Summary
In process_pending_secret_requests() (crates/zeph-core/src/agent/mod.rs), req.secret_key is embedded directly in the confirmation prompt with no length bound:
let prompt = format!(
"Sub-agent requests secret '{}'. Allow?{}",
req.secret_key, // no length cap
...
);secret_key is pre-validated to [a-zA-Z0-9_-] (ASCII-only, see manager.rs comment), so there is no panic risk on UTF-8 char boundaries. However, there is no upper length limit enforced, so a malicious or buggy sub-agent could supply an arbitrarily long key name and produce an oversized prompt string.
Severity
Low. The key is ASCII-validated so no panic. The oversized prompt is only shown to the operator for confirmation. No data loss or security bypass possible.
Steps to Reproduce
- Spawn a sub-agent that sends a
SecretRequest with a secret_key of e.g. 10,000 ASCII characters.
- Observe that the confirmation prompt displayed to the operator is extremely long.
Expected Behavior
secret_key should be bounded (e.g., to 100 chars) before being embedded in the prompt, consistent with how reason is now bounded.
Related
Summary
In
process_pending_secret_requests()(crates/zeph-core/src/agent/mod.rs),req.secret_keyis embedded directly in the confirmation prompt with no length bound:secret_keyis pre-validated to[a-zA-Z0-9_-](ASCII-only, see manager.rs comment), so there is no panic risk on UTF-8 char boundaries. However, there is no upper length limit enforced, so a malicious or buggy sub-agent could supply an arbitrarily long key name and produce an oversized prompt string.Severity
Low. The key is ASCII-validated so no panic. The oversized prompt is only shown to the operator for confirmation. No data loss or security bypass possible.
Steps to Reproduce
SecretRequestwith asecret_keyof e.g. 10,000 ASCII characters.Expected Behavior
secret_keyshould be bounded (e.g., to 100 chars) before being embedded in the prompt, consistent with howreasonis now bounded.Related
reasonfield is now truncated to 200 chars viatruncate_to_chars.