fix(security): address HIGH findings from security audit#830
Merged
- Categorically deny privilege escalation commands (sudo, su, doas) in ShellCommandPolicy. Previously, prepending sudo to any denied command bypassed all deny patterns because matching operated on tokens[0].
- Move SecretOutputRedactor.Redact() to DispatchingToolExecutor so all tool outputs are redacted before reaching the LLM, not just shell and background job outputs.
- Gate raw OAuth token values in provider status endpoint to loopback connections only. Remote paired devices see boolean flags instead of raw access/refresh tokens.

Closes findings S4-20, S5-01, S7-5.5 from the 2026-04-29 audit.
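The tokens[0] bypass described in this commit, as an added C# example that is not the project's ShellCommandPolicy (the deny list, class and method names are assumptions): the first check compares only the first token against the deny list, so any denied verb passes when it sits behind sudo; the second refuses privilege-escalation verbs in first position outright, which is the categorical deny the commit introduces.

```csharp
// Added example, not the project's ShellCommandPolicy. Deny lists and names are
// assumptions; the tokenizer is a whitespace split with no quote handling.
using System;
using System.Collections.Generic;

public static class ShellDenyPolicyDemo
{
    // Constructed deny list of dangerous first-token verbs.
    static readonly HashSet<string> DeniedVerbs = new(StringComparer.Ordinal)
    {
        "rm", "dd", "mkfs", "shutdown", "reboot",
    };

    // Wrappers that re-run whatever follows them as another user.
    static readonly HashSet<string> PrivilegeEscalationVerbs = new(StringComparer.Ordinal)
    {
        "sudo", "su", "doas",
    };

    static string[] Tokenize(string command) =>
        command.Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);

    // BEFORE: only tokens[0] is compared against the deny list, so
    // "sudo rm -rf /" has tokens[0] == "sudo" and is allowed through.
    public static bool IsDeniedBefore(string command)
    {
        var tokens = Tokenize(command);
        return tokens.Length > 0 && DeniedVerbs.Contains(tokens[0]);
    }

    // AFTER: a privilege-escalation verb in first position is denied
    // categorically, whatever follows it; the old deny list still applies.
    public static bool IsDeniedAfter(string command)
    {
        var tokens = Tokenize(command);
        if (tokens.Length == 0) return false;
        if (PrivilegeEscalationVerbs.Contains(tokens[0])) return true;
        return DeniedVerbs.Contains(tokens[0]);
    }

    public static void Main()
    {
        // Constructed sample commands; the middle three are the bypass shape.
        string[] samples =
        {
            "rm -rf /tmp/build",
            "sudo rm -rf /",
            "doas -u root dd if=/dev/zero of=/dev/sda",
            "su -c 'shutdown -h now'",
            "ls -la",
        };
        foreach (var cmd in samples)
            Console.WriteLine($"{cmd,-45} before={IsDeniedBefore(cmd),-5} after={IsDeniedAfter(cmd)}");
    }
}
```

Running it shows "sudo rm -rf /", the doas line and the su line as before=False, after=True, while "rm -rf /tmp/build" is denied in both versions and "ls -la" in neither. The same first-token blind spot exists for any other wrapper that executes its arguments (env, nice, xargs, a shell invoked with -c), so a deny list that keys on the first token is only as good as its wrapper coverage; an allow-list of permitted verbs is the stronger shape.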
…t safe-list tools

User-facing subagents are now restricted to the SubAgentToolPolicy safe list (attach_file, file_read, web_fetch, web_search) at tool resolution time. Tools on the safe list are auto-granted in non-interactive contexts instead of being denied by the approval gate, fixing subagents that had zero usable tools.

Closes #831
4efd224 to 6d2be97
…crets

Add redaction patterns for AWS access keys (AKIA...), JWT tokens (eyJ..., three-segment), and ADO.NET connection string passwords (Password=/Pwd=). Expand JSON key name list to catch client_secret, signing_key, private_key, connection_string, and credential. Stop env regex at semicolons to avoid clobbering connection string structure. Reorganize tests into Theory/InlineData patterns for consistency.
…t for loopback gate

Add redaction patterns for AWS access keys (AKIA...), JWT tokens, and ADO.NET connection string passwords (Password=/Pwd=). Expand JSON key name list to catch client_secret, signing_key, credential, etc. Fix ProviderOAuthEndpointTests to set RemoteIpAddress on TestServer (defaults to null, not loopback). Add test verifying tokens are hidden for non-loopback requests.
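An added C# example covering the redaction patterns from this commit and the previous one, plus the single choke point the first commit moves redaction into. It is not the project's SecretOutputRedactor or DispatchingToolExecutor: the class names, the exact regexes, the key-name list and the sample output are assumptions or constructed for illustration. The env-style pattern stops at whitespace or a semicolon so the surrounding connection string keeps its structure, and the JSON pattern matches whole key names, which is why client_secret needs its own entry rather than relying on "secret".

```csharp
// Added example, not the project's code. Patterns and names are assumptions.
using System;
using System.Text.RegularExpressions;

public static class SecretRedactor
{
    const string Mask = "[REDACTED]";

    // AWS access key ID: "AKIA" followed by 16 uppercase alphanumerics.
    static readonly Regex AwsAccessKey =
        new(@"\bAKIA[0-9A-Z]{16}\b", RegexOptions.Compiled);

    // JWT: three base64url segments, header starting with "eyJ".
    static readonly Regex Jwt =
        new(@"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+", RegexOptions.Compiled);

    // ADO.NET connection-string password: Password=... or Pwd=... up to the next ';'.
    static readonly Regex ConnStringPassword =
        new(@"(?i)\b(Password|Pwd)\s*=\s*[^;\r\n]+", RegexOptions.Compiled);

    // JSON string values under sensitive key names (whole-key match).
    static readonly Regex JsonSecretValue = new(
        @"(?i)(""(?:api[_-]?key|secret|token|password|client_secret|signing_key|private_key|connection_string|credential)""\s*:\s*"")([^""]*)("")",
        RegexOptions.Compiled);

    // Env-style NAME=value: the value stops at whitespace OR ';' so that
    // "Server=x;Password=y;Encrypt=true" is not swallowed as one value.
    static readonly Regex EnvSecret = new(
        @"(?i)\b([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)=([^\s;]+)",
        RegexOptions.Compiled);

    public static string Redact(string output)
    {
        if (string.IsNullOrEmpty(output)) return output;
        var s = AwsAccessKey.Replace(output, Mask);
        s = Jwt.Replace(s, Mask);
        s = ConnStringPassword.Replace(s, "$1=" + Mask);
        s = JsonSecretValue.Replace(s, "$1" + Mask + "$3");
        s = EnvSecret.Replace(s, "$1=" + Mask);
        return s;
    }

    public static void Main()
    {
        // Constructed sample tool output; no real credentials.
        string sample = string.Join("\n", new[]
        {
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
            "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl",
            "ConnStr=Server=db;Database=app;User Id=svc;Password=s3cr3t!;Encrypt=true",
            "{\"client_secret\": \"abc123\", \"private_key\": \"-----BEGIN\", \"name\": \"ok\"}",
            "export DB_PASSWORD=hunter2; echo done",
        });
        Console.WriteLine(Redact(sample));
    }
}

// Minimal tool-executor seam (assumed shape, not the project's interface).
public interface IToolExecutor
{
    string Execute(string toolName, string arguments);
}

// Applied once where tools are dispatched, so file-read, web-fetch, MCP and any
// future tool are covered without each remembering to call Redact().
public sealed class RedactingToolExecutor : IToolExecutor
{
    private readonly IToolExecutor _inner;
    public RedactingToolExecutor(IToolExecutor inner) => _inner = inner;

    public string Execute(string toolName, string arguments) =>
        SecretRedactor.Redact(_inner.Execute(toolName, arguments));
}
```

On the sample, the AKIA key and the JWT become [REDACTED], the connection string keeps every other key/value pair with only Password=[REDACTED], the two sensitive JSON values are masked while "name" is untouched, and the export line becomes DB_PASSWORD=[REDACTED]; echo done. Order matters: the connection-string rule runs before the env rule, and a masked value is left unchanged when a later rule matches it again, so the replacement is idempotent.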
Summary
Addresses the 4 HIGH-severity findings from the 2026-04-29 security audit (OpenProse security-audit.proseworkflow).

- sudo/su/doas in ShellCommandPolicy — previously, prepending sudo to any denied command bypassed all deny patterns because verb-chain matching operated on tokens[0]. New PrivilegeEscalationDenyPattern blocks these as first-token verbs.
- SecretOutputRedactor.Redact() to DispatchingToolExecutor — previously only ShellTool and BackgroundJobExecutionActor applied redaction. Now all tool outputs (FileReadTool, WebFetchTool, McpToolAdapter, etc.) are redacted before reaching the LLM.
- /api/provider/oauth/status/{state} — remote paired devices now see null for accessToken/refreshToken instead of raw provider credentials. The CLI (always loopback) continues to receive tokens for provider setup.

Related: #829 (Roslyn analyzer for enforcing pipeline-level redaction)
Test plan
ShellCommandPolicyTests pass
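An added C# example of the loopback gate on the status endpoint and of the TestServer caveat noted in the commit messages above (RemoteIpAddress is null, not loopback, unless the test sets it). This is not the project's endpoint code: the DTO, class names and the token-store stand-in are assumptions, and it assumes a .NET 6+ web project (Microsoft.NET.Sdk.Web) so that WebApplication and Results are available.

```csharp
// Added example, not the project's provider status endpoint. Names are assumptions.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var app = WebApplication.CreateBuilder(args).Build();

app.MapGet("/api/provider/oauth/status/{state}", (string state, HttpContext ctx) =>
{
    // Constructed stand-in for whatever store holds the provider's tokens.
    string? access = "constructed-access-token";
    string? refresh = "constructed-refresh-token";

    return Results.Ok(OAuthStatusGate.Build(
        state, access, refresh, ctx.Connection.RemoteIpAddress));
});

app.Run();

// Response shape: the flags are always populated; the raw token fields are
// null unless the caller connected over loopback.
public sealed record ProviderOAuthStatus(
    string State,
    bool HasAccessToken,
    bool HasRefreshToken,
    string? AccessToken,
    string? RefreshToken);

public static class OAuthStatusGate
{
    // Fail closed: a null RemoteIpAddress (what TestServer reports by default)
    // is treated as remote. IPAddress.IsLoopback(null) would throw instead.
    public static bool IsLoopback(IPAddress? remote) =>
        remote is not null && IPAddress.IsLoopback(remote);

    public static ProviderOAuthStatus Build(
        string state, string? accessToken, string? refreshToken, IPAddress? remote)
    {
        bool local = IsLoopback(remote);
        return new ProviderOAuthStatus(
            State: state,
            HasAccessToken: !string.IsNullOrEmpty(accessToken),
            HasRefreshToken: !string.IsNullOrEmpty(refreshToken),
            AccessToken: local ? accessToken : null,
            RefreshToken: local ? refreshToken : null);
    }
}
```

Build(...) returns raw tokens for IPAddress.Loopback and IPAddress.IPv6Loopback and nulls them for IPAddress.Parse("10.0.0.5") and for null, so a test that forgets to set RemoteIpAddress sees the remote behaviour rather than a passing-by-accident local one. Two things to check in the real deployment: whether IPv4-mapped IPv6 loopback addresses (::ffff:127.0.0.1) reach this code on the target runtime and are classified as expected, and whether forwarded-header processing is enabled, because once RemoteIpAddress is rewritten from X-Forwarded-For the gate is only as trustworthy as the proxy list it accepts headers from.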