AntFleet

Disagreement · 44bd7a66-anthropic-10

loadSession does not validate history element shape — corrupted/foreign data passes through as Message[]

solo Opus
repo 56f59a0d · PR #1 · reviewed 4 days ago

Opus finding

low · api-contract · high
  • src/session.ts:63-68
loadSession checks that history is an array but never validates each element conforms to the Message shape, nor that budget has the three numeric fields. An attacker (or a downgraded build) that drops a crafted latest.json can inject arbitrary objects into the chat history when resumed, which then get sent to the model provider. Lower risk because the file lives under the user's homedir, but the type-cast `as SessionData` masks the unsafe deserialization.

Recommendation

Add per-element validation (role in {user,assistant,system,tool}, content present), validate budget numeric fields, and reject if any field is invalid (with backup, see related finding).
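
One way to implement the recommended validation, as an added example that is not the project's code. The `Message` and `SessionData` shapes are assumed, `parseSession` is a hypothetical helper, and the three budget field names are placeholders because the finding does not name them.

```typescript
// Added example, not the project's code. Shapes are assumed from the finding;
// parseSession and the BUDGET_FIELDS names are hypothetical placeholders.
const ROLES = ["user", "assistant", "system", "tool"];
const BUDGET_FIELDS = ["inputTokens", "outputTokens", "totalCost"] as const;

interface Message { role: string; content: string }
type Budget = Record<(typeof BUDGET_FIELDS)[number], number>;
interface SessionData { history: Message[]; budget: Budget }

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// A history element must have an allowed role and string content.
function isMessage(v: unknown): v is Message {
  return isRecord(v)
    && typeof v.role === "string" && ROLES.indexOf(v.role) !== -1
    && typeof v.content === "string";
}

// Every budget field must be a finite number (rejects strings, NaN, null).
function isBudget(v: unknown): v is Budget {
  return isRecord(v) && BUDGET_FIELDS.every((k) => {
    const x = v[k];
    return typeof x === "number" && isFinite(x);
  });
}

// Returns validated data, or null so the caller can back up the file and start fresh.
function parseSession(raw: string): SessionData | null {
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch {
    return null; // not JSON at all
  }
  if (!isRecord(data)) return null;
  const history = data.history;
  const budget = data.budget;
  if (!Array.isArray(history) || !history.every(isMessage)) return null;
  if (!isBudget(budget)) return null;
  // Copy only the known fields so unexpected keys in the file are not
  // carried into the history that is later sent to the model provider.
  const cleanBudget = {} as Budget;
  BUDGET_FIELDS.forEach((k) => { cleanBudget[k] = budget[k]; });
  return {
    history: history.map((m: Message) => ({ role: m.role, content: m.content })),
    budget: cleanBudget,
  };
}
```
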

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.