security: the three remaining red-team lows (cleartext key, symlink write, unpinned dep)#70
Merged
Merged
Conversation
[Low] Cleartext Bearer key in the fluency eval tool. openai_answerer sent Authorization: Bearer <key> to whatever base_url it was given, including an http:// one. It now refuses http to a non-loopback host when a key is set (raises ValueError at construction); loopback http (local LiteLLM/CCR) and https are unaffected, and http with no key is still allowed. [Low] _secure_io followed symlinks on write. write_restricted/append_restricted opened the final path component without O_NOFOLLOW, so a pre-planted symlink in a terse-managed dir could redirect a secret-bearing write onto an attacker target. Both opens now add O_NOFOLLOW (via getattr, so it's a no-op on a platform without the flag rather than a crash). [Low] Unpinned tiktoken. pyproject listed a bare "tiktoken"; a lockfile-less install could resolve to an arbitrarily old release. Pinned a floor (tiktoken>=0.7); uv.lock still pins the exact version for this repo. Tests: openai_answerer rejects http+key to a remote host, allows loopback-http +key / https+key / http+no-key; _secure_io refuses to write/append through a symlink (skipped where O_NOFOLLOW is absent) and leaves the target untouched. 452 pass, ruff clean.
The pyproject constraint change (previous commit) leaves uv.lock's recorded requires-dist specifier stale; regenerate it so lock and manifest agree. No resolved-version change — tiktoken stays at the locked 0.13.0, which satisfies >=0.7.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The three remaining Lows from the
/redteampass, batched. All defensive; none change happy-path behavior.[Low] Cleartext Bearer key in the fluency eval tool
fluency.pyopenai_answererAuthorization: Bearer <key>to anybase_url, includinghttp://, leaking the key in cleartext on the wire.httpto a non-loopback host when a key is set (raisesValueErrorat construction). Loopback http (local LiteLLM/CCR gateway) andhttpsare unaffected;httpwith no key is still allowed (nothing to leak).[Low]
_secure_iofollowed symlinks on write_secure_io.pywrite_restricted/append_restrictedO_NOFOLLOW, so a pre-planted symlink in a terse-managed dir could redirect a secret-bearing write (config, backup, captured payload) onto an attacker-chosen target.O_NOFOLLOWviagetattr(os, "O_NOFOLLOW", 0)— a no-op on a platform lacking it rather than a crash. Guards the final component (the standardO_NOFOLLOWlimitation).[Low] Unpinned
tiktokenpyproject.toml"tiktoken"— a lockfile-lesspip install tersecould resolve to an arbitrarily old release.tiktoken>=0.7;uv.lockstill pins the exact version for this repo.Tests (+6)
openai_answerer: rejects http+key to a remote host; allows loopback-http+key, https+key, and http+no-key._secure_io: refuses to write/append through a symlink and leaves the target untouched (skipped whereO_NOFOLLOWis absent).452 pass, ruff clean. Completes the redteam remediation — no open findings remain.