
Harden gateway: insecure-mode guard, cross-sandbox credential theft fix#5

Merged
persimmon16 merged 3 commits into feat/apple-container from security/gateway-auth
Apr 1, 2026

Conversation

@persimmon16 (Owner)

Summary

  • F07: --disable-tls now requires OPENSHELL_ALLOW_INSECURE=1 environment variable to prevent accidental plaintext operation
  • F03: GetSandboxProviderEnvironment RPC verifies that the caller's x-sandbox-id header matches the requested sandbox, preventing cross-sandbox credential theft

Test plan

  • cargo build --release -p openshell-server succeeds
  • Server with --disable-tls exits with error unless OPENSHELL_ALLOW_INSECURE=1 is set
  • Sandbox A cannot retrieve Sandbox B's provider credentials

The previous check silently skipped authorization when the header
was absent, allowing any caller to read any sandbox's credentials.
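The two guards the summary describes, written out as an added Rust example (not the project's code). The `Request` type below is a hypothetical stand-in with the same shape as a gRPC request (borrowed metadata, `into_inner` consuming the request), the `x-sandbox-id` header and `OPENSHELL_ALLOW_INSECURE` are taken from the PR text, and the credential string returned is a constructed placeholder. The pre-fix "skip when the header is absent" behaviour is kept alongside the hardened check only for contrast, and the handler shows the borrow ordering that the follow-up commit had to fix: copy the header out before `into_inner()` moves the request.

```rust
use std::collections::HashMap;

/// Hypothetical stand-in for a gRPC request: metadata is borrowed,
/// `into_inner` consumes the request and yields the message body.
pub struct Request<T> {
    metadata: HashMap<String, String>,
    inner: T,
}

impl<T> Request<T> {
    pub fn new(inner: T, headers: &[(&str, &str)]) -> Self {
        let metadata = headers
            .iter()
            .map(|(k, v)| (k.to_string(), v.to_string()))
            .collect();
        Request { metadata, inner }
    }
    pub fn metadata(&self) -> &HashMap<String, String> { &self.metadata }
    pub fn into_inner(self) -> T { self.inner }
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    /// No x-sandbox-id header: the caller's identity is unknown.
    Unauthenticated,
    /// Caller asked for a sandbox other than its own.
    PermissionDenied,
}

/// Hardened F03 check: a missing header is a failure, never a bypass.
pub fn authorize_sandbox_access(caller: Option<&str>, requested: &str) -> Result<(), AuthError> {
    let caller = caller.ok_or(AuthError::Unauthenticated)?;
    if caller != requested {
        return Err(AuthError::PermissionDenied);
    }
    Ok(())
}

/// Pre-fix behaviour, kept only to show the defect: no header => allowed.
pub fn authorize_sandbox_access_vulnerable(caller: Option<&str>, requested: &str) -> bool {
    match caller {
        Some(c) => c == requested,
        None => true, // the silent skip that let any caller read any sandbox
    }
}

pub struct GetProviderEnvRequest {
    pub sandbox_id: String,
}

/// Handler shape for GetSandboxProviderEnvironment. The header is cloned out
/// of the borrowed metadata first; calling `into_inner()` while `.ok_or_else()`
/// still borrows `request` is the borrow-checker error the follow-up commit fixed.
pub fn get_sandbox_provider_environment(
    request: Request<GetProviderEnvRequest>,
) -> Result<String, AuthError> {
    let caller: Option<String> = request.metadata().get("x-sandbox-id").cloned();
    let body = request.into_inner();
    authorize_sandbox_access(caller.as_deref(), &body.sandbox_id)?;
    // Constructed placeholder: a real server would return provider credentials here.
    Ok(format!("credentials-for-{}", body.sandbox_id))
}

/// F07 guard: --disable-tls is only honoured when OPENSHELL_ALLOW_INSECURE=1.
pub fn check_insecure_mode(disable_tls: bool, allow_insecure_env: Option<&str>) -> Result<(), String> {
    if disable_tls && allow_insecure_env != Some("1") {
        return Err("--disable-tls requires OPENSHELL_ALLOW_INSECURE=1".to_string());
    }
    Ok(())
}

fn main() {
    // Sandbox A asking for sandbox B's credentials is refused.
    let req = Request::new(
        GetProviderEnvRequest { sandbox_id: "sandbox-b".into() },
        &[("x-sandbox-id", "sandbox-a")],
    );
    println!("{:?}", get_sandbox_provider_environment(req));
    let env = std::env::var("OPENSHELL_ALLOW_INSECURE").ok();
    println!("{:?}", check_insecure_mode(true, env.as_deref()));
}
```

The order of the two error cases matters for detection: a missing header is an `Unauthenticated` event (a client that never identified itself), while a mismatch is `PermissionDenied` (an identified sandbox reaching across), and logging them separately makes a cross-sandbox attempt visible instead of blending into generic auth noise.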
persimmon16 merged commit 447c6d5 into feat/apple-container Apr 1, 2026
4 of 10 checks passed
persimmon16 added a commit that referenced this pull request Apr 1, 2026
… leak

Three bugs from the initial SSH host-key PR (#4):

1. known_hosts wrote [sandbox]:2222 but SSH connects to "sandbox" at
   default port 22 — entry never matched, defeating StrictHostKeyChecking.
   Fixed to use bare "sandbox" hostname.

2. tempfile crate was only in [dev-dependencies] for openshell-cli,
   breaking release builds. Moved to [dependencies].

3. TempDir::into_path() disabled automatic cleanup, leaking temp
   directories. Changed to return the TempDir guard so callers keep it
   alive until SSH exits, then cleanup runs on drop.

Also fixes borrow-checker error in grpc.rs auth check (PR #5) where
.ok_or_else() borrowed request while into_inner() tried to move it.
persimmon16 added a commit that referenced this pull request Apr 1, 2026
* Fix SSH host key verification: hostname format, tempfile dep, TempDir leak

Three bugs from the initial SSH host-key PR (#4):

1. known_hosts wrote [sandbox]:2222 but SSH connects to "sandbox" at
   default port 22 — entry never matched, defeating StrictHostKeyChecking.
   Fixed to use bare "sandbox" hostname.

2. tempfile crate was only in [dev-dependencies] for openshell-cli,
   breaking release builds. Moved to [dependencies].

3. TempDir::into_path() disabled automatic cleanup, leaking temp
   directories. Changed to return the TempDir guard so callers keep it
   alive until SSH exits, then cleanup runs on drop.

Also fixes borrow-checker error in grpc.rs auth check (PR #5) where
.ok_or_else() borrowed request while into_inner() tried to move it.

* Install Apple Container in macOS e2e workflow

The macos-15 runner doesn't ship with Apple Container pre-installed.
Download the signed .pkg installer from the GitHub release and install
it before running container system info.