fix(sync): address code review findings

StackMemory Bot (CLI) · StackMemory Bot (CLI) · commit 79cd25e1cb2b · 2026-05-04T12:12:41.000-04:00
- C2: Whitelist valid columns per table in upsertRow to prevent SQL
  injection from remote data keys
- C4: Restrict CORS to known origins instead of wildcard
- W1: Add conflict target column to ON CONFLICT clause
- W3: Register cloud sync tools in getAvailableTools()
- W5: Validate sync table names in MCP handler
- W6: Merge duplicate os imports
- W8: Use actual pushed_at for pull cursor instead of approximate time
diff --git a/packages/provenant-api/src/index.js b/packages/provenant-api/src/index.js
@@ -29,7 +29,7 @@ export default {
     if (request.method === 'OPTIONS') {
       return new Response(null, {
         status: 204,
-        headers: corsHeaders(),
+        headers: corsHeaders(request),
       });
     }
 
@@ -152,7 +152,7 @@ async function handlePull(request, sql, projectId, clientId) {
   let rows;
   if (tables && tables.length > 0) {
     rows = await sql`
-      SELECT id, table_name, version, tier, data
+      SELECT id, table_name, version, tier, data, pushed_at
       FROM sync_entities
       WHERE project_id = ${projectId}
         AND pushed_at > ${since}::timestamptz
@@ -163,7 +163,7 @@ async function handlePull(request, sql, projectId, clientId) {
     `;
   } else {
     rows = await sql`
-      SELECT id, table_name, version, tier, data
+      SELECT id, table_name, version, tier, data, pushed_at
       FROM sync_entities
       WHERE project_id = ${projectId}
         AND pushed_at > ${since}::timestamptz
@@ -182,11 +182,12 @@ async function handlePull(request, sql, projectId, clientId) {
     data: typeof r.data === 'string' ? JSON.parse(r.data) : r.data,
   }));
 
-  // Server cursor = pushed_at of last returned entity, or `since` if empty
-  const serverCursor =
-    entities.length > 0
-      ? new Date().toISOString() // approximate — good enough for alpha
-      : since;
+  // Server cursor = pushed_at of last returned row (not approximate)
+  const lastRow =
+    rows.length > 0 ? rows[Math.min(rows.length, limit) - 1] : null;
+  const serverCursor = lastRow?.pushed_at
+    ? new Date(lastRow.pushed_at).toISOString()
+    : since;
 
   // Update pull cursor
   await sql`
@@ -227,19 +228,27 @@ async function handleStatus(sql, projectId, clientId) {
 
 // --- Helpers ---
 
-function json(data, status = 200) {
+function json(data, status = 200, request = null) {
   return new Response(JSON.stringify(data), {
     status,
     headers: {
       'Content-Type': 'application/json',
-      ...corsHeaders(),
+      ...corsHeaders(request),
     },
   });
 }
 
-function corsHeaders() {
+const ALLOWED_ORIGINS = [
+  'https://app.stackmemory.ai',
+  'https://stackmemory.ai',
+  'http://localhost:3456',
+];
+
+function corsHeaders(request) {
+  const origin = request?.headers?.get('Origin');
   return {
-    'Access-Control-Allow-Origin': '*',
+    'Access-Control-Allow-Origin':
+      origin && ALLOWED_ORIGINS.includes(origin) ? origin : ALLOWED_ORIGINS[0],
     'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
     'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Client-Id',
   };
diff --git a/src/cli/commands/sync.ts b/src/cli/commands/sync.ts
@@ -5,8 +5,7 @@
 
 import { Command } from 'commander';
 import chalk from 'chalk';
-import { homedir } from 'os';
-import { hostname } from 'os';
+import { homedir, hostname } from 'os';
 import { join } from 'path';
 import { existsSync, readFileSync } from 'fs';
 import { createHash } from 'crypto';
diff --git a/src/core/storage/cloud-sync.ts b/src/core/storage/cloud-sync.ts
@@ -72,6 +72,91 @@ const PK_COLUMN: Record<SyncTable, string> = {
   entity_states: 'id',
 };
 
+// Valid columns per table — whitelist for SQL injection prevention on pull/upsert
+const VALID_COLUMNS: Record<SyncTable, Set<string>> = {
+  frames: new Set([
+    'frame_id',
+    'run_id',
+    'project_id',
+    'parent_frame_id',
+    'depth',
+    'type',
+    'name',
+    'state',
+    'inputs',
+    'outputs',
+    'digest_text',
+    'digest_json',
+    'created_at',
+    'closed_at',
+    'retention_policy',
+    'importance_score',
+    'prov_source',
+    'prov_derivation',
+    'prov_confidence',
+    'prov_superseded_by',
+    'prov_program_version',
+    'access_count',
+    'last_accessed',
+  ]),
+  events: new Set([
+    'event_id',
+    'frame_id',
+    'run_id',
+    'seq',
+    'event_type',
+    'payload',
+    'ts',
+  ]),
+  anchors: new Set([
+    'anchor_id',
+    'frame_id',
+    'project_id',
+    'type',
+    'text',
+    'priority',
+    'created_at',
+    'metadata',
+    'prov_source',
+    'prov_confidence',
+    'prov_superseded_by',
+  ]),
+  trace_events: new Set([
+    'id',
+    'timestamp',
+    'session_id',
+    'trace_id',
+    'parent_trace_id',
+    'tenant_id',
+    'actor_host',
+    'actor_agent',
+    'actor_user',
+    'operation',
+    'inputs',
+    'outputs',
+    'tokens_in',
+    'tokens_out',
+    'cost_usd',
+    'duration_ms',
+    'score',
+    'feedback',
+    'provenance',
+    'error',
+    'tags',
+  ]),
+  entity_states: new Set([
+    'id',
+    'project_id',
+    'entity_name',
+    'relation',
+    'value',
+    'context',
+    'source_frame_id',
+    'valid_from',
+    'superseded_at',
+  ]),
+};
+
 export class CloudSyncEngine {
   private db: Database.Database;
   private config: CloudSyncConfig;
@@ -458,19 +543,28 @@ export class CloudSyncEngine {
   private upsertRow(
     table: SyncTable,
     data: Record<string, unknown>,
-    _pk: string
+    pk: string
   ): void {
-    const keys = Object.keys(data);
+    // Whitelist columns to prevent SQL injection from remote data keys
+    const valid = VALID_COLUMNS[table];
+    const safeEntries = Object.entries(data).filter(([k]) => valid.has(k));
+    if (safeEntries.length === 0) return;
+
+    const keys = safeEntries.map(([k]) => k);
+    const values = safeEntries.map(([, v]) => v);
     const placeholders = keys.map(() => '?').join(', ');
     const columns = keys.join(', ');
-    const updates = keys.map((k) => `${k} = excluded.${k}`).join(', ');
+    const updates = keys
+      .filter((k) => k !== pk)
+      .map((k) => `${k} = excluded.${k}`)
+      .join(', ');
 
     this.db
       .prepare(
         `INSERT INTO ${table} (${columns}) VALUES (${placeholders})
-         ON CONFLICT DO UPDATE SET ${updates}`
+         ON CONFLICT(${pk}) DO UPDATE SET ${updates}`
       )
-      .run(...keys.map((k) => data[k]));
+      .run(...values);
   }
 
   // --- Internal: Sync state management ---
diff --git a/src/integrations/mcp/handlers/cloud-sync-handlers.ts b/src/integrations/mcp/handlers/cloud-sync-handlers.ts
@@ -6,6 +6,14 @@
 import type { CloudSyncManager } from '../../../core/storage/cloud-sync-manager.js';
 import type { SyncTable } from '../../../core/storage/cloud-sync-types.js';
 
+const VALID_SYNC_TABLES = new Set<string>([
+  'frames',
+  'events',
+  'anchors',
+  'trace_events',
+  'entity_states',
+]);
+
 export interface CloudSyncHandlerDependencies {
   syncManager: CloudSyncManager | null;
 }
@@ -56,7 +64,9 @@ export class CloudSyncHandlers {
     tables?: string[];
   }): Promise<{ content: Array<{ type: string; text: string }> }> {
     const manager = this.ensureManager();
-    const tables = args.tables as SyncTable[] | undefined;
+    const tables = args.tables?.filter((t) => VALID_SYNC_TABLES.has(t)) as
+      | SyncTable[]
+      | undefined;
     const result = await manager.performPull('manual', tables);
 
     return {
diff --git a/src/integrations/mcp/handlers/index.ts b/src/integrations/mcp/handlers/index.ts
@@ -307,6 +307,11 @@ export class MCPHandlerFactory {
       'sm_cross_discover',
       'sm_cross_register',
       'sm_cross_list',
+
+      // Cloud sync tools
+      'cloud_sync_push',
+      'cloud_sync_pull',
+      'cloud_sync_status',
     ];
   }
 
