polymech/zeroclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): validate command before rate-limiting in cron once (#3699) (#3719)

Browse Source
This commit is contained in:
Argenis 2026-03-16 14:21:45 -04:00 committed by Roman Tataurov
parent 905cc75f2b
commit 1dddc8b2a2
No known key found for this signature in database
GPG Key ID: 70A51EF3185C334B
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/tools/schedule.rs
View File

@ -88,9 +88,6 @@ impl Tool for ScheduleTool {
self.handle_get(id)
}
"create" | "add" | "once" => {
if let Some(blocked) = self.enforce_mutation_allowed(action) {
return Ok(blocked);
}
let approved = args
.get("approved")
.and_then(serde_json::Value::as_bool)
@ -301,6 +298,12 @@ impl ScheduleTool {
}
}
// Enforce rate-limiting AFTER command/args validation so that invalid
// requests do not consume the action budget. (Fixes #3699)
if let Some(blocked) = self.enforce_mutation_allowed(action) {
return Ok(blocked);
}
// All job creation routes through validated cron helpers, which enforce
// the full security policy (allowlist + risk gate) before persistence.
if let Some(value) = expression {