
[maestro] Default hosted runner bind address to localhost#705

Merged
haasonsaas merged 3 commits into main from codex/propose-fix-for-unauthenticated-runner-vulnerability on Jun 1, 2026

Conversation

Contributor

@haasonsaas haasonsaas commented May 30, 2026

Motivation

  • Prevent accidental remote exposure of the Rust hosted-runner HTTP surface by changing the implicit default bind address to loopback after an unauthenticated RCE was discovered when the service was reachable on 0.0.0.0.

Description

  • Change the no-env hosted-runner default from 0.0.0.0 to 127.0.0.1.
  • Preserve wildcard binding for port-only deployments using PORT, MAESTRO_HOSTED_RUNNER_PORT, or port-only MAESTRO_HOSTED_RUNNER_LISTEN, so existing container ingress remains reachable unless operators opt into a host override.
  • Keep explicit host env/listen values authoritative.

Internal source PR: https://github.com/evalops/maestro-internal/pull/2417

Testing

  • cargo test hosted_runner_bind --lib
  • cargo test resolves_env_config_with_hosted_runner_contract_names --lib
  • cargo test preserves_wildcard_bind_for_port_only_hosted_runner_env --lib
  • cargo test explicit_host_env_overrides_port_only_wildcard_bind --lib

Classification: Not Kyverno.


Codex Task
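The bind-address resolution rules the PR body describes (loopback when no environment is set, wildcard preserved for port-only `PORT`, `MAESTRO_HOSTED_RUNNER_PORT` or port-only `MAESTRO_HOSTED_RUNNER_LISTEN`, explicit host values authoritative), written out as an added Rust example. This is not the project's own code; the real implementation lives in `packages/tui-rs/src/hosted_runner/config.rs`, which this page does not show. The host-override variable name `MAESTRO_HOSTED_RUNNER_HOST`, the default port `8080`, and the restriction to IP literals are assumptions made for the example; the page names none of them.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

/// Port used when nothing in the environment names one.
/// Assumed value for this example; the project's real default is not shown on the page.
const DEFAULT_PORT: u16 = 8080;

/// Hypothetical name for the explicit host override. The PR only says
/// "explicit host env ... values" without naming the variable.
const HOST_ENV: &str = "MAESTRO_HOSTED_RUNNER_HOST";

/// What a MAESTRO_HOSTED_RUNNER_LISTEN value turned out to contain.
enum Listen {
    Full(SocketAddr), // "host:port": authoritative as given
    PortOnly(u16),    // "8080" or ":8080": host still to be decided
}

fn parse_host(h: &str) -> Result<IpAddr, String> {
    h.parse::<IpAddr>()
        .map_err(|e| format!("invalid host {h:?}: {e}"))
}

/// Port-only values keep wildcard binding so container ingress keeps working;
/// an explicit host override wins over the wildcard.
fn host_or_wildcard(explicit: Option<&str>) -> Result<IpAddr, String> {
    match explicit {
        Some(h) => parse_host(h),
        None => Ok(IpAddr::V4(Ipv4Addr::UNSPECIFIED)),
    }
}

fn parse_listen(s: &str) -> Result<Listen, String> {
    // "9001" and ":9001" are port-only forms.
    let port_str = s.strip_prefix(':').unwrap_or(s);
    if let Ok(port) = port_str.parse::<u16>() {
        return Ok(Listen::PortOnly(port));
    }
    // Anything else must be a full IP:port literal (IPv6 in brackets also parses).
    s.parse::<SocketAddr>()
        .map(Listen::Full)
        .map_err(|e| format!("invalid listen {s:?}: {e}"))
}

/// Resolve the hosted runner's bind address from an environment snapshot.
/// Taking a map instead of reading std::env keeps the logic testable offline.
pub fn resolve_bind_addr(env: &HashMap<String, String>) -> Result<SocketAddr, String> {
    let get = |k: &str| env.get(k).map(|v| v.trim()).filter(|v| !v.is_empty());
    let explicit_host = get(HOST_ENV);

    // 1. A LISTEN value with a host is authoritative; a port-only one keeps wildcard.
    if let Some(listen) = get("MAESTRO_HOSTED_RUNNER_LISTEN") {
        return match parse_listen(listen)? {
            Listen::Full(addr) => Ok(addr),
            Listen::PortOnly(port) => Ok(SocketAddr::new(host_or_wildcard(explicit_host)?, port)),
        };
    }

    // 2. Port-only deployments (PORT / MAESTRO_HOSTED_RUNNER_PORT) stay on 0.0.0.0
    //    unless the operator opted into a host override.
    if let Some(port) = get("MAESTRO_HOSTED_RUNNER_PORT").or_else(|| get("PORT")) {
        let port: u16 = port.parse().map_err(|_| format!("invalid port {port:?}"))?;
        return Ok(SocketAddr::new(host_or_wildcard(explicit_host)?, port));
    }

    // 3. No bind-related environment at all: the new default is loopback, so an
    //    unconfigured runner is never reachable from other hosts by accident.
    let host = match explicit_host {
        Some(h) => parse_host(h)?,
        None => IpAddr::V4(Ipv4Addr::LOCALHOST),
    };
    Ok(SocketAddr::new(host, DEFAULT_PORT))
}

/// Build an environment snapshot from constructed key/value pairs.
pub fn env_from(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    // Constructed scenarios mirroring the four tests named in the PR body.
    let scenarios: Vec<(&str, HashMap<String, String>)> = vec![
        ("no env", env_from(&[])),
        ("PORT only", env_from(&[("PORT", "9000")])),
        ("port-only LISTEN", env_from(&[("MAESTRO_HOSTED_RUNNER_LISTEN", ":9001")])),
        ("host override", env_from(&[("PORT", "9000"), (HOST_ENV, "127.0.0.1")])),
        ("full LISTEN", env_from(&[("MAESTRO_HOSTED_RUNNER_LISTEN", "10.0.0.5:7000"), ("PORT", "1")])),
    ];
    for (name, env) in &scenarios {
        println!("{name:>18}: {:?}", resolve_bind_addr(env));
    }
}
```

The ordering matters for the regression the PR fixes: only the branch with no bind-related environment changes, so a container that already sets `PORT` still binds the wildcard and stays reachable through its ingress, while a runner started with nothing set no longer listens on every interface.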

Contributor

github-actions Bot commented May 30, 2026

This PR changes mirrored Maestro source files in the public repo, but it does not link the matching private source-of-truth PR.

Add one of these to the PR body, then re-run the check:

  • https://github.com/evalops/maestro-internal/pull/<number>
  • evalops/maestro-internal#<number>
  • maestro-internal#<number>

Mirrored files touched:

  • packages/tui-rs/src/hosted_runner/config.rs
  • packages/tui-rs/src/hosted_runner/tests.rs


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5cb20ef0e9


Comment thread packages/tui-rs/src/hosted_runner.rs Outdated
@haasonsaas haasonsaas enabled auto-merge (squash) June 1, 2026 06:52
@haasonsaas haasonsaas merged commit 06eb621 into main Jun 1, 2026
13 checks passed
@haasonsaas haasonsaas deleted the codex/propose-fix-for-unauthenticated-runner-vulnerability branch June 1, 2026 06:53