security: fix workspace sandbox bypass, env race condition, and unsafe SAFETY docs #1244
Open
BunnyMoth wants to merge 2 commits into
- tool_media_describe/transcribe now route through workspace sandbox
- API keys moved from process env to RwLock<HashMap> in AppState
- Add SAFETY comment to libc::kill in kernel.rs
Summary
Three security fixes identified during a code-level audit of the codebase.
Changes
HIGH: Workspace sandbox bypass in media tools
`tool_media_describe` and `tool_media_transcribe` bypassed the workspace sandbox entirely, allowing agents to read arbitrary host files regardless of the configured workspace root. Both now use `resolve_file_path` the same way all other file tools do, with `workspace_root` threaded in from `execute_tool`.
HIGH: std::env::set_var/remove_var in async Axum handlers
Six call sites in `routes.rs` used the process environment as a live config store from multi-threaded request handlers — undefined behaviour under concurrent requests and a hard compile error on Rust 1.81+. Replaced with `RwLock<HashMap<String, String>>` in `AppState`, pre-populated from `resolve_credential` at startup. New method `detect_auth_with_keys` added to `model_catalog.rs`.
LOW: Missing SAFETY comment on unsafe libc::kill
Documented the three invariants: PID origin, Mutex guard held, and ESRCH no-op case.
Testing
- `cargo fmt --all --check` — clean
- `cargo clippy --workspace --all-targets -- -D warnings` — zero warnings
- `cargo test --workspace` — 2,074 tests, 0 failures
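The workspace-confinement check that the media tools were skipping, as an added example written for this page rather than the project's own `resolve_file_path`: the signature and the `workspace_root` parameter follow the PR description, but the implementation (lexical normalisation first, then a canonical re-check for paths that exist, so symlinks cannot point out of the root) is an assumption about how such a check is typically done.

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically confine `requested` to `root` (caller passes a canonical root).
/// No filesystem access, so paths that do not exist yet are still checked:
/// `..` is applied by popping components, and anything that ends up outside
/// the root (including absolute paths) is rejected.
pub fn confine_lexically(root: &Path, requested: &str) -> Result<PathBuf, String> {
    let req = Path::new(requested);
    let mut out = if req.is_absolute() { PathBuf::new() } else { root.to_path_buf() };
    for c in req.components() {
        match c {
            Component::CurDir => {}
            Component::ParentDir => { out.pop(); }
            other => out.push(other.as_os_str()),
        }
    }
    if out.starts_with(root) {
        Ok(out)
    } else {
        Err(format!("{requested:?} escapes workspace {}", root.display()))
    }
}

/// What every file tool should call: lexical check, then a canonical
/// (symlink-following) check for anything that already exists on disk.
pub fn resolve_file_path(workspace_root: &Path, requested: &str) -> Result<PathBuf, String> {
    let root = workspace_root
        .canonicalize()
        .map_err(|e| format!("workspace root unusable: {e}"))?;
    let lexical = confine_lexically(&root, requested)?;
    if !lexical.exists() {
        return Ok(lexical); // nothing to follow yet; the lexical check suffices
    }
    let real = lexical.canonicalize().map_err(|e| e.to_string())?;
    if real.starts_with(&root) {
        Ok(real)
    } else {
        Err(format!("{requested:?} resolves through a symlink outside the workspace"))
    }
}

fn main() {
    let root = std::env::current_dir().expect("cwd");
    for p in ["README.md", "src/../Cargo.toml", "../../etc/passwd", "/etc/passwd"] {
        println!("{p:>20} -> {:?}", resolve_file_path(&root, p));
    }
}
```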