Summary
PR #660 scrubs ZERO_DAEMON_REMOTE_TOKEN, but leaves ZERO_DAEMON_REMOTE_TOKEN_FILE in the inherited sandbox environment. The read-all sandbox posture lets the command read the referenced file.
Relevant code
internal/sandbox/runner.go: scrubSensitiveEnv includes ZERO_DAEMON_REMOTE_TOKEN but not ZERO_DAEMON_REMOTE_TOKEN_FILE.
internal/daemon/remote/auth.go: TokenFromEnv reads the bearer token from that path.
Observed at commit 6fc1220.
Reproduction
- Put a daemon bearer token in a file outside the workspace.
- Set
ZERO_DAEMON_REMOTE_TOKEN_FILE to its absolute path.
- Launch a sandboxed command through Zero.
- The command can read the pointer and token file.
Suggested fix
Remove the pointer from the sandbox environment and add its resolved target to DenyRead, analogous to GOOGLE_APPLICATION_CREDENTIALS. Test both env scrubbing and filesystem denial.
Summary
PR #660 scrubs
ZERO_DAEMON_REMOTE_TOKEN, but leavesZERO_DAEMON_REMOTE_TOKEN_FILEin the inherited sandbox environment. The read-all sandbox posture lets the command read the referenced file.Relevant code
internal/sandbox/runner.go:scrubSensitiveEnvincludesZERO_DAEMON_REMOTE_TOKENbut notZERO_DAEMON_REMOTE_TOKEN_FILE.internal/daemon/remote/auth.go:TokenFromEnvreads the bearer token from that path.Observed at commit
6fc1220.Reproduction
ZERO_DAEMON_REMOTE_TOKEN_FILEto its absolute path.Suggested fix
Remove the pointer from the sandbox environment and add its resolved target to
DenyRead, analogous toGOOGLE_APPLICATION_CREDENTIALS. Test both env scrubbing and filesystem denial.