fix: remediate 9 security findings from external audit (OS-15 through OS-23) #744

Merged
johntmyers merged 10 commits into main from fix/security-audit-batch-1 on Apr 3, 2026
@johntmyers
Collaborator

Summary

Addresses 9 findings from the external security audit, delivered as one commit per finding for clean bisect/revert:

  • OS-20: Restrict tar extraction in install.sh to expected binary (path traversal, CWE-22)
  • OS-23: Quote registry credentials in cluster-entrypoint.sh YAML heredocs (injection, CWE-94)
  • OS-18: Redact session tokens in SSH tunnel rate-limit logs (credential exposure, CWE-532)
  • OS-17: HTML-escape Host header in auth connect page (XSS, CWE-79)
  • OS-16: Validate confirmation code format, use serde_json for JS embedding, add CSP header (XSS, CWE-79)
  • OS-21: Add 32 MiB byte cap and 30s idle timeout to streaming inference relay (DoS, CWE-400)
  • OS-22: Narrow policy port field from u32 to u16, validate at API boundary (input validation)
  • OS-19: Replace archived serde_yaml with serde_yml (RUSTSEC-2024-0320, CWE-1104)
  • OS-15: Gateway re-validates security_notes, caps hit_count; TUI approve-all uses bulk RPC (confused deputy, CWE-284)

Related Issues

Closes OS-15, OS-16, OS-17, OS-18, OS-19, OS-20, OS-21, OS-22, OS-23

Changes

| Commit | Issue | CWE | Files |
|---|---|---|---|
| 721f4bdc | OS-20 | CWE-22 | install.sh |
| b8307dc7 | OS-23 | CWE-94 | deploy/docker/cluster-entrypoint.sh |
| 77541a11 | OS-18 | CWE-532 | crates/openshell-server/src/ssh_tunnel.rs |
| 21646778 | OS-17 | CWE-79 | crates/openshell-server/src/auth.rs |
| 3c0d7e8d | OS-16 | CWE-79 | crates/openshell-server/src/auth.rs |
| 1a961133 | OS-21 | CWE-400 | crates/openshell-sandbox/src/proxy.rs |
| f95590f7 | OS-22 | | crates/openshell-policy/src/lib.rs |
| 71329fbd | OS-19 | CWE-1104 | 7 files (Cargo.toml + crate deps + import sites) |
| 04825ee1 | OS-15 | CWE-284 | crates/openshell-server/src/grpc.rs, crates/openshell-tui/src/lib.rs |

Testing

  • cargo fmt --check — clean
  • cargo clippy — clean (pre-existing warnings only)
  • cargo test --workspace — all tests pass (new tests added for code validation and port rejection)
  • mise run pre-commit — all checks pass (only pre-existing license header issue on untracked local file)

Checklist

  • One commit per finding for clean bisect/revert
  • No secrets or credentials committed
  • Conventional commit messages
  • Tests added for new validation logic
  • Scoped to security audit remediation only
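
An added example, not code from this PR or the project: one way to enforce the two OS-21 limits from the summary (32 MiB byte cap, 30s idle timeout) on a relayed stream. The `relay_stream` helper, the `RelayError` type and the channel standing in for the upstream response body are assumptions made for illustration.

```rust
use std::io::Write;
use std::sync::mpsc::{channel, Receiver, RecvTimeoutError};
use std::time::Duration;

// Limits stated in the PR summary for OS-21.
pub const MAX_STREAM_BYTES: usize = 32 * 1024 * 1024; // 32 MiB
pub const IDLE_TIMEOUT: Duration = Duration::from_secs(30);

#[derive(Debug, PartialEq)]
pub enum RelayError {
    TooLarge,    // upstream sent more than the byte cap
    IdleTimeout, // no chunk arrived within the idle window
    Sink,        // writing to the downstream client failed
}

// Hypothetical helper: forward chunks until the sender closes the channel.
// The idle timer restarts on every chunk, so a slow but live stream passes
// while a stalled one is cut off. Returns the number of bytes relayed.
pub fn relay_stream<W: Write>(
    upstream: &Receiver<Vec<u8>>,
    sink: &mut W,
    max_bytes: usize,
    idle: Duration,
) -> Result<usize, RelayError> {
    let mut total = 0usize;
    loop {
        match upstream.recv_timeout(idle) {
            Ok(chunk) => {
                // Check before writing so nothing past the cap goes downstream.
                total = total.saturating_add(chunk.len());
                if total > max_bytes {
                    return Err(RelayError::TooLarge);
                }
                sink.write_all(&chunk).map_err(|_| RelayError::Sink)?;
            }
            Err(RecvTimeoutError::Timeout) => return Err(RelayError::IdleTimeout),
            Err(RecvTimeoutError::Disconnected) => return Ok(total), // clean end
        }
    }
}

fn main() {
    // Constructed sample: one chunk, then the sender is dropped (end of stream).
    let (tx, rx) = channel();
    tx.send(b"data: hello\n".to_vec()).unwrap();
    drop(tx);
    let mut out = Vec::new();
    let n = relay_stream(&rx, &mut out, MAX_STREAM_BYTES, IDLE_TIMEOUT).unwrap();
    println!("relayed {n} bytes");
}
```

Both limits are parameters so that tests can exercise the cap and the timeout with small values instead of 32 MiB and 30 seconds.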

Labels

test:e2e Requires end-to-end coverage
