Files
executus/tools/create_file_url.go
T
steve d0bd3ec3d9
executus CI / test (push) Has been cancelled
fix: address verified gadfly P3 review (3-cloud fleet)
All 3 cloud models converged on a real access-control bug; fixed it + the
other genuine findings (the false-positives were dropped):

Security (HIGH — all 3 models):
- create_file_url skipped ValidateScope: a same-skill caller could mint a
  PUBLIC url for a file scoped to another user/run. Now runs ValidateScope
  (admin-aware), skipped only for the descendant-grant case — mirroring the
  read tools.

Other real fixes:
- ValidateScope hard-coded `false` at every call site (admin branch dead) ->
  pass inv.CallerIsAdmin (the executor sets it via the host AdminPolicy; still
  false/fail-closed when no admin). Stale "no admin flag" comment corrected.
- create_file_url: ExpiresInSeconds clamped BEFORE the *time.Second multiply
  (huge values overflowed to a negative duration that slipped under the cap,
  minting already-expired tokens); swallowed json.Marshal error now returned.
- RegisterMeta: build the default budget WITH the configured MaxPerRun (was
  NewInMemorySearchBudget(nil) -> hardcoded 10, ignoring MetaDeps.MaxPerRun).
- classify: all-zero scores no longer return a false-positive top-1 winner;
  coerceClassifyScore uses strconv.ParseFloat (rejects trailing garbage like
  "50extra" that fmt.Sscanf silently accepted).
- file_delete: honor the descendant grant (parent can clean up a worker's
  artifacts) — was the lone cross-skill-reject-outright file tool.
- meta tools: input caps truncate at a UTF-8 rune boundary (truncateUTF8), not
  mid-rune.
- think: removed the dead `var _ = fmt.Errorf` import-keeper; file_save default
  aligned to 16 MiB (matched RegisterStore).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 00:11:54 -04:00

223 lines
8.2 KiB
Go

// create_file_url mints a public-token URL (mort.sh/files/<token>)
// that resolves to a saved file_id. Use it for artifacts that are too
// large for Discord (>25 MiB), need a stable link to share outside
// Discord, or where the recipient is not in mort's auth domain.
//
// Why a separate tool (vs always returning a URL from file_save):
// most files are private working state — only some need a public URL,
// and minting one is a deliberate act. Decoupling save from
// publication keeps the storage layer cheap (no token row per file)
// and the audit clean (you can grep skill_file_tokens for "who
// published what").
//
// Cycle-break: this tool can't import pkg/logic/skills directly
// (pkg/logic/skills imports pkg/skilltools). The narrow interface
// FileTokenMinter is declared here; mort.go bridges to
// *skills.System.Storage() at wiring time.
package tools
import (
"context"
"crypto/rand"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"strings"
"time"
"gitea.stevedudenhoeffer.com/steve/executus/tool"
)
// FileToken is the wire-shape of the storage row that backs the
// public /files/<token> URL. Mirrors pkg/logic/skills.FileToken
// field-for-field; the adapter in mort.go is a struct copy.
//
// Why mirror (vs import skills.FileToken): same cycle constraint as
// FileDomainMeta / KVDomainEntry — the tool layer cannot import
// pkg/logic/skills.
type FileToken struct {
Token string
FileID string
SkillID string
CallerID string
CreatedAt time.Time
ExpiresAt *time.Time
MaxViews *int
Views int
}
// FileTokenMinter is the narrow interface the create_file_url tool
// needs to persist a new token. Production wires to
// *skills.gormStorage via a thin adapter in mort.go.
type FileTokenMinter interface {
SaveFileToken(ctx context.Context, t FileToken) error
}
// Caps for create_file_url. Public so tests can assert against them.
const (
// DefaultFileURLExpiry is the default lifetime applied when the
// caller doesn't supply expires_in_seconds.
DefaultFileURLExpiry = 24 * time.Hour
// MaxFileURLExpiry is the per-tool hard cap. 30 days is generous
// enough for "share this report with someone" without becoming
// effectively-permanent. Operators can lower via the
// SkillFileURLConfigProvider; this is the floor below which the
// admin gate doesn't apply.
MaxFileURLExpiry = 30 * 24 * time.Hour
// MaxFileURLViews is the per-tool hard cap on max_views. 1000 is
// the largest value an LLM might plausibly set; anything beyond
// is "unlimited" semantically and the caller should leave the
// field absent.
MaxFileURLViews = 1000
)
type createFileURLArgs struct {
FileID string `json:"file_id" description:"file_id previously saved by this skill (from file_save, code_exec, etc)."`
ExpiresInSeconds int `json:"expires_in_seconds,omitempty" description:"How long the URL stays valid in seconds. Default 86400 (24h). Max 2592000 (30 days)."`
MaxViews int `json:"max_views,omitempty" description:"Optional cap on the number of times the URL can be fetched. Max 1000. Omit (or 0) for unlimited within the lifetime."`
}
type createFileURLResult struct {
URL string `json:"url"`
Token string `json:"token"`
ExpiresAt string `json:"expires_at,omitempty"` // RFC3339
MaxViews int `json:"max_views,omitempty"`
Note string `json:"note,omitempty"`
}
// NewCreateFileURL constructs the create_file_url tool. nil minter →
// "not configured" at execute time; nil fileStorage same. baseURL is
// the public site (e.g. "https://mort.sh"); the path "/files/<token>"
// is appended.
//
// Permission shape: anyone-authoring + caller-scope + share-safe +
// files/discord/composition. The "publishing" act is a tool call,
// not a save-time / share-time concern — every caller of a shared
// skill mints into their own audit trail.
func NewCreateFileURL(minter FileTokenMinter, fileStorage FileStorage, baseURL string) tool.Tool {
baseURL = strings.TrimRight(baseURL, "/")
return tool.NewGatedTool[createFileURLArgs](
"create_file_url",
"Mint a public URL (mort.sh/files/<token>) for a saved file_id. Use for files too large for Discord (>25 MiB) or when a stable link is preferred over an attachment. Default expiry 24h; max 30 days. Optional view-count cap (max 1000).",
tool.Permission{
AuthoringRequirement: tool.RequirementAnyone,
OperatesOn: tool.ScopeCaller,
SafeForShare: true,
Categories: []string{"files", "discord"},
},
func(ctx context.Context, inv tool.Invocation, args createFileURLArgs) (string, error) {
if minter == nil || fileStorage == nil {
return "", fmt.Errorf("create_file_url: not configured")
}
if strings.TrimSpace(args.FileID) == "" {
return "", fmt.Errorf("create_file_url: file_id required")
}
// Cross-skill rejection: the file MUST belong to the
// calling skill. Without this, a hostile skill could mint
// a URL for ANY file by file_id.
meta, _, err := fileStorage.FileGet(ctx, args.FileID)
if err != nil {
if errors.Is(err, ErrFileNotFound) {
return "", fmt.Errorf("create_file_url: file_id %q not found", args.FileID)
}
return "", fmt.Errorf("create_file_url: %w", err)
}
grantedViaDescendant := false
if meta.SkillID != inv.SkillID {
if !descendantFileGrant(ctx, fileStorage, inv, meta.SkillID) {
return "", fmt.Errorf("create_file_url: file_id %q does not belong to this skill (cross-skill refs rejected)", args.FileID)
}
grantedViaDescendant = true
}
// Scope gate — this is a PUBLICATION primitive (it mints an
// unauthenticated link), so it must enforce the same per-user/per-run
// scope isolation the read tools do: a same-skill caller must not be
// able to publish a file scoped to another user/run. Skipped only for
// the descendant-grant case (the worker's file scope is the worker's
// run, not the caller's).
if !grantedViaDescendant {
if err := ValidateScope(inv, meta.Scope, inv.CallerIsAdmin); err != nil {
return "", fmt.Errorf("create_file_url: %w", err)
}
}
// Resolve expiry. Clamp the caller's seconds BEFORE the multiply so a
// huge value can't overflow int64 nanoseconds into a negative
// duration that slips under the max-expiry cap (minting an
// already-expired token).
expiry := DefaultFileURLExpiry
if args.ExpiresInSeconds > 0 {
maxSecs := int(MaxFileURLExpiry / time.Second)
secs := args.ExpiresInSeconds
if secs > maxSecs {
secs = maxSecs
}
expiry = time.Duration(secs) * time.Second
}
if expiry > MaxFileURLExpiry {
expiry = MaxFileURLExpiry
}
expiresAt := time.Now().Add(expiry)
// Resolve max_views.
var maxViews *int
if args.MaxViews > 0 {
mv := args.MaxViews
if mv > MaxFileURLViews {
mv = MaxFileURLViews
}
maxViews = &mv
}
// Mint a 32-byte random token, base64url-encoded
// (padless). 43 chars long; the storage column is 64 so
// there's room to grow without a migration.
token, err := mintFileURLToken()
if err != nil {
return "", fmt.Errorf("create_file_url: token generation: %w", err)
}
// Persist.
if err := minter.SaveFileToken(ctx, FileToken{
Token: token,
FileID: args.FileID,
SkillID: inv.SkillID,
CallerID: inv.CallerID,
ExpiresAt: &expiresAt,
MaxViews: maxViews,
}); err != nil {
return "", fmt.Errorf("create_file_url: save: %w", err)
}
url := baseURL + "/files/" + token
res := createFileURLResult{
URL: url,
Token: token,
ExpiresAt: expiresAt.UTC().Format(time.RFC3339),
Note: "URL is public — anyone with the link can fetch this file until it expires or the view cap is reached.",
}
if maxViews != nil {
res.MaxViews = *maxViews
}
b, err := json.Marshal(res)
if err != nil {
return "", fmt.Errorf("create_file_url: marshal: %w", err)
}
return string(b), nil
},
)
}
// mintFileURLToken returns a 32-byte random token, base64url-encoded
// without padding. ~190 bits of entropy, well above the
// collision-resistance threshold for the 64-char storage column.
func mintFileURLToken() (string, error) {
var b [32]byte
if _, err := rand.Read(b[:]); err != nil {
return "", err
}
return base64.RawURLEncoding.EncodeToString(b[:]), nil
}