fix(security): resolve all open code-scanning alerts (regex/path sanitizers, workflow perms, docker digest pins)#94
Merged
Conversation
…flow perms, docker pins) - auth_checks.py: re.escape() the wildcard pattern in is_model_allowed_by_pattern before building the match regex (py/regex-injection, BerriAI#1024). - content_filter.py: add a realpath/commonpath containment re-check on the resolved category_file_path immediately before use, as defense-in-depth alongside the existing category_name regex validation (py/path-injection, BerriAI#1025). - Dockerfile / docker/Dockerfile.database / docker/Dockerfile.non_root: pin the remaining ARG-variable FROM lines (uvbin, ui-builder, runtime) to their already-known-good literal image@sha256 digests, matching the pattern already used for the other stages in these files (PinnedDependencies BerriAI#1009, BerriAI#1010, BerriAI#1011, BerriAI#1012, BerriAI#1013, BerriAI#1014, BerriAI#1020). Verified with `docker build --check`. - .github/fork-patches.txt: track the above as fork patches to reapply after upstream syncs. Workflow TokenPermissions alerts (BerriAI#1021, BerriAI#1022, BerriAI#1023) and the ai-gateway Dockerfile pip install (BerriAI#1019) were reviewed and left as-is; see PR description for per-alert MUST-DISMISS reasoning.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses the 13 open code-scanning alerts on this fork:
contents: read, job-levelcontents: writeonly on jobs gated togithub.repository == 'rayward-external/litellm'that genuinely push a branch). No change needed; recorded as MUST-DISMISS.FROM $ARG_VARlines whose ARG default was already a literalimage@sha256:...digest (CodeQL doesn't resolve ARG-indirected FROM); fixed by inlining the already-correct digest, matching the pattern already used for the other stages in the same files. The 8th is apip install ".[proxy]"line (not aFROM), left as MUST-DISMISS (impractical to hash-pin a local source install).All digest pins were verified with
docker build --checkagainst the real registries (not fabricated) — see test plan.Per-alert table
litellm/proxy/auth/auth_checks.py:4290is_model_allowed_by_patternnow builds the match regex viare.escape(allowed_model_pattern).replace(re.escape("*"), ".*")instead of raw f-string interpolation. Verified"bedrock/*"still matches"bedrock/anthropic.claude-3-5-sonnet","*"still matches anything, and metacharacters in the pattern no longer alter regex semantics.litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/content_filter.py:448os.path.realpath+os.path.commonpathcontainment check on the resolvedcategory_file_pathimmediately beforeos.path.exists/load, logging a warning and skipping the category (not raising) if it escapescategories_dir. Defense-in-depth alongside the pre-existingcategory_nameregex validation..github/workflows/create_daily_oss_agent_shin_branch.yml:16create-oss-agent-shin-branchis gatedif: github.repository == 'rayward-external/litellm'and genuinely pushes the daily branch on this fork; top-level permissions are alreadycontents: read, this job-levelcontents: writeis the minimal scope required for its actual write operation..github/workflows/create_daily_staging_branch.yml:16create-staging-branchjob is fork-gated and pushes the daily staging branch; write is required..github/workflows/create_daily_staging_branch.yml:58create-internal-dev-branchjob is fork-gated and pushes the daily dev branch; write is required.Dockerfile:17ui-builderstageFROM --platform=$BUILDPLATFORM $UI_BUILD_IMAGE→ literalnode:20.18-alpine3.20@sha256:3488b...(the ARG's own already-correct default), matching the other 3 stages in this file.Dockerfile:34ui-builderstage, same fix as BerriAI#1009.docker/Dockerfile.database:12uvbinstageFROM $UV_IMAGE→ literalghcr.io/astral-sh/uv:0.11.7@sha256:240fb8....docker/Dockerfile.database:17ui-builderstage, same fix as BerriAI#1009.docker/Dockerfile.database:93runtimestageFROM $LITELLM_RUNTIME_IMAGE→ literalcgr.dev/chainguard/wolfi-base@sha256:c61ac69....docker/Dockerfile.non_root:11uvbinstage, same fix as BerriAI#1010.docker/Dockerfile.non_root:16ui-builderstage, same fix as BerriAI#1009.litellm-rust/crates/ai-gateway/Dockerfile:63RUN pip install --no-cache-dir ".[proxy]"installs this repo's own source tree (copied in viaCOPY litellm/ ./litellm/above), not a versioned PyPI release; impractical/meaningless to hash-pin.Test plan
python3 -m py_compile litellm/proxy/auth/auth_checks.py litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/content_filter.py— cleanpython3 -c "import yaml; ..."over both flagged workflow files — clean (no edits made, since both were already minimally-scoped)docker build --check -f Dockerfile .— 1 pre-existing unrelated warning (DuplicateStageNameon theui-builderstage, present before this PR), no errors; both new digests resolved against the real registriesdocker build --check -f docker/Dockerfile.database .— cleandocker build --check -f docker/Dockerfile.non_root .— cleanis_model_allowed_by_patternbehavior spot-check:"bedrock/*"still matches"bedrock/anthropic.claude-3-5-sonnet","*"still matches anything, unrelated model strings still rejected🤖 Generated with Claude Code