
Security hardening: fix RCE, persist spend guard, validate inputs#2

Merged: AaronUppal-AI merged 1 commit into main from security-hardening on May 23, 2026

Conversation

@AaronUppal-AI (Owner)
  • publish.js: replace execSync shell interpolation with spawnSync argv array, eliminating command injection / RCE surface (CRITICAL)
  • payment.js: validate payTo is a real Ethereum address via isAddress() before sending funds; validate amount is a positive finite number before spend limit check; strip non-numeric chars from price string
  • memory.js: add agent_spend table + recordSpend/getSpendToday so the $10/day limit persists across process restarts
  • payment.js: use ClickHouse-backed spend tracking instead of in-memory
  • index.js: fail fast at startup if any required env var is missing
  • server.js: verify x-payment-proof tx is confirmed on Base Sepolia before serving search results (not just regex format check)


- publish.js: replace execSync shell interpolation with spawnSync argv
  array, eliminating command injection / RCE surface (CRITICAL)
- payment.js: validate payTo is a real Ethereum address via isAddress()
  before sending funds; validate amount is a positive finite number
  before spend limit check; strip non-numeric chars from price string
- memory.js: add agent_spend table + recordSpend/getSpendToday so the
  $10/day limit persists across process restarts
- payment.js: use ClickHouse-backed spend tracking instead of in-memory
- index.js: fail fast at startup if any required env var is missing
- server.js: verify x-payment-proof tx is confirmed on Base Sepolia
  before serving search results (not just regex format check)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>