security: harden sandbox — fix injection, env leak, cross-nav bypass #51

Merged: terraboops merged 1 commit into main from security/sandbox-hardening on Mar 30, 2026

Conversation

@terraboops (Owner)
Summary

  • CRITICAL: Cross-nav queries now inherit target navigator's sandbox config instead of running unsandboxed
  • CRITICAL: Fix shell injection via NONO_FLAGS — flags passed via temp file, not unquoted env var
  • HIGH: Filter environment variables to allowlist (strips plugin tokens, DB creds from subprocess)
  • HIGH: Config schema validates paths (rejects .., null bytes) and commands (denies bash, sudo, rm, python, etc.)
  • MEDIUM: Wrapper script uses random UUID filename + mode 0700 (TOCTOU fix)
  • MEDIUM: isSandboxEnabled() now warns on stderr before silent degradation
  • Docs: security-model.md fully rewritten for current architecture

Test plan

  • All 157 tests pass (121 core + 45 comm-layer, 0 regressions)
  • Build clean with no type errors
  • Schema validation verified: path traversal rejected, denied commands rejected, safe commands accepted
  • CI passes on ubuntu + macOS matrix
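The description above names three of the config-level controls (path validation rejecting `..` and null bytes, a command deny-list, and an environment allowlist for the subprocess) without showing them. The block below is an added illustration of those checks, not code from this repository: `SandboxConfig`, `validateSandboxConfig`, `validatePath`, `validateCommand`, `filterEnv`, `ENV_ALLOWLIST` and `DENIED_COMMANDS` are hypothetical names, and the deny-list holds only the four commands the PR mentions (the project's full list is not on the page).

```typescript
// Added example, not the project's own code. Names and lists are hypothetical.

interface SandboxConfig {
  allowedPaths: string[];
  allowedCommands: string[];
}

// Only the commands the PR text names; the real list is assumed to be longer.
const DENIED_COMMANDS: ReadonlySet<string> = new Set(['bash', 'sudo', 'rm', 'python']);

// Hypothetical allowlist: everything not listed here is dropped from the
// subprocess environment, which is how plugin tokens or DB credentials in
// process.env stay out of the sandboxed child.
const ENV_ALLOWLIST: readonly string[] = ['PATH', 'HOME', 'LANG', 'TERM', 'TMPDIR'];

// Returns null when the path is acceptable, otherwise a short reason.
function validatePath(p: string): string | null {
  if (p.length === 0) return 'empty path';
  if (p.includes('\0')) return 'null byte in path';
  // Check whole segments so a name like "..cache" is not rejected by accident.
  const segments = p.split(/[\\/]+/);
  if (segments.includes('..')) return 'path traversal segment';
  return null;
}

// Returns null when the command is acceptable, otherwise a short reason.
function validateCommand(cmd: string): string | null {
  if (cmd.length === 0 || cmd.includes('\0')) return 'invalid command string';
  // Compare on the basename so "/usr/bin/sudo" is treated like "sudo".
  const base = cmd.split('/').pop() ?? cmd;
  if (DENIED_COMMANDS.has(base)) return `denied command: ${base}`;
  return null;
}

// Collects every violation instead of stopping at the first, so a bad config
// can be reported in full.
function validateSandboxConfig(cfg: SandboxConfig): string[] {
  const errors: string[] = [];
  for (const p of cfg.allowedPaths) {
    const e = validatePath(p);
    if (e) errors.push(`path "${p}": ${e}`);
  }
  for (const c of cfg.allowedCommands) {
    const e = validateCommand(c);
    if (e) errors.push(`command "${c}": ${e}`);
  }
  return errors;
}

// Builds the child environment by copying allowlisted keys only.
function filterEnv(
  env: Record<string, string | undefined>,
  allow: readonly string[] = ENV_ALLOWLIST,
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const key of allow) {
    const value = env[key];
    if (value !== undefined) out[key] = value;
  }
  return out;
}
```

Validation runs at config-load time, before any subprocess is spawned; `filterEnv` is applied to `process.env` at spawn time so that a secret added to the parent's environment later is still withheld from the child.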

CRITICAL fixes:
- Cross-nav queries now inherit target navigator's sandbox config
  instead of running completely unsandboxed (cross-nav.ts, related-navs.ts)
- Shell injection via NONO_FLAGS fixed: flags now passed via temp file
  (one per line) read with `while read`, not unquoted env var expansion

HIGH fixes:
- Environment variable filtering: subprocess gets allowlisted vars only,
  not full process.env (strips plugin tokens, DB creds, etc.)
- Path validation: config schema rejects traversal (..), null bytes
- Command deny-list: bash, sudo, rm, python, etc. blocked in config schema
- Wrapper script uses random UUID filename + mode 0700 (TOCTOU fix)

MEDIUM fixes:
- isSandboxEnabled() now warns on stderr before silent degradation
- Shared buildSandboxConfigForOperation() eliminates duplicated logic

Docs: security-model.md fully rewritten to reflect 3-provider model,
nono wrapper architecture, env filtering, config validation, and
sandbox_query diagnostic tool.
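The commit message describes two process-level fixes: flags handed to the wrapper through a temp file read one per line with `while read` rather than an unquoted environment variable, and a wrapper script written under a random UUID name with mode 0700. The block below is an added example of that pattern and is not the project's wrapper; `writeFlagsFile`, `writeWrapperScript`, `makePrivateTempDir`, `fileMode`, `readFlagsBack`, the `NONO_FLAGS_FILE` variable and the `exec nono "$@"` line are assumptions about how such a wrapper could be wired, and the sample flags are constructed.

```typescript
// Added example, not the project's own code. Names are hypothetical.
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';
import { randomUUID } from 'node:crypto';

// Shell text for the wrapper. Each line of the flags file becomes exactly one
// argv element, so shell metacharacters inside a flag are never re-parsed.
const WRAPPER_BODY = `#!/bin/sh
set -eu
set --
while IFS= read -r flag; do
  set -- "$@" "$flag"
done < "$NONO_FLAGS_FILE"
exec nono "$@"
`;

// Private directory (mkdtemp creates it mode 0700) to hold both files.
function makePrivateTempDir(): string {
  return fs.mkdtempSync(path.join(os.tmpdir(), 'sandbox-'));
}

// Writes flags one per line. A flag containing a newline would be split into
// two arguments by the reader, and a NUL cannot appear in argv, so both are
// rejected rather than silently mangled.
function writeFlagsFile(dir: string, flags: string[]): string {
  for (const f of flags) {
    if (f.includes('\n') || f.includes('\0')) {
      throw new Error('flag contains newline or NUL');
    }
  }
  const file = path.join(dir, `nono-flags-${randomUUID()}`);
  // 'wx' fails if the path already exists, so a pre-placed file cannot be reused.
  fs.writeFileSync(file, flags.map((f) => f + '\n').join(''), { mode: 0o600, flag: 'wx' });
  return file;
}

// Unpredictable filename plus exclusive create plus mode 0700: there is no
// window in which another local user can guess the name and swap the script.
function writeWrapperScript(dir: string): string {
  const file = path.join(dir, `nono-wrapper-${randomUUID()}.sh`);
  fs.writeFileSync(file, WRAPPER_BODY, { mode: 0o700, flag: 'wx' });
  return file;
}

// Permission bits only, for checking what was actually created on disk.
function fileMode(file: string): number {
  return fs.statSync(file).mode & 0o777;
}

// Mirrors the wrapper's read loop in TypeScript: one non-empty line per flag.
function readFlagsBack(file: string): string[] {
  return fs.readFileSync(file, 'utf8').split('\n').filter((l) => l.length > 0);
}
```

When spawning, the caller sets `NONO_FLAGS_FILE` to the path returned by `writeFlagsFile` and executes the script returned by `writeWrapperScript`; both files live in the private directory and are removed once the child exits.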
terraboops merged commit fd90f7a into main on Mar 30, 2026
5 checks passed
terraboops deleted the security/sandbox-hardening branch on March 30, 2026 12:41