perplexity/Timmy-time-dashboard
Archived
1
0
Fork 0
forked from Rockachopa/Timmy-time-dashboard
Code Issues Pull Requests 1 Activity

Merge pull request #23 from AlexanderWhitestone/security/macaroon-forgery-and-xss-1771955896

Browse Source
This commit is contained in:
Alexander Whitestone
2026-02-24 13:00:52 -05:00
committed by GitHub
parent 1e9e0748a9 4daf382819
commit 03ff505c4b
9 changed files with 2522 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/dashboard/templates/briefing.html
View File

@@ -22,7 +22,7 @@
<div class="card mc-panel briefing-summary mb-5">
<div class="card-header mc-panel-header">// TIMMY&rsquo;S REPORT</div>
<div class="card-body p-4">
<div class="briefing-prose">{{ briefing.summary }}</div>
<div class="briefing-prose">{{ briefing.summary | e }}</div>
</div>
</div>

8
src/dashboard/templates/marketplace.html
View File

@@ -20,13 +20,13 @@
<div class="agent-avatar">{{ agent.name[0] }}</div>
<div class="agent-info">
<div class="agent-name">
{{ agent.name }}
{{ agent.name | e }}
<span style="font-size: 0.75rem; font-weight: 400;
color: var(--text-muted); margin-left: 8px;">
{{ agent.role }}
{{ agent.role | e }}
</span>
</div>
<div class="agent-meta">{{ agent.description or 'No description' }}</div>
<div class="agent-meta">{{ (agent.description or 'No description') | e }}</div>
<div class="agent-meta" style="margin-top: 4px;">
<span class="badge badge-{{ 'success' if agent.status == 'idle'
else 'warning' if agent.status == 'busy'
@@ -36,7 +36,7 @@
</span>
{% if agent.capabilities %}
{% for cap in agent.capabilities.split(',') %}
<span class="badge badge-secondary" style="margin-left: 4px;">{{ cap.strip() }}</span>
<span class="badge badge-secondary" style="margin-left: 4px;">{{ cap.strip() | e }}</span>
{% endfor %}
{% endif %}
</div>

6
src/dashboard/templates/partials/approval_card_single.html
View File

@@ -1,10 +1,10 @@
<div class="approval-card {{ item.status }}" id="approval-{{ item.id }}">
<div class="d-flex justify-content-between align-items-start mb-1">
<div class="approval-card-title">{{ item.title }}</div>
<div class="approval-card-title">{{ item.title | e }}</div>
<span class="impact-badge impact-{{ item.impact }}">{{ item.impact }}</span>
</div>
<div class="approval-card-desc">{{ item.description }}</div>
<div class="approval-card-action">&#x25B6; {{ item.proposed_action }}</div>
<div class="approval-card-desc">{{ item.description | e }}</div>
<div class="approval-card-action">&#x25B6; {{ item.proposed_action | e }}</div>
{% if item.status == "pending" %}
<div class="approval-actions">

6
src/dashboard/templates/partials/chat_message.html
View File

@@ -1,15 +1,15 @@
<div class="chat-message user">
<div class="msg-meta">YOU // {{ timestamp }}</div>
<div class="msg-body">{{ user_message }}</div>
<div class="msg-body">{{ user_message | e }}</div>
</div>
{% if response %}
<div class="chat-message agent">
<div class="msg-meta">TIMMY // {{ timestamp }}</div>
<div class="msg-body">{{ response }}</div>
<div class="msg-body">{{ response | e }}</div>
</div>
{% elif error %}
<div class="chat-message error-msg">
<div class="msg-meta">SYSTEM // {{ timestamp }}</div>
<div class="msg-body">{{ error }}</div>
<div class="msg-body">{{ error | e }}</div>
</div>
{% endif %}

6
src/dashboard/templates/partials/history.html
View File

@@ -3,17 +3,17 @@
{% if msg.role == "user" %}
<div class="chat-message user">
<div class="msg-meta">YOU // {{ msg.timestamp }}</div>
<div class="msg-body">{{ msg.content }}</div>
<div class="msg-body">{{ msg.content | e }}</div>
</div>
{% elif msg.role == "agent" %}
<div class="chat-message agent">
<div class="msg-meta">TIMMY // {{ msg.timestamp }}</div>
<div class="msg-body">{{ msg.content }}</div>
<div class="msg-body">{{ msg.content | e }}</div>
</div>
{% else %}
<div class="chat-message error-msg">
<div class="msg-meta">SYSTEM // {{ msg.timestamp }}</div>
<div class="msg-body">{{ msg.content }}</div>
<div class="msg-body">{{ msg.content | e }}</div>
</div>
{% endif %}
{% endfor %}

38
src/timmy_serve/l402_proxy.py
View File

@@ -26,10 +26,14 @@ _MACAROON_SECRET_DEFAULT = "timmy-macaroon-secret"
_MACAROON_SECRET_RAW = os.environ.get("L402_MACAROON_SECRET", _MACAROON_SECRET_DEFAULT)
_MACAROON_SECRET = _MACAROON_SECRET_RAW.encode()
if _MACAROON_SECRET_RAW == _MACAROON_SECRET_DEFAULT:
_HMAC_SECRET_DEFAULT = "timmy-hmac-secret"
_HMAC_SECRET_RAW = os.environ.get("L402_HMAC_SECRET", _HMAC_SECRET_DEFAULT)
_HMAC_SECRET = _HMAC_SECRET_RAW.encode()
if _MACAROON_SECRET_RAW == _MACAROON_SECRET_DEFAULT or _HMAC_SECRET_RAW == _HMAC_SECRET_DEFAULT:
logger.warning(
"SEC: L402_MACAROON_SECRET is using the default value — set a unique "
"secret in .env before deploying to production."
"SEC: L402 secrets are using default values — set L402_MACAROON_SECRET "
"and L402_HMAC_SECRET in .env before deploying to production."
)
@@ -40,10 +44,11 @@ class Macaroon:
signature: str # HMAC signature
location: str = "timmy-time"
version: int = 1
hmac_secret: str = "" # Added for multi-key support
def serialize(self) -> str:
"""Encode the macaroon as a base64 string."""
raw = f"{self.version}:{self.location}:{self.identifier}:{self.signature}"
raw = f"{self.version}:{self.location}:{self.identifier}:{self.signature}:{self.hmac_secret}"
return base64.urlsafe_b64encode(raw.encode()).decode()
@classmethod
@@ -52,21 +57,32 @@ class Macaroon:
try:
raw = base64.urlsafe_b64decode(token.encode()).decode()
parts = raw.split(":")
if len(parts) != 4:
if len(parts) < 4:
return None
return cls(
version=int(parts[0]),
location=parts[1],
identifier=parts[2],
signature=parts[3],
hmac_secret=parts[4] if len(parts) > 4 else "",
)
except Exception:
return None
def _sign(identifier: str) -> str:
"""Create an HMAC signature for a macaroon identifier."""
return hmac.new(_MACAROON_SECRET, identifier.encode(), hashlib.sha256).hexdigest()
def _sign(identifier: str, hmac_secret: Optional[str] = None) -> str:
"""Create an HMAC signature for a macaroon identifier using two-key derivation.
The base macaroon secret is used to derive a key-specific secret from the
hmac_secret, which is then used to sign the identifier. This prevents
macaroon forgery if the hmac_secret is known but the base secret is not.
"""
key = hmac.new(
_MACAROON_SECRET,
(hmac_secret or _HMAC_SECRET_RAW).encode(),
hashlib.sha256
).digest()
return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()
def create_l402_challenge(amount_sats: int, memo: str = "API access") -> dict:
@@ -78,10 +94,12 @@ def create_l402_challenge(amount_sats: int, memo: str = "API access") -> dict:
- payment_hash: for tracking payment status
"""
invoice = payment_handler.create_invoice(amount_sats, memo)
signature = _sign(invoice.payment_hash)
hmac_secret = _HMAC_SECRET_RAW
signature = _sign(invoice.payment_hash, hmac_secret)
macaroon = Macaroon(
identifier=invoice.payment_hash,
signature=signature,
hmac_secret=hmac_secret,
)
logger.info("L402 challenge created: %d sats — %s", amount_sats, memo)
return {
@@ -104,7 +122,7 @@ def verify_l402_token(token: str, preimage: Optional[str] = None) -> bool:
return False
# Check HMAC signature
expected_sig = _sign(macaroon.identifier)
expected_sig = _sign(macaroon.identifier, macaroon.hmac_secret)
if not hmac.compare_digest(macaroon.signature, expected_sig):
logger.warning("L402: signature mismatch")
return False