
     args.push("-i", opts.identity.trim());
   }
   const userHost = target.user ? `${target.user}@${target.host}` : target.host;
-  args.push(userHost);
+  // Use "--" so userHost can't be parsed as an ssh option.
+  args.push("--", userHost);
 
   return await new Promise<SshResolvedConfig | null>((resolve) => {
     const child = spawn(sshPath, args, {
diff --git a/src/infra/ssh-tunnel.test.ts b/src/infra/ssh-tunnel.test.ts
new file mode 100644
index 000000000..d31f25d1a
--- /dev/null
+++ b/src/infra/ssh-tunnel.test.ts
@@ -0,0 +1,27 @@
+import { describe, expect, it } from "vitest";
+
+import { parseSshTarget } from "./ssh-tunnel.js";
+
+describe("parseSshTarget", () => {
+  it("parses user@host:port targets", () => {
+    expect(parseSshTarget("me@example.com:2222")).toEqual({
+      user: "me",
+      host: "example.com",
+      port: 2222,
+    });
+  });
+
+  it("parses host-only targets with default port", () => {
+    expect(parseSshTarget("example.com")).toEqual({
+      user: undefined,
+      host: "example.com",
+      port: 22,
+    });
+  });
+
+  it("rejects hostnames that start with '-'", () => {
+    expect(parseSshTarget("-V")).toBeNull();
+    expect(parseSshTarget("me@-badhost")).toBeNull();
+    expect(parseSshTarget("-oProxyCommand=echo")).toBeNull();
+  });
+});
diff --git a/src/infra/ssh-tunnel.ts b/src/infra/ssh-tunnel.ts
index 8b3c7693b..399dc22e3 100644
--- a/src/infra/ssh-tunnel.ts
+++ b/src/infra/ssh-tunnel.ts
@@ -41,10 +41,14 @@ export function parseSshTarget(raw: string): SshParsedTarget | null {
     const portRaw = hostPart.slice(colonIdx + 1).trim();
     const port = Number.parseInt(portRaw, 10);
     if (!host || !Number.isFinite(port) || port <= 0) return null;
+    // Security: Reject hostnames starting with '-' to prevent argument injection
+    if (host.startsWith("-")) return null;
     return { user: userPart, host, port };
   }
 
   if (!hostPart) return null;
+  // Security: Reject hostnames starting with '-' to prevent argument injection
+  if (hostPart.startsWith("-")) return null;
   return { user: userPart, host: hostPart, port: 22 };
 }
 
@@ -134,7 +138,8 @@ export async function startSshPortForward(opts: {
   if (opts.identity?.trim()) {
     args.push("-i", opts.identity.trim());
   }
-  args.push(userHost);
+  // Security: Use '--' to prevent userHost from being interpreted as an option
+  args.push("--", userHost);
 
   const stderr: string[] = [];
   const child = spawn("/usr/bin/ssh", args, {
diff --git a/src/plugins/config-state.ts b/src/plugins/config-state.ts
index 6b1a6c54a..5bfff7dbc 100644
--- a/src/plugins/config-state.ts
+++ b/src/plugins/config-state.ts
@@ -99,7 +99,7 @@ export function applyTestPluginDefaults(
         ...plugins,
         slots: {
           ...plugins?.slots,
-          memory: null,
+          memory: "none",
         },
       },
     };
@@ -112,7 +112,7 @@ export function applyTestPluginDefaults(
       enabled: false,
       slots: {
         ...plugins?.slots,
-        memory: null,
+        memory: "none",
       },
     },
   };