Skip to content

ZERO_DAEMON_REMOTE_TOKEN_FILE leaks the daemon bearer token into sandboxed commands #677

Description

@PierrunoYT

Summary

PR #660 scrubs ZERO_DAEMON_REMOTE_TOKEN, but leaves ZERO_DAEMON_REMOTE_TOKEN_FILE in the inherited sandbox environment. The read-all sandbox posture lets the command read the referenced file.

Relevant code

  • internal/sandbox/runner.go: scrubSensitiveEnv includes ZERO_DAEMON_REMOTE_TOKEN but not ZERO_DAEMON_REMOTE_TOKEN_FILE.
  • internal/daemon/remote/auth.go: TokenFromEnv reads the bearer token from that path.

Observed at commit 6fc1220.

Reproduction

  1. Put a daemon bearer token in a file outside the workspace.
  2. Set ZERO_DAEMON_REMOTE_TOKEN_FILE to its absolute path.
  3. Launch a sandboxed command through Zero.
  4. The command can read the pointer and token file.

Suggested fix

Remove the pointer from the sandbox environment and add its resolved target to DenyRead, analogous to GOOGLE_APPLICATION_CREDENTIALS. Test both env scrubbing and filesystem denial.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions