mirror of
https://github.com/wirenboard/agent-vm.git
synced 2026-07-09 16:00:54 +00:00
docs(run): update gh-secret comment now that the github.com gap is closed
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
62c9eb6ff8
commit
4e6ea00efb
1 changed files with 7 additions and 13 deletions
|
|
@ -422,19 +422,13 @@ pub async fn launch(agent: Agent, args: Args) -> Result<i32> {
|
|||
// accept the perf hit (basic_auth disables the per-chunk
|
||||
// fast path) because GitHub connections aren't WebSocket.
|
||||
//
|
||||
// **Known gap (review #1).** The per-launch repo allow-list
|
||||
// is enforced by the intercept hook on api.github.com only.
|
||||
// The gh secret also allows github.com / codeload / raw /
|
||||
// objects so `git push` / `git clone` can reach them with
|
||||
// the substituted token — but no intercept rule filters
|
||||
// those paths. A malicious in-VM agent that knows how to
|
||||
// craft git smart-HTTP requests can push to any repo the
|
||||
// host token has access to. Filtering git protocol over
|
||||
// HTTPS requires a streaming intercept primitive that
|
||||
// microsandbox doesn't have yet (intercept buffers the
|
||||
// full request, capped at 64 KiB — git push pack data
|
||||
// exceeds that). Until then, the threat model assumes the
|
||||
// agent is well-intentioned but possibly mistaken.
|
||||
// The per-launch repo allow-list binds api.github.com
|
||||
// (full-buffer hook below) AND the git smart-HTTP hosts
|
||||
// (streaming `rule_streaming` rules below). The smart-
|
||||
// HTTP path uses microsandbox's headers-only dispatch
|
||||
// primitive — the hook decides based on the request
|
||||
// line alone, so multi-MB git push pack data never hits
|
||||
// the 64 KiB intercept buffer.
|
||||
if let Some(file) = gh {
|
||||
n = n.secret(|s| {
|
||||
s.env("MSB_AGENT_VM_GH_UNUSED")
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue