MCPcopy Index your code
hub / github.com/codeaashu/claude-code / setNonDumpable

Function setNonDumpable

src/upstreamproxy/upstreamproxy.ts:225–252  ·  view source on GitHub ↗

* prctl(PR_SET_DUMPABLE, 0) via libc FFI. Blocks same-UID ptrace of this * process, so a prompt-injected `gdb -p $PPID` can't scrape the token from * the heap. Linux-only; silently no-ops elsewhere.

()

Source from the content-addressed store, hash-verified

223 * the heap. Linux-only; silently no-ops elsewhere.
224 */
225function setNonDumpable(): void {
226 if (process.platform !== 'linux' || typeof Bun === 'undefined') return
227 try {
228 // eslint-disable-next-line @typescript-eslint/no-require-imports
229 const ffi = require('bun:ffi') as typeof import('bun:ffi')
230 const lib = ffi.dlopen('libc.so.6', {
231 prctl: {
232 args: ['int', 'u64', 'u64', 'u64', 'u64'],
233 returns: 'int',
234 },
235 } as const)
236 const PR_SET_DUMPABLE = 4
237 const rc = lib.symbols.prctl(PR_SET_DUMPABLE, 0n, 0n, 0n, 0n)
238 if (rc !== 0) {
239 logForDebugging(
240 '[upstreamproxy] prctl(PR_SET_DUMPABLE,0) returned nonzero',
241 {
242 level: 'warn',
243 },
244 )
245 }
246 } catch (err) {
247 logForDebugging(
248 `[upstreamproxy] prctl unavailable: ${err instanceof Error ? err.message : String(err)}`,
249 { level: 'warn' },
250 )
251 }
252}
253
254async function downloadCaBundle(
255 baseUrl: string,

Callers 1

initUpstreamProxyFunction · 0.85

Calls 1

logForDebuggingFunction · 0.85

Tested by

no test coverage detected