ktg-plugin-marketplace

open/ktg-plugin-marketplace

Fork 0

Commit graph

Author	SHA1	Message	Date
Kjell Tore Guttormsen	8dc3090080	fix(voyage): permanently block cloud metadata endpoints in OTLP validator (CWE-918) Found by simulert v4.1 smoke — doc/code-drift in v4.1 ship: docs/observability.md claims "Cloud metadata endpoints (169.254.169.254) are permanently blocked" but the validator allowed them when VOYAGE_OTEL_ALLOW_PRIVATE=1. Cloud metadata services expose IAM credentials and instance secrets — operator-trust extended to RFC-1918 home-lab access does NOT extend here, because the blast-radius (cloud-account compromise) is qualitatively different. New HARD_BLOCKED_HOSTS set checked BEFORE the link-local opt-in path: - 169.254.169.254 (AWS / GCP / Azure metadata) - 100.100.100.200 (AliCloud metadata) - metadata.google.internal - metadata.azure.com New error code ENDPOINT_HARD_BLOCKED. Existing test for ENDPOINT_LINK_LOCAL_REJECTED on 169.254.169.254 updated to assert the new code; 3 new tests verify the hard-block holds even with VOYAGE_OTEL_ALLOW_PRIVATE=1, plus AliCloud + GCP-hostname coverage. Tests: 487 → 490 pass + 2 skipped.	2026-05-09 10:23:51 +02:00
Kjell Tore Guttormsen	9e01ce30b5	feat(voyage): add lib/exporters/{path,endpoint,field-allowlist}-validators — CWE-22, CWE-918, CWE-212 mitigering Step 11 av v4.1-execute (Wave 2, Session 3). 3 sikkerhets-validatorer for OTel-eksporten: path-validator.mjs (CWE-22 Path Traversal): - Reject `..` segmenter, `~`-shorthand - realpathSync symlink-resolution (med macOS quirk: /etc, /var, /tmp er symlinks til /private/etc, /private/var, /private/tmp — begge former i FORBIDDEN_PREFIXES) - Allowlist-først evaluering: hvis allowedRoots gitt, det er primary defense (caller's threat model). Forbidden-prefix-denylist er FALLBACK når allowedRoots ikke spesifisert. endpoint-validator.mjs (CWE-918 SSRF): - Reject loopback (127.0.0.1, ::1, localhost, 0.0.0.0) UNLESS VOYAGE_OTEL_ALLOW_PRIVATE=1 - Reject RFC-1918 (10/8, 172.16/12, 192.168/16) UNLESS opt-in - Reject link-local (169.254.x.x cloud metadata, fe80:* IPv6) UNLESS opt-in - Krev https:// for non-private endpoints - node:url-parsing, ingen runtime DNS-resolusjon (defense-in-depth) field-allowlist.mjs (CWE-212 Improper Cross-boundary Removal of Sensitive Data): - INLINE static const Object.freeze på modul-scope (IKKE runtime read fra fixtures) - Per-schema allowlist for alle 8 schema-id (trekbrief, trekresearch, trekplan, trekexecute, event-emit, post-bash-stats, trekreview, trekcontinue) - Source-comment per allowlist refererer tests/fixtures/jsonl-schemas.md - post-bash-stats DROPPER eksplisitt command_excerpt + session_id (CWE-212) - event-emit applies sub-allowlist på payload-objekt (recursive) - Unknown schema-type returnerer conservative {_schema_id, ts} Tester (19 nye, baseline 413 → 432): - path-validator x6 (CWE-22 traversal, forbidden-system, ~, allowedRoots accept/reject, drift-pin) - endpoint-validator x7 (CWE-918 link-local, RFC-1918, loopback, https-required, opt-in, public-accept, empty-input) - field-allowlist x6 (CWE-212 post-bash-stats, trekplan-PII, event-emit-payload, unknown-schema, Object.freeze, null-safe) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-09 09:36:00 +02:00

Author

SHA1

Message

Date

Kjell Tore Guttormsen

8dc3090080

fix(voyage): permanently block cloud metadata endpoints in OTLP validator (CWE-918)

Found by simulert v4.1 smoke — doc/code-drift in v4.1 ship:
docs/observability.md claims "Cloud metadata endpoints (169.254.169.254)
are permanently blocked" but the validator allowed them when
VOYAGE_OTEL_ALLOW_PRIVATE=1. Cloud metadata services expose IAM
credentials and instance secrets — operator-trust extended to
RFC-1918 home-lab access does NOT extend here, because the
blast-radius (cloud-account compromise) is qualitatively different.

New HARD_BLOCKED_HOSTS set checked BEFORE the link-local opt-in path:
  - 169.254.169.254  (AWS / GCP / Azure metadata)
  - 100.100.100.200  (AliCloud metadata)
  - metadata.google.internal
  - metadata.azure.com

New error code ENDPOINT_HARD_BLOCKED. Existing test for
ENDPOINT_LINK_LOCAL_REJECTED on 169.254.169.254 updated to assert
the new code; 3 new tests verify the hard-block holds even with
VOYAGE_OTEL_ALLOW_PRIVATE=1, plus AliCloud + GCP-hostname coverage.

Tests: 487 → 490 pass + 2 skipped.

2026-05-09 10:23:51 +02:00

Kjell Tore Guttormsen

9e01ce30b5

feat(voyage): add lib/exporters/{path,endpoint,field-allowlist}-validators — CWE-22, CWE-918, CWE-212 mitigering

Step 11 av v4.1-execute (Wave 2, Session 3).

3 sikkerhets-validatorer for OTel-eksporten:

path-validator.mjs (CWE-22 Path Traversal):
- Reject `..` segmenter, `~`-shorthand
- realpathSync symlink-resolution (med macOS quirk: /etc, /var, /tmp er
  symlinks til /private/etc, /private/var, /private/tmp — begge former
  i FORBIDDEN_PREFIXES)
- Allowlist-først evaluering: hvis allowedRoots gitt, det er primary defense
  (caller's threat model). Forbidden-prefix-denylist er FALLBACK når
  allowedRoots ikke spesifisert.

endpoint-validator.mjs (CWE-918 SSRF):
- Reject loopback (127.0.0.1, ::1, localhost, 0.0.0.0) UNLESS VOYAGE_OTEL_ALLOW_PRIVATE=1
- Reject RFC-1918 (10/8, 172.16/12, 192.168/16) UNLESS opt-in
- Reject link-local (169.254.x.x cloud metadata, fe80:* IPv6) UNLESS opt-in
- Krev https:// for non-private endpoints
- node:url-parsing, ingen runtime DNS-resolusjon (defense-in-depth)

field-allowlist.mjs (CWE-212 Improper Cross-boundary Removal of Sensitive Data):
- INLINE static const Object.freeze på modul-scope (IKKE runtime read fra fixtures)
- Per-schema allowlist for alle 8 schema-id (trekbrief, trekresearch, trekplan,
  trekexecute, event-emit, post-bash-stats, trekreview, trekcontinue)
- Source-comment per allowlist refererer tests/fixtures/jsonl-schemas.md
- post-bash-stats DROPPER eksplisitt command_excerpt + session_id (CWE-212)
- event-emit applies sub-allowlist på payload-objekt (recursive)
- Unknown schema-type returnerer conservative {_schema_id, ts}

Tester (19 nye, baseline 413 → 432):
- path-validator x6 (CWE-22 traversal, forbidden-system, ~, allowedRoots accept/reject, drift-pin)
- endpoint-validator x7 (CWE-918 link-local, RFC-1918, loopback, https-required, opt-in, public-accept, empty-input)
- field-allowlist x6 (CWE-212 post-bash-stats, trekplan-PII, event-emit-payload, unknown-schema, Object.freeze, null-safe)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-09 09:36:00 +02:00

2 commits