Security hardening: debug-RCE, auth, denial-of-wallet, sim deadline, XSS, path traversal, CSP#694
Open
yocyber-code wants to merge 4 commits into
Open
Security hardening: debug-RCE, auth, denial-of-wallet, sim deadline, XSS, path traversal, CSP#694yocyber-code wants to merge 4 commits into
yocyber-code wants to merge 4 commits into
Conversation
Closes the four CRITICAL findings from the 2026-06-13 review.
C1 — Werkzeug debug RCE / dev server in prod:
- FLASK_DEBUG defaults False (kills interactive-debugger network RCE)
- production runs gunicorn (-w 1 --threads 8) via `npm run start`; Dockerfile
builds the frontend and serves it with `vite preview` (host 0.0.0.0); gunicorn
+ uv.lock updated
- Config.validate() now runs inside create_app() so the gunicorn path enforces
SECRET_KEY (prod) / API_KEY / LLM / ZEP at boot
C2 — zero auth on all /api/* routes:
- before_request API-key guard (X-API-Key / Bearer), constant-time bytes compare,
/health + OPTIONS exempt
- AUTH_ENABLED fail-closed parse (only explicit false/0/no/off disables)
- frontend axios injects X-API-Key from build-time VITE_API_KEY, wired through
docker compose build-arg -> Dockerfile ARG -> vite build (+ frontend/.env.example)
C3 — denial-of-wallet (no cost ceiling; OASIS_DEFAULT_MAX_ROUNDS was dead config):
- OASIS_DEFAULT_MAX_ROUNDS now applied when max_rounds omitted (default 150, covers
the 144-round demo); hard ceilings OASIS_MAX_ROUNDS_CAP / OASIS_MAX_AGENTS_CAP;
runner always forwards the clamped rounds to the subprocess
C4 — no simulation deadline; env.step could wedge forever:
- every env.step (initial / round-loop / interview) wrapped in asyncio.wait_for
(OASIS_ROUND_TIMEOUT_SEC) across all 3 run scripts; per-loop total-deadline
(OASIS_RUN_TIMEOUT_SEC); gather(return_exceptions=True) + single-platform
try/except so one platform's failure can't skip env.close
New env vars documented in .env.example + README security section.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…leak) H1 — stored XSS via v-html / innerHTML of unsanitized LLM/agent/interview/report content: add DOMPurify; both renderMarkdown() now return DOMPurify.sanitize(html) (Step4Report.vue, Step5Interaction.vue), and the formatAnswer innerHTML sink is wrapped in DOMPurify.sanitize. All 8 HTML-injection sinks now sanitized; markdown rendering preserved (DOMPurify secure defaults keep the md-* tags/classes). H4 — wildcard CORS: CORS origins now Config.ALLOWED_ORIGINS (comma-separated env, default localhost:3000) instead of '*'. H5 — request bodies written to disk in cleartext: logger file level now follows FLASK_DEBUG (INFO in prod), so the before_request body-debug log is suppressed in production. (traceback-in-response across 53 handlers deferred to a separate refactor.) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…, CSP)
H5 (traceback leak, completing the prior log-level fix): new app/utils/security.py
safe_traceback() logs the full stack server-side and returns it to clients only when
FLASK_DEBUG; all 53 traceback.format_exc() in api/{graph,report,simulation}.py now call
it (import traceback removed).
Upload content sniff: upload_content_ok() magic-byte check — pdf must start %PDF-,
txt/md/markdown rejected if they contain NUL bytes (BOM-prefixed UTF-16/32/8 text
allowed). Wired into the graph.py upload loop so a renamed binary can't pass the
extension whitelist.
Path validation: validate_id() (^[A-Za-z0-9_-]{1,64}$) blocks traversal before every
id->filesystem sink — ProjectManager._get_project_dir, SimulationManager._get_simulation_dir,
ReportManager._get_report_folder + the two Report*Logger __init__, and a new
SimulationRunner._run_dir() that all RUN_STATE_DIR joins route through.
CSP / security headers: CSP <meta> in index.html, vite preview.headers
(X-Frame-Options/nosniff/Referrer-Policy + CSP frame-ancestors), and a Flask
after_request that sets the same headers on API responses.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Follow-up to the traceback gate: client-facing exception detail is now gated too.
- safe_error(e) (app/utils/security.py): returns the exception string only when
FLASK_DEBUG, otherwise a generic message. Full detail stays in server logs.
- All catch-all `except Exception` handlers in api/{graph,report,simulation}.py now
return safe_error(e) instead of str(e); same for the persisted error fields
(project.error / state.error / task fail messages). Typed `except ValueError`
validation handlers (404/400) keep str(e) — those are intentional, actionable
user messages that echo only user-supplied ids.
- graph_builder no longer puts a full traceback into the task error (logs it
server-side with exc_info, surfaces safe_error to the client); the batch-failure
progress message is gated too.
- README documents the CSP connect-src ↔ VITE_API_BASE_URL coupling.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens the backend + frontend against a set of issues found in a security review. Each fix is independently verified and the project still builds (
npm run build+py_compileclean). Changes are backward-compatible via env gates; new variables are documented in.env.example/frontend/.env.example/ README.Critical
FLASK_DEBUGnow defaults tofalse; production runs under gunicorn (npm run start), frontend is served from a staticvite build.Config.validate()runs insidecreate_app()so the gunicorn path also enforces required config at boot./api/*route now requires an API key (X-API-Key/Authorization: Bearer), constant-time compare,AUTH_ENABLEDfail-closed. The bundled UI sends the key from a build-timeVITE_API_KEY(wired through the Docker build-arg)./health+ CORS preflight exempt.OASIS_DEFAULT_MAX_ROUNDSis now actually applied when the client omitsmax_rounds, plus hard ceilingsOASIS_MAX_ROUNDS_CAP/OASIS_MAX_AGENTS_CAP, enforced end-to-end (runner forwards the clamped value to the subprocess).env.step(initial / round loop / interview, all 3 run scripts) is wrapped inasyncio.wait_forwith a per-round timeout, plus a total wall-clock deadline;asyncio.gather(return_exceptions=True)+ per-platform isolation so one platform's failure can't skipenv.close().High / Medium
v-html/innerHTMLis now run throughDOMPurify.sanitize(all sinks).ALLOWED_ORIGINS(env) instead of*.FLASK_DEBUG); tracebacks are returned to clients only in debug, otherwise logged server-side (safe_traceback()).validate_id()guards every id→filesystem boundary (project / simulation / report dir-builders, runner run-state dir, report loggers) beforejoin/makedirs/rmtree.<meta>+vite previewheaders (X-Frame-Options,X-Content-Type-Options,Referrer-Policy,frame-ancestors) + a Flaskafter_requestthat sets the same on API responses.Notes
SECRET_KEY,API_KEY/AUTH_ENABLED,ALLOWED_ORIGINS,OASIS_*_CAP/OASIS_*_TIMEOUT_SEC,VITE_API_KEY.-w 1 --threads N); simulation run-state is held in-process.VITE_API_KEYbaked into the client bundle is extractable by design — fine for single-host / internal / gateway-fronted deployments; for multi-tenant exposure replace with session auth.🤖 Generated with Claude Code