Skip to content

fix: remediate 9 security findings from external audit (OS-15 through OS-23)#744

Open
johntmyers wants to merge 10 commits intomainfrom
fix/security-audit-batch-1
Open

fix: remediate 9 security findings from external audit (OS-15 through OS-23)#744
johntmyers wants to merge 10 commits intomainfrom
fix/security-audit-batch-1

Conversation

@johntmyers
Copy link
Copy Markdown
Collaborator

@johntmyers johntmyers commented Apr 2, 2026

Summary

Addresses 9 findings from the external security audit, delivered as one commit per finding for clean bisect/revert:

  • OS-20: Restrict tar extraction in install.sh to expected binary (path traversal, CWE-22)
  • OS-23: Quote registry credentials in cluster-entrypoint.sh YAML heredocs (injection, CWE-94)
  • OS-18: Redact session tokens in SSH tunnel rate-limit logs (credential exposure, CWE-532)
  • OS-17: HTML-escape Host header in auth connect page (XSS, CWE-79)
  • OS-16: Validate confirmation code format, use serde_json for JS embedding, add CSP header (XSS, CWE-79)
  • OS-21: Add 32 MiB byte cap and 30s idle timeout to streaming inference relay (DoS, CWE-400)
  • OS-22: Narrow policy port field from u32 to u16, validate at API boundary (input validation)
  • OS-19: Replace archived serde_yaml with serde_yml (RUSTSEC-2024-0320, CWE-1104)
  • OS-15: Gateway re-validates security_notes, caps hit_count; TUI approve-all uses bulk RPC (confused deputy, CWE-284)

Related Issues

Closes OS-15, OS-16, OS-17, OS-18, OS-19, OS-20, OS-21, OS-22, OS-23

Changes

Commit Issue CWE Files
721f4bdc OS-20 CWE-22 install.sh
b8307dc7 OS-23 CWE-94 deploy/docker/cluster-entrypoint.sh
77541a11 OS-18 CWE-532 crates/openshell-server/src/ssh_tunnel.rs
21646778 OS-17 CWE-79 crates/openshell-server/src/auth.rs
3c0d7e8d OS-16 CWE-79 crates/openshell-server/src/auth.rs
1a961133 OS-21 CWE-400 crates/openshell-sandbox/src/proxy.rs
f95590f7 OS-22 crates/openshell-policy/src/lib.rs
71329fbd OS-19 CWE-1104 7 files (Cargo.toml + crate deps + import sites)
04825ee1 OS-15 CWE-284 crates/openshell-server/src/grpc.rs, crates/openshell-tui/src/lib.rs

Testing

  • cargo fmt --check — clean
  • cargo clippy — clean (pre-existing warnings only)
  • cargo test --workspace — all tests pass (new tests added for code validation and port rejection)
  • mise run pre-commit — all checks pass (only pre-existing license header issue on untracked local file)

Checklist

  • One commit per finding for clean bisect/revert
  • No secrets or credentials committed
  • Conventional commit messages
  • Tests added for new validation logic
  • Scoped to security audit remediation only

johntmyers added 10 commits April 2, 2026 15:28
@johntmyers
fix(install): restrict tar extraction to expected binary member
721f4bd 
Prevents CWE-22 path traversal by extracting only the expected APP_NAME
member instead of the full archive contents. Adds --no-same-owner and
--no-same-permissions for defense-in-depth.

OS-20
@johntmyers
fix(deploy): quote registry credentials in YAML heredocs
b8307dc 
Wraps username/password values with a yaml_quote helper to prevent YAML
injection from special characters in registry credentials (CWE-94).
Applied to all three heredoc blocks that emit registries.yaml auth.

OS-23
@johntmyers
fix(server): redact session token in SSH tunnel rate-limit log
77541a1 
Logs only the last 4 characters of bearer tokens to prevent credential
exposure in log aggregation systems (CWE-532).

OS-18
@johntmyers
fix(server): escape gateway_display in auth connect page
2164677 
Applies html_escape() to the Host/X-Forwarded-Host header value before
rendering it into the HTML template, preventing HTML injection (CWE-79).

OS-17
@johntmyers
fix(server): prevent XSS via code param with validation and proper JS…
3c0d7e8 
… escaping

Adds server-side validation rejecting confirmation codes that do not
match the CLI-generated format, replaces manual JS string escaping with
serde_json serialization (handling U+2028/U+2029 line terminators), and
adds a Content-Security-Policy header with nonce-based script-src.

OS-16
@johntmyers
fix(sandbox): add byte cap and idle timeout to streaming inference relay
1a96113 
Prevents resource exhaustion from upstream inference endpoints that stream
indefinitely or hold connections open. Adds a 32 MiB total body limit
and 30-second per-chunk idle timeout (CWE-400).

OS-21
@johntmyers
fix(policy): narrow port field from u32 to u16 to reject invalid values
f95590f 
Prevents meaningless port values >65535 from being accepted in policy
YAML definitions. The proto field remains uint32 (protobuf has no u16)
with validation at the conversion boundary.

OS-22
@johntmyers
fix(deps): migrate from archived serde_yaml to serde_yml
71329fb 
Replaces serde_yaml 0.9 (archived, RUSTSEC-2024-0320) with serde_yml
0.0.12, a maintained API-compatible fork. All import sites updated
across openshell-policy, openshell-sandbox, and openshell-router.

OS-19
@johntmyers
fix(server): re-validate sandbox-submitted security_notes and cap hit…
04825ee 
…_count

The gateway now re-runs security heuristics on proposed policy chunks
instead of trusting sandbox-provided security_notes, validates host
wildcards, caps hit_count at 100, and clamps confidence to [0,1]. The
TUI approve-all path is updated to use ApproveAllDraftChunks RPC which
respects the security_notes filtering gate (CWE-284, confused deputy).

OS-15
@johntmyers
chore: apply cargo fmt and update Cargo.lock for serde_yml
938a2b2
@johntmyers johntmyers requested a review from a team as a code owner April 2, 2026 23:02
@johntmyers johntmyers added the test:e2e Requires end-to-end coverage label Apr 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@drew drew drew approved these changes

Assignees

No one assigned

Labels

test:e2e Requires end-to-end coverage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@johntmyers @drew