🔒 Security · 🟠 High · Confidence: 94%
File: crates/forkd-cli/src/sandbox.rs
Location: delete_sandbox
What's wrong
The sandbox ID is interpolated directly into the request URL without validation, allowing crafted IDs to target arbitrary endpoints. Problematic line:
let url = format!("{}/v1/sandboxes/{}", daemon_url.trim_end_matches('/'), id);
Suggested fix
Validate or encode the id to ensure it contains only allowed characters (e.g., alphanumeric and hyphens) before constructing the URL:
// Reject an empty id as well: `all()` returns true for an empty string.
if id.is_empty() || !id.chars().all(|c| c.is_ascii_alphanumeric() || c == '-') {
    anyhow::bail!("invalid sandbox id");
}
let url = format!("{}/v1/sandboxes/{}", daemon_url.trim_end_matches('/'), id);
About this report
This finding was generated by an automated audit tool using Llama 3.3 70B + verification passes.
Only findings with ≥92% confidence that passed both LLM self-verification and line reference
verification are reported. False positives are still possible — please verify before acting.