Fix remote PTY restore probe reply leak

.github/swift-file-length-budget.tsv

@@ -1,7 +1,7 @@
 # cmux-owned Swift file length budget.
 # Format: max_lines<TAB>relative path
 # Reduce counts as files shrink. CI fails if tracked files exceed this budget.
-33285	CLI/cmux.swift
+33266	CLI/cmux.swift
 19213	Sources/ContentView.swift
 17894	Sources/AppDelegate.swift
 15182	Sources/GhosttyTerminalView.swift

CLI/SSHPTYAttachReconnectInputFilter.swift

@@ -0,0 +1,237 @@
+import Darwin
+import Foundation
+
+final class SSHPTYAttachReconnectInputFilter {
+    private enum SequenceMatch {
+        case strip(length: Int)
+        case incomplete
+        case passThrough
+    }
+
+    private static let escape: UInt8 = 0x1B
+    private static let bell: UInt8 = 0x07
+    private static let leftBracket: UInt8 = 0x5B
+    private static let rightBracket: UInt8 = 0x5D
+    private static let backslash: UInt8 = 0x5C
+    private static let semicolon: UInt8 = 0x3B
+    private static let questionMark: UInt8 = 0x3F
+    private static let dollar: UInt8 = 0x24
+    private static let maxPendingProbeBytes = 512
+
+    private var isFiltering: Bool
+    private var pending = [UInt8]()
+
+    init(enabled: Bool) {
+        isFiltering = enabled
+    }
+
+    static func startStdinPump(fd: Int32, filterEnabled: Bool) {
+        DispatchQueue.global(qos: .userInteractive).async {
+            let reconnectInputFilter = SSHPTYAttachReconnectInputFilter(enabled: filterEnabled)
+            var buffer = [UInt8](repeating: 0, count: 8192)
+            while true {
+                let count = Darwin.read(STDIN_FILENO, &buffer, buffer.count)
+                if count > 0 {
+                    let input = reconnectInputFilter.filter(Data(buffer.prefix(count)))
+                    guard !input.isEmpty else {
+                        continue
+                    }
+                    do {
+                        try Self.writeAll(fd: fd, data: input)
+                    } catch {
+                        _ = shutdown(fd, SHUT_WR)
+                        return
+                    }
+                } else if count == 0 {
+                    let input = reconnectInputFilter.finish()
+                    if !input.isEmpty {
+                        do {
+                            try Self.writeAll(fd: fd, data: input)
+                        } catch {
+                            _ = shutdown(fd, SHUT_WR)
+                            return
+                        }
+                    }
+                    _ = shutdown(fd, SHUT_WR)
+                    return
+                } else if errno != EINTR {
+                    _ = shutdown(fd, SHUT_WR)
+                    return
+                }
+            }
+        }
+    }
+
+    func filter(_ data: Data) -> Data {
+        guard isFiltering, !data.isEmpty else {
+            return data
+        }
+
+        var bytes = pending
+        pending.removeAll(keepingCapacity: true)
+        bytes.append(contentsOf: data)
+
+        var output = Data()
+        var index = 0
+        while index < bytes.count {
+            guard bytes[index] == Self.escape else {
+                isFiltering = false
+                output.append(contentsOf: bytes[index...])
+                return output
+            }
+
+            switch Self.reconnectProbeReplySequence(in: bytes, at: index) {
+            case .strip(let length):
+                index += length
+            case .incomplete:
+                let suffix = bytes[index...]
+                guard suffix.count <= Self.maxPendingProbeBytes else {
+                    isFiltering = false
+                    output.append(contentsOf: suffix)
+                    return output
+                }
+                pending.append(contentsOf: suffix)
+                return output
+            case .passThrough:
+                isFiltering = false
+                output.append(contentsOf: bytes[index...])
+                return output
+            }
+        }
+
+        return output
+    }
+
+    func finish() -> Data {
+        guard !pending.isEmpty else {
+            return Data()
+        }
+        let data = Data(pending)
+        pending.removeAll(keepingCapacity: false)
+        return data
+    }
+
+    private static func reconnectProbeReplySequence(in bytes: [UInt8], at start: Int) -> SequenceMatch {
+        guard start < bytes.count, bytes[start] == escape else {
+            return .passThrough
+        }
+        guard start + 1 < bytes.count else {
+            return .passThrough
+        }
+
+        switch bytes[start + 1] {
+        case rightBracket:
+            return oscColorReplySequence(in: bytes, at: start)
+        case leftBracket:
+            return csiProbeReplySequence(in: bytes, at: start)
+        default:
+            return .passThrough
+        }
+    }
+
+    private static func oscColorReplySequence(in bytes: [UInt8], at start: Int) -> SequenceMatch {
+        var cursor = start + 2
+        var command = [UInt8]()
+
+        while cursor < bytes.count {
+            let byte = bytes[cursor]
+            if byte == semicolon {
+                break
+            }
+            if byte < 0x30 || byte > 0x39 || command.count >= 2 {
+                return .passThrough
+            }
+            command.append(byte)
+            cursor += 1
+        }
+
+        guard cursor < bytes.count else {
+            return .passThrough
+        }
+        guard bytes[cursor] == semicolon else {
+            return .passThrough
+        }
+        guard command == [0x31, 0x30] || command == [0x31, 0x31] else {
+            return .passThrough
+        }
+
+        cursor += 1
+        while cursor < bytes.count {
+            let byte = bytes[cursor]
+            if byte == bell {
+                return .strip(length: cursor - start + 1)
+            }
+            if byte == escape {
+                guard cursor + 1 < bytes.count else {
+                    return .incomplete
+                }
+                if bytes[cursor + 1] == backslash {
+                    return .strip(length: cursor - start + 2)
+                }
+            }
+            cursor += 1
+        }
+        return .passThrough
+    }
+
+    private static func csiProbeReplySequence(in bytes: [UInt8], at start: Int) -> SequenceMatch {
+        var cursor = start + 2
+        while cursor < bytes.count {
+            let byte = bytes[cursor]
+            if byte >= 0x40, byte <= 0x7E {
+                return shouldStripCSIReply(bytes: bytes, bodyStart: start + 2, finalIndex: cursor)
+                    ? .strip(length: cursor - start + 1)
+                    : .passThrough
+            }
+            guard byte >= 0x20, byte <= 0x3F else {
+                return .passThrough
+            }
+            cursor += 1
+        }
+        return .incomplete
+    }
+
+    private static func shouldStripCSIReply(bytes: [UInt8], bodyStart: Int, finalIndex: Int) -> Bool {
+        var parameterEnd = bodyStart
+        while parameterEnd < finalIndex, bytes[parameterEnd] >= 0x30, bytes[parameterEnd] <= 0x3F {
+            parameterEnd += 1
+        }
+        guard bytes[parameterEnd..<finalIndex].allSatisfy({ $0 >= 0x20 && $0 <= 0x2F }) else {
+            return false
+        }
+
+        let parameters = bytes[bodyStart..<parameterEnd]
+        let intermediates = bytes[parameterEnd..<finalIndex]
+        let final = bytes[finalIndex]
+
+        switch final {
+        case 0x52, 0x63, 0x6E:
+            return intermediates.isEmpty
+        case 0x75:
+            return intermediates.isEmpty && parameters.first == questionMark
+        case 0x79:
+            return intermediates.elementsEqual([dollar])
+        default:
+            return false
+        }
+    }
+
+    private static func writeAll(fd: Int32, data: Data) throws {
+        try data.withUnsafeBytes { rawBuffer in
+            guard let base = rawBuffer.bindMemory(to: UInt8.self).baseAddress else { return }
+            var remaining = rawBuffer.count
+            var cursor = base
+            while remaining > 0 {
+                let written = Darwin.write(fd, cursor, remaining)
+                if written > 0 {
+                    remaining -= written
+                    cursor = cursor.advanced(by: written)
+                } else if written < 0 && errno == EINTR {
+                    continue
+                } else {
+                    throw CLIError(message: "ssh-pty-attach: bridge write failed")
+                }
+            }
+        }
+    }
+}

CLI/cmux.swift

@@ -10590,26 +10590,7 @@ struct CMUXCLI {
         )
         defer { resizeSource.cancel() }
 
-        DispatchQueue.global(qos: .userInteractive).async {
-            var buffer = [UInt8](repeating: 0, count: 8192)
-            while true {
-                let count = Darwin.read(STDIN_FILENO, &buffer, buffer.count)
-                if count > 0 {
-                    do {
-                        try self.writeAll(fd: fd, data: Data(buffer.prefix(count)))
-                    } catch {
-                        _ = shutdown(fd, SHUT_WR)
-                        return
-                    }
-                } else if count == 0 {
-                    _ = shutdown(fd, SHUT_WR)
-                    return
-                } else if errno != EINTR {
-                    _ = shutdown(fd, SHUT_WR)
-                    return
-                }
-            }
-        }
+        SSHPTYAttachReconnectInputFilter.startStdinPump(fd: fd, filterEnabled: requireExisting && command == nil)
 
         var outputBuffer = [UInt8](repeating: 0, count: 32768)
         while true {

cmux.xcodeproj/project.pbxproj

@@ -132,6 +132,7 @@
 		C0F16B000000000000000001 /* CLIRemoteShellStartupPerformanceTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0F16B000000000000000002 /* CLIRemoteShellStartupPerformanceTests.swift */; };
 		A5D41209A1B2C3D4E5F60718 /* CLIRovoDevHookPersistenceTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = A5D4120AA1B2C3D4E5F60718 /* CLIRovoDevHookPersistenceTests.swift */; };
 		B900004AA1B2C3D4E5F60719 /* CLISocketPathResolver.swift in Sources */ = {isa = PBXBuildFile; fileRef = B900004BA1B2C3D4E5F60719 /* CLISocketPathResolver.swift */; };
+		A8D837B3AA85F4353C493DE1 /* CLISSHPTYAttachProbeReplyRegressionTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8CB1737C956A80E5F98E9DC5 /* CLISSHPTYAttachProbeReplyRegressionTests.swift */; };
 		C10D51700000000000000002 /* ClosedItemHistory.swift in Sources */ = {isa = PBXBuildFile; fileRef = C10D51700000000000000001 /* ClosedItemHistory.swift */; };
 		B9000025A1B2C3D4E5F60719 /* CloseWindowConfirmDialogUITests.swift in Sources */ = {isa = PBXBuildFile; fileRef = B9000026A1B2C3D4E5F60719 /* CloseWindowConfirmDialogUITests.swift */; };
 		B9000023A1B2C3D4E5F60719 /* CloseWorkspaceCmdDUITests.swift in Sources */ = {isa = PBXBuildFile; fileRef = B9000022A1B2C3D4E5F60719 /* CloseWorkspaceCmdDUITests.swift */; };
@@ -486,6 +487,7 @@
 		C9CFB398DF94D6DDEAF42D67 /* MobileTerminalRenderObserver.swift in Sources */ = {isa = PBXBuildFile; fileRef = F51B54FAD18160281FC1C2B6 /* MobileTerminalRenderObserver.swift */; };
 		F6448F377504F33956E7E03B /* MobileWorkspaceListFidelityTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 86544CEFA1CA33CA9225FB6E /* MobileWorkspaceListFidelityTests.swift */; };
 		00C3AA443F6DA8D94E28CE17 /* MobileWorkspaceListObserver.swift in Sources */ = {isa = PBXBuildFile; fileRef = C9F14137954A34DFFA05C88C /* MobileWorkspaceListObserver.swift */; };
+		13AB1A2E5DA6AD02DCAE971D /* MockBridgeInputCapture.swift in Sources */ = {isa = PBXBuildFile; fileRef = CD3B5F249DECAB446CC71D32 /* MockBridgeInputCapture.swift */; };
 		B9000015A1B2C3D4E5F60719 /* MultiWindowNotificationsUITests.swift in Sources */ = {isa = PBXBuildFile; fileRef = B9000016A1B2C3D4E5F60719 /* MultiWindowNotificationsUITests.swift */; };
 		8B1B2AB6EC6ACDB2CD39A9BB /* NewBrowserWorkspaceShortcutUITests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 04698069140539D8495D6B9B /* NewBrowserWorkspaceShortcutUITests.swift */; };
 		734F49D37E543DD01C2F4FEF /* NotificationAndMenuBarTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = D2C075029771815DD5DA1332 /* NotificationAndMenuBarTests.swift */; };
@@ -653,6 +655,7 @@
 		F8000000A1B2C3D4E5F60718 /* SocketControlPasswordStoreTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = F8000001A1B2C3D4E5F60718 /* SocketControlPasswordStoreTests.swift */; };
 		C510C1E00000000000000002 /* SocketOperationTelemetry.swift in Sources */ = {isa = PBXBuildFile; fileRef = C510C1E00000000000000001 /* SocketOperationTelemetry.swift */; };
 		A5001230 /* Sparkle in Frameworks */ = {isa = PBXBuildFile; productRef = A5001231 /* Sparkle */; };
+		B816E948EC5E42AF967648AC /* SSHPTYAttachReconnectInputFilter.swift in Sources */ = {isa = PBXBuildFile; fileRef = 1E4DB33FA55F1B13C60EFFC8 /* SSHPTYAttachReconnectInputFilter.swift */; };
 		E30780000000000000000012 /* SSHPTYAttachStartupCommandBuilder.swift in Sources */ = {isa = PBXBuildFile; fileRef = E30780000000000000000011 /* SSHPTYAttachStartupCommandBuilder.swift */; };
 		F6355600A1B2C3D4E5F60718 /* SSHStartupSignalLifecycleTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = F6355601A1B2C3D4E5F60718 /* SSHStartupSignalLifecycleTests.swift */; };
 		F20F85FC5900550685FA33AD /* StackAuth in Frameworks */ = {isa = PBXBuildFile; productRef = A8BD195031FC4B82B4354297 /* StackAuth */; };
@@ -1027,6 +1030,7 @@
 		C0F16B000000000000000002 /* CLIRemoteShellStartupPerformanceTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CLIRemoteShellStartupPerformanceTests.swift; sourceTree = "<group>"; };
 		A5D4120AA1B2C3D4E5F60718 /* CLIRovoDevHookPersistenceTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CLIRovoDevHookPersistenceTests.swift; sourceTree = "<group>"; };
 		B900004BA1B2C3D4E5F60719 /* CLISocketPathResolver.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CLISocketPathResolver.swift; sourceTree = "<group>"; };
+		8CB1737C956A80E5F98E9DC5 /* CLISSHPTYAttachProbeReplyRegressionTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CLISSHPTYAttachProbeReplyRegressionTests.swift; sourceTree = "<group>"; };
 		C10D51700000000000000001 /* ClosedItemHistory.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ClosedItemHistory.swift; sourceTree = "<group>"; };
 		B9000026A1B2C3D4E5F60719 /* CloseWindowConfirmDialogUITests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CloseWindowConfirmDialogUITests.swift; sourceTree = "<group>"; };
 		B9000022A1B2C3D4E5F60719 /* CloseWorkspaceCmdDUITests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CloseWorkspaceCmdDUITests.swift; sourceTree = "<group>"; };
@@ -1320,6 +1324,7 @@
 		F51B54FAD18160281FC1C2B6 /* MobileTerminalRenderObserver.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = MobileTerminalRenderObserver.swift; sourceTree = "<group>"; };
 		86544CEFA1CA33CA9225FB6E /* MobileWorkspaceListFidelityTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MobileWorkspaceListFidelityTests.swift; sourceTree = "<group>"; };
 		C9F14137954A34DFFA05C88C /* MobileWorkspaceListObserver.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = MobileWorkspaceListObserver.swift; sourceTree = "<group>"; };
+		CD3B5F249DECAB446CC71D32 /* MockBridgeInputCapture.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MockBridgeInputCapture.swift; sourceTree = "<group>"; };
 		B9000016A1B2C3D4E5F60719 /* MultiWindowNotificationsUITests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MultiWindowNotificationsUITests.swift; sourceTree = "<group>"; };
 		04698069140539D8495D6B9B /* NewBrowserWorkspaceShortcutUITests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NewBrowserWorkspaceShortcutUITests.swift; sourceTree = "<group>"; };
 		D2C075029771815DD5DA1332 /* NotificationAndMenuBarTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NotificationAndMenuBarTests.swift; sourceTree = "<group>"; };
@@ -1479,6 +1484,7 @@
 		A5001225 /* SocketControlMode+Display.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "SocketControlMode+Display.swift"; sourceTree = "<group>"; };
 		F8000001A1B2C3D4E5F60718 /* SocketControlPasswordStoreTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SocketControlPasswordStoreTests.swift; sourceTree = "<group>"; };
 		C510C1E00000000000000001 /* SocketOperationTelemetry.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SocketOperationTelemetry.swift; sourceTree = "<group>"; };
+		1E4DB33FA55F1B13C60EFFC8 /* SSHPTYAttachReconnectInputFilter.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SSHPTYAttachReconnectInputFilter.swift; sourceTree = "<group>"; };
 		E30780000000000000000011 /* SSHPTYAttachStartupCommandBuilder.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SSHPTYAttachStartupCommandBuilder.swift; sourceTree = "<group>"; };
 		F6355601A1B2C3D4E5F60718 /* SSHStartupSignalLifecycleTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SSHStartupSignalLifecycleTests.swift; sourceTree = "<group>"; };
 		D35B71010000000000000002 /* StartupBreadcrumbLog.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = App/StartupBreadcrumbLog.swift; sourceTree = "<group>"; };
@@ -2364,6 +2370,7 @@
 			isa = PBXGroup;
 			children = (
 				B9000001A1B2C3D4E5F60719 /* cmux.swift */,
+				1E4DB33FA55F1B13C60EFFC8 /* SSHPTYAttachReconnectInputFilter.swift */,
 				C0DECAFE0000000000000002 /* CodexTeamsApprovalBridge.swift */,
 				FEEDC1A50000000000000002 /* FeedEventClassifier.swift */,
 				B900004BA1B2C3D4E5F60719 /* CLISocketPathResolver.swift */,
@@ -2573,6 +2580,8 @@
 				A5D41204A1B2C3D4E5F60718 /* CLINotifyProcessIntegrationRegressionTests.swift */,
 				C0F16B000000000000000002 /* CLIRemoteShellStartupPerformanceTests.swift */,
 				A5D41206A1B2C3D4E5F60718 /* CLINotifyProcessTestSupport.swift */,
+				8CB1737C956A80E5F98E9DC5 /* CLISSHPTYAttachProbeReplyRegressionTests.swift */,
+				CD3B5F249DECAB446CC71D32 /* MockBridgeInputCapture.swift */,
 				A5D41208A1B2C3D4E5F60718 /* CLIGenericHookPersistenceTests.swift */,
 				A5D41212A1B2C3D4E5F60718 /* CLIHookNoResponseTests.swift */,
 				A5D4120AA1B2C3D4E5F60718 /* CLIRovoDevHookPersistenceTests.swift */,
@@ -3548,6 +3557,7 @@
 				B9000027A1B2C3D4E5F60719 /* RemoteRelayZshBootstrap.swift in Sources */,
 				5E2701020000000000000003 /* SentryEventScrubber.swift in Sources */,
 				C510C1E00000000000000002 /* SocketOperationTelemetry.swift in Sources */,
+				B816E948EC5E42AF967648AC /* SSHPTYAttachReconnectInputFilter.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -3647,6 +3657,7 @@
 				A5D41205A1B2C3D4E5F60718 /* CLINotifyProcessTestSupport.swift in Sources */,
 				C0F16B000000000000000001 /* CLIRemoteShellStartupPerformanceTests.swift in Sources */,
 				A5D41209A1B2C3D4E5F60718 /* CLIRovoDevHookPersistenceTests.swift in Sources */,
+				A8D837B3AA85F4353C493DE1 /* CLISSHPTYAttachProbeReplyRegressionTests.swift in Sources */,
 				C0DE31390000000000000105 /* CMUXCLIErrorOutputRegressionTests.swift in Sources */,
 				C0DEF0A40000000000000001 /* CmuxConfigContextMenuTests.swift in Sources */,
 				E30750000000000000000006 /* CmuxConfigNamedColorTests.swift in Sources */,
@@ -3717,6 +3728,7 @@
 				4C1A7E10B2D34F56A8C90013 /* MobileHostStatusVerificationLimiterTests.swift in Sources */,
 				9B08F916D7FF7626C6820727 /* MobilePairingConnectionTransitionTests.swift in Sources */,
 				F6448F377504F33956E7E03B /* MobileWorkspaceListFidelityTests.swift in Sources */,
+				13AB1A2E5DA6AD02DCAE971D /* MockBridgeInputCapture.swift in Sources */,
 				734F49D37E543DD01C2F4FEF /* NotificationAndMenuBarTests.swift in Sources */,
 				D7AB00000000000000B021 /* NotificationDismissSyncTests.swift in Sources */,
 				4E5F60720000000000000001 /* NotificationSoundSettingsTests.swift in Sources */,