fix: harden path traversal, trust proxy, and image src allowlist

1. /api/opencode/models: validate workingDir with realpath + allowed-roots
   check, matching the existing guard in /api/sessions/create.

2. Express trust proxy: set app.set('trust proxy', true) when TRUST_PROXY
   is enabled so req.ip returns the real client IP for all rate limiters.

3. Markdown img renderer: restrict src to https: and data:image/ protocols
   to prevent tracking beacons and arbitrary protocol access from model output.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: alari76

server/session-routes.ts

@@ -53,8 +53,22 @@ export function createSessionRouter(
   router.get('/api/opencode/models', async (req, res) => {
     const token = extractToken(req)
     if (!verifyToken(token)) return res.status(401).json({ error: 'Unauthorized' })
-    const workingDir = (req.query.workingDir as string) || osHomedir()
-    const result = await fetchOpenCodeModels(workingDir)
+    const rawDir = (req.query.workingDir as string) || osHomedir()
+
+    // Bounds-check: workingDir must be under home or REPOS_ROOT (same as /api/sessions/create)
+    const home = osHomedir()
+    const allowedRoots = [home, REPOS_ROOT]
+    let resolvedDir: string
+    try {
+      resolvedDir = fsRealpathSync(pathResolve(rawDir))
+    } catch {
+      return res.status(400).json({ error: 'workingDir could not be resolved (path does not exist or is inaccessible)' })
+    }
+    if (!allowedRoots.some(root => resolvedDir === root || resolvedDir.startsWith(root + '/'))) {
+      return res.status(403).json({ error: 'workingDir is outside allowed directories' })
+    }
+
+    const result = await fetchOpenCodeModels(resolvedDir)
     res.json(result)
   })
 

server/ws-server.ts

@@ -195,6 +195,12 @@ const commitEventState: { handler: CommitEventHandler | undefined } = { handler:
 // ---------------------------------------------------------------------------
 const app = express()
 
+// Trust X-Forwarded-For headers when behind a reverse proxy so that
+// req.ip returns the real client IP for rate limiters and logging.
+if (TRUST_PROXY) {
+  app.set('trust proxy', true)
+}
+
 // In Docker / standalone mode (FRONTEND_DIST set), the server is reached directly without nginx.
 // nginx normally strips the /cc prefix before proxying; we replicate that here so the frontend
 // (which hardcodes BASE = '/cc') works against the Node server without modification.

src/components/ChatView.tsx

@@ -213,9 +213,12 @@ function AssistantMessage({ msg, fontSize, variant = 'default', repeatCount }: {
               return <a href={safeHref} target="_blank" rel="noopener noreferrer" {...props}>{children}</a>
             },
             img({ src, alt, ...props }) {
+              // Only allow https: and data: URIs to prevent tracking beacons and arbitrary protocol access
+              const safeSrc = src && /^(https:|data:image\/)/i.test(src) ? src : undefined
+              if (!safeSrc) return <span className="text-neutral-5">[image blocked: untrusted source]</span>
               return (
                 <img
-                  src={src}
+                  src={safeSrc}
                   alt={alt || 'Image'}
                   className="max-w-full max-h-96 rounded-lg border border-neutral-8 my-2"
                   loading="lazy"