agent-kanban: validate artifact media Content-Type before forwarding#11
Open
rushitgit wants to merge 1 commit into
Open
agent-kanban: validate artifact media Content-Type before forwarding#11rushitgit wants to merge 1 commit into
rushitgit wants to merge 1 commit into
Conversation
The artifact media proxy mirrored the upstream CDN's Content-Type into the response. Opening an SVG artifact via the existing thumbnail link (<a target="_blank"> in ArtifactTile) renders it as a top-level document in the app origin and executes embedded scripts. Allowlist the MIME types the proxy can claim, fall back to the path-based guess otherwise, and drop image/svg+xml from that fallback so SVG artifacts are served as application/octet-stream.
Author
Author
|
Bumping this after two months with no response. The vulnerability is still present on current HEAD (checked 2026-06-25):
An agent (or a compromised artifact CDN) can plant an SVG with The fix in this PR is two lines: remove If you'd prefer a private report channel, I can refile this as a GitHub private vulnerability report. Otherwise I'll treat the 90-day window as starting from the original submission date (2026-04-29) and plan to disclose publicly around 2026-07-28. cc @cursor |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The artifact media proxy in
sdk/agent-kanbanjust pipes whateverContent-Typethe upstream CDN sends straight to the browser. Normally fine, butArtifactTilewraps every preview in<a href={mediaUrl} target="_blank">— so if a CDN serves an artifact withContent-Type: image/svg+xml, clicking the thumbnail opens it as a top-level SVG document on the app's own origin, where<script>tags run freely.SVG-as-image (inside
<img>) is sandboxed. SVG-as-document is not. That distinction is what makes this worth closing.What the fix does:
Adds a small allowlist of image/video MIME types that are actually safe to reflect. Anything not on the list falls back to
contentTypeForArtifactPath()extension sniffing — andimage/svg+xmlis intentionally left out of both so SVGs land asapplication/octet-streaminstead of executing. Both the URL-fetch path and the Blob path inreadArtifactContentgo through the same sanitizer.No behaviour change for normal PNG/JPEG/GIF/WebP/AVIF/MP4/WebM artifacts.