Security hardening (round-5): proxy loopback, wallet-key guard, bash-guard, SSRF, untrusted web (3.29.9)#92
Merged
…bash-guard, SSRF, untrusted web (3.29.9)

A fifth review round (non-money angle: correctness/security/data-integrity) surfaced 13 adversarially-verified issues; 4 are HIGH security holes around the wallet. All fixed.

Security (HIGH):
- proxy.ts binds 127.0.0.1 (was 0.0.0.0 — x402 payment proxy exposed to the LAN).
- Write/Edit/Read refuse the wallet key store (~/.blockrun/.session, .solana-session, solana-wallet.json) — a steered model could overwrite/substitute the private key.
- bash-guard: wallet-key reads (`cat ~/.blockrun/.solana-session`) and `xargs` are no longer auto-"safe"; `gh api -X DELETE/POST/PUT` prompts (only GET stays safe). Added a labeled-base58 key pattern to the secret redactor.

Security (defense-in-depth):
- Web/search output (WebFetch/WebSearch/Exa/Surf/BrowserX) framed as UNTRUSTED data-not-instructions (parity with MCP/skills containment).
- SSRF guard on WebFetch + reference-image fetch (blocks loopback/private/metadata; opt out with FRANKLIN_ALLOW_PRIVATE_FETCH=1).

Correctness / data-integrity:
- sanitizeHistory adopted on reference-diff (orphan guardrail tool_results no longer reach the wire / 400 on strict mode).
- stats writer atomic + .bak + shape coercion (crash no longer wipes/poisons it).
- migrate carries url/headers/oauth for http/sse MCP servers.
- MCP connect-timeout teardown; task cancel recycled-PID guard; brain concurrent merge before save.

New security regression tests. Suite 484/484.
Fifth review round — a fresh non-money angle (correctness / security / data-integrity). 13 adversarially-verified findings, 4 HIGH security holes around the wallet. All fixed; local suite 484/484.
🔴 Security — wallet exposure (HIGH)
- `franklin proxy` binds loopback only — was `0.0.0.0`, exposing the x402 payment proxy (signs USDC from the wallet on every request) to the whole LAN.
- `~/.blockrun/.session` / `.solana-session` / `solana-wallet.json` were missing from the blocklist; Write/Edit/Read now refuse them (a steered model could overwrite/substitute the private key).
- `bash-guard` no longer auto-approves `cat ~/.blockrun/.solana-session` (key dump) or `… | xargs rm -f` (arbitrary exec); both prompt now.
- `gh api -X DELETE/POST/PUT` prompts (only GET stays safe). Added a labeled-base58 key pattern to the redactor.

🟡 Security — defense in depth

- `FRANKLIN_ALLOW_PRIVATE_FETCH=1` to opt out for local dev servers).

🟢 Correctness & data integrity

- `sanitizeHistory` adopted on reference-diff → orphan `guardrail-*` tool_results no longer reach the wire (400 on strict Anthropic/proxy mode).
- `tmp`+`fsync`+`rename`+`.bak`) + shape coercion — a crash no longer wipes usage history; a malformed file no longer crashes the paid turn.
- `franklin migrate` carries `url`/`headers`/`oauth` for http/sse MCP servers (were dropped → dead configs).
- `task cancel` recycled-PID guard; brain concurrent-merge before save.
- New no-spend security regression tests: key-path guard, bash-guard (key-read/xargs/gh-api), SSRF, untrusted frame, redactor.
🤖 Generated with Claude Code
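The SSRF guard described in this PR (refuse loopback, private and cloud-metadata targets, with `FRANKLIN_ALLOW_PRIVATE_FETCH=1` as the opt-out), as an added example that is not the project's own code. The names `isBlockedHost` and `assertFetchAllowed` are assumptions; the check covers literal hosts only, so a real guard must also run it over every address a hostname resolves to and over each redirect target.

```typescript
// Parse dotted-quad IPv4 into an unsigned 32-bit integer (null if not IPv4).
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) >>> 0) + (o[1] << 16) + (o[2] << 8) + o[3];
}

// Ranges a fetch guard refuses: loopback, RFC 1918 private, link-local (which
// contains the 169.254.169.254 cloud metadata endpoint), CGNAT and "this network".
const BLOCKED_V4: Array<[string, number]> = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["169.254.0.0", 16], ["100.64.0.0", 10], ["0.0.0.0", 8],
];

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base)! & mask) >>> 0);
}

// Classify a literal host (as returned by URL.hostname). Hostnames return false
// here: resolve them first, then re-check every resulting address.
function isBlockedHost(host: string): boolean {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1" || h === "::") return true;
  if (h.startsWith("::ffff:")) return isBlockedHost(h.slice(7)); // IPv4-mapped IPv6
  if (/^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h)) return true; // ULA, link-local
  const ip = ipv4ToInt(h);
  if (ip !== null) return BLOCKED_V4.some(([b, bits]) => inCidr(ip, b, bits));
  return false;
}

// Throws for non-http(s) schemes always, and for blocked hosts unless the
// operator opted out with FRANKLIN_ALLOW_PRIVATE_FETCH=1 (e.g. a local dev server).
// WHATWG URL parsing normalises shorthand forms such as http://127.1/ and
// http://0x7f000001/ to 127.0.0.1 before the host check sees them.
function assertFetchAllowed(
  url: string,
  env: Record<string, string | undefined> = process.env,
): void {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error(`blocked scheme ${u.protocol}`);
  if (env.FRANKLIN_ALLOW_PRIVATE_FETCH === "1") return;
  if (isBlockedHost(u.hostname)) throw new Error(`blocked loopback/private/metadata host ${u.hostname}`);
}
```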