fix(compile): close F0 secret-exfil channels (env strip + error sanitization)#14

Draft
AchillesWasonga wants to merge 1 commit into main from security-fixes

Conversation

@AchillesWasonga


⚠️ DO NOT MERGE YET — see hold note at bottom

F0 — Pre-auth secret exfiltration via /api/compile

What the vulnerability is

POST /api/compile executes user-supplied Python on the server. Before this
change, two channels leaked server secrets to any unauthenticated caller:

  1. Environment inheritance — the child process was spawned with the full
    process.env, so injected code could read every provider key
    (ANTHROPIC / OPENAI / NVIDIA / GEMINI / OPENROUTER / DATABRICKS) from
    os.environ.
  2. Verbatim error return — Python stderr was returned in the 422 response
    body, so output (including dumped secrets) flowed straight back to the caller.

Evidence — BEFORE (unpatched, commit b7d3650)

Request. Run this before you merge to see it (run studio locally):
curl -sS -X POST http://localhost:3000/api/compile -H 'Content-Type: application/json' \
-d '{"code":"import os,sys; sys.stderr.write(\"LEAK:\"+\",\".join(k+\"=\"+v for k,v in os.environ.items() if \"KEY\" in k or \"TOKEN\" in k)); sys.exit(1)"}'
Response (all six keys returned, fake sentinels used for safety): I made a fake .env.local to test but you can use the real one if you want. Here it is:
ANTHROPIC_API_KEY=sk-ant-FAKE-POC-SENTINEL-001, OPENAI_API_KEY=sk-proj-FAKE-POC-002, NVIDIA_API_KEY=nvapi-FAKE-POC-003, GOOGLE_GEMINI_API_KEY=AIzaFAKE-POC-004, OPENROUTER_API_KEY=sk-or-v1-FAKE-POC-005, DATABRICKS_TOKEN=dapiFAKE-POC-006, PYTHON_PATH=$(which python3)
Direct command execution also confirmed (subprocess.check_output(["id"])
returned uid=501(...) ... 80(admin) ... and uname -a — i.e. arbitrary OS
commands run as the server user).

Evidence — AFTER (this branch)

Same two attacks, now, after I fixed them:
{"error":"Compilation failed","requestId":"3ea6e5bd-6175-48cc-96da-ff604c97e30c"}
{"error":"Compilation failed","requestId":"942d40db-6b3d-4c21-b1be-c54b03f4c929"}
No keys, no command output. Regression — a legitimate model still compiles:
{"code":"from build123d import *\nresult = Box(10, 10, 10)"} → HTTP 200,
valid 684-byte STL.

What this change does

  • Adds buildMinimalEnv() and passes only PATH/LANG/PYTHONDONTWRITEBYTECODE to
    the child at both exec sites (primary + auto-heal) instead of the full env.
  • Stops returning stderr/err.message to the client at every error path; logs
    detail server-side with a requestId and returns a generic error.

⚠️ Scope — this is a BLEED-STOP, not the full RCE fix

Arbitrary code execution still occurs — the child still runs attacker
Python (it can burn CPU, touch the filesystem). This PR only closes the two
secret-exfiltration channels. The execution sink itself is addressed by the
follow-up sandbox work (AST allowlist + process isolation), and F1 (no auth
on any /api/* route) must land so the endpoint isn't anonymously reachable.

I will fix F1 and then you can check and merge both.

@netlify

netlify Bot commented Jun 16, 2026


Deploy Preview for illustrious-sunshine-4ce83e ready!

Name Link
🔨 Latest commit 6579665
🔍 Latest deploy log https://app.netlify.com/projects/illustrious-sunshine-4ce83e/deploys/6a31b8ef77c6a0000892bf94
😎 Deploy Preview https://deploy-preview-14--illustrious-sunshine-4ce83e.netlify.app