Security: TUI mode TCP listener bypasses session key authentication (incomplete fix for #5)

[Mike-7777777]

Description

The session key authentication introduced in #5 was applied to the server (detached) mode but not to the TUI (interactive) mode. Any local process that can read ~/.psmux/*.port can connect to a TUI-mode session's TCP control port and execute commands without authentication.

Root Cause

In server mode (src/server/mod.rs), the accept loop generates a session key, writes it to a .key file, and passes it to connection::handle_connection(), which enforces AUTH <key> as the first line of every connection:

• Key generation: src/server/mod.rs:334-342
• Auth enforcement: src/server/connection.rs:38-57

In TUI mode (src/app.rs), the accept loop reads the first line directly as a command. No session key is generated, no .key file is written, and no authentication check is performed:

• Unauthenticated accept loop: src/app.rs:280-480

Impact

Commands accepted without auth in TUI mode include new-window and split-window, both of which accept an arbitrary command argument that gets passed to create_window() → build_command() → spawn_command(). This allows any local process to execute arbitrary commands as the psmux user.

source-file is also accepted unauthenticated, which can load config files containing run-shell directives.

PoC (PowerShell)

# 1. Find the port file for any running TUI session
#    (No .key file exists — TUI mode doesn't create one)
$portFile = Get-ChildItem "$env:USERPROFILE\.psmux\*.port" | Select-Object -First 1
$port = Get-Content $portFile

# 2. Send a command without authentication
$tcp = New-Object System.Net.Sockets.TcpClient("127.0.0.1", [int]$port)
$stream = $tcp.GetStream()
$writer = New-Object System.IO.StreamWriter($stream)
$writer.WriteLine('new-window "cmd /c calc.exe"')
$writer.Flush()
$tcp.Close()

Scope

The TCP listener is bound to 127.0.0.1, so this is a local-only attack surface. On single-user desktops the practical risk is limited. The concern is multi-user systems or environments with sandboxed/compromised processes that can make TCP connections and read the port file.

Suggested Fix

Apply the same authentication pattern from server/mod.rs to app.rs:

1. Generate a session key in app.rs (same logic as server/mod.rs:334-342)
2. Write the key to ~/.psmux/<session>.key
3. Route TCP connections through connection::handle_connection() instead of inline command parsing

This would unify both code paths and ensure all TCP connections are authenticated regardless of the mode.

Additional Hardening Suggestion

Session names are used directly in file paths (types.rs:774, session.rs:93) without sanitization. A name containing ../ could write .port/.key files outside ~/.psmux/. Consider rejecting path separators and .. sequences in session names. (Low severity — requires local CLI access.)

Environment

• psmux v3.3.2 (commit 3bf380d)
• Windows 11 Pro (Build 26200)
• Audited on: 2026-04-12

[psmux]

Hey @Mike-7777777, thanks for taking the time to audit the codebase and report this. I appreciate the thoroughness of your analysis.

However, after extensive practical reproduction testing, I can confirm that this vulnerability does not exist in the current codebase (v3.3.2, commit 9926b85, and also verified against commit 3bf380d which you audited).

Reproduction Results

I ran 14 targeted tests covering both TUI (attached) and server (detached) sessions. Every single one passed, proving auth is enforced in both modes.

Key findings:

1. TUI sessions DO create .key files (your report states otherwise). When you run psmux new-session -s test, the architecture is: main.rs spawns a background server process via run_server() in server/mod.rs, which writes both .port and .key files and routes all TCP through handle_connection() in connection.rs with full auth enforcement.

2. Your exact PoC was tested and fails:

   • Connecting without AUTH returns ERROR: Authentication required
   • new-window "cmd /c calc.exe" sent without auth is rejected
   • Window count remains unchanged (no window was created)

3. All dangerous commands are protected:

   • send-keys without auth: rejected
   • source-file without auth: rejected
   • new-window without auth: rejected
   • Wrong auth key: ERROR: Invalid session key

4. 20 rapid fire unauthenticated commands were all rejected with zero exceptions

Why The Code Analysis Was Misleading

The code path you identified in app.rs (lines 280 to 480) with the inline TCP handler that lacks auth is dead code. The pub fn run() in app.rs is declared via mod app; in main.rs but is never called from anywhere in the current codebase.

Here is how sessions actually work:

• psmux new-session -s name (main.rs) spawns a server process via psmux server -s name
• The server process runs run_server() in server/mod.rs
• server/mod.rs generates the session key, writes .key file, and passes it to handle_connection()
• handle_connection() in connection.rs enforces AUTH <key> on every connection
• The TUI client runs run_remote() from client.rs and connects to the server as a regular client
• The app::run() function with its unauthenticated TCP listener is a legacy code path that is never executed

Regarding the Dead Code

While the vulnerability itself is not real, you do raise a valid point that the unauthenticated TCP handler in app.rs should probably be cleaned up or removed to avoid confusion in future audits. I will consider cleaning that up.

Regarding PR #207

Since the issue is not reproducible, PR #207 is not needed as a security fix. The changes it makes would modify code that never executes. I will close the PR.

Test Evidence

Full test script committed at tests/test_issue206_tui_auth.ps1 with 14 passing assertions across 4 categories (TUI auth, server auth, consistency, rapid fire bypass attempts).

Thanks again for the security audit. Static analysis is valuable but practical reproduction is essential to confirm real impact. The dead code observation is noted and I will look into cleaning it up.

[psmux]

Closing as not reproducible. The reported code path (app.rs) is dead code that is never executed. All TCP connections in both TUI and server modes are authenticated via handle_connection() in connection.rs. See the detailed reproduction analysis above.