Security: DevMode auth API unconditionally allows all apps and KMS replication

[kvinwang]

Note: This issue documents a vulnerability that was originally reported privately as the repository security advisory GHSA-2q43-m63v-6j3r by @pbeza.

Root Cause

The AuthApi::Dev variant returns is_allowed: true for every authorization request, including KMS key replication. This is a runtime configuration option (auth_api.type = "dev" in config), not a compile-time feature gate. The get_meta endpoint exposes is_dev: true to unauthenticated callers, allowing attackers to discover misconfigured KMS instances.

// upgrade_authority.rs:63-70
AuthApi::Dev => Ok(AuthResponse {
    is_allowed: true,
    // ...
})

Attack Path

1. Attacker scans for KMS instances and calls get_meta on each
2. Attacker finds a KMS instance with is_dev: true in the response
3. Attacker requests key derivation for any app_id — AuthApi::Dev allows all
4. Attacker requests KMS key replication — AuthApi::Dev allows it
5. Attacker now has copies of all KMS root keys

Impact

A KMS instance running in dev mode has no authorization boundary. Any attacker with network access can derive keys for any app, replicate root keys to their own KMS instance, and completely compromise the key hierarchy. The get_meta endpoint makes discovery trivial.

Suggested Fix

Gate AuthApi::Dev behind a compile-time feature flag:

#[cfg(feature = "dev-mode")]
AuthApi::Dev => Ok(AuthResponse { is_allowed: true, ... }),
#[cfg(not(feature = "dev-mode"))]
AuthApi::Dev => Err(Error::DevModeDisabled),

Remove is_dev from the get_meta response, or at minimum do not expose it to unauthenticated callers.

---

Note: This finding was reported automatically as part of an AI/Claude-driven internal audit by the NEAR One MPC team. It has not been manually verified by a human to confirm whether it constitutes an actual security issue.

[kvinwang]

Maintainer response (copied from private security advisory GHSA-2q43-m63v-6j3r):

Thanks for the report, but this is not a security vulnerability. A few points:

1. Dev mode is for local/integration testing — not production

The dev auth mode is used for local development and CI integration testing, where environments are typically ephemeral and short-lived. There is no realistic attack scenario — these environments are not exposed to the internet and contain no meaningful key material. "Attacking" a throwaway test KMS instance is pointless.

2. Runtime configuration is measured and attested

The KMS configuration, including whether auth_api.type = "dev" is set, is part of the runtime measurement. Any verifier performing remote attestation can detect that a KMS instance is running in dev mode. A production deployment using dev mode would fail attestation checks. This is the fundamental security boundary in dstack — attestation, not code-level enforcement.

3. Compile-time gating via cargo features is not strictly better

The suggested fix of using #[cfg(feature = "dev-mode")] has its own risks. Cargo features are additive — if any crate in the dependency tree enables dev-mode, it gets enabled for the entire build. This can lead to accidental inclusion that is easy to miss in code review. A runtime configuration that is explicitly measured and attested provides a clear, auditable boundary without the pitfalls of feature flag composition.

4. is_dev in get_meta is informational, not a vulnerability

Exposing is_dev: true in metadata is a transparency feature — it helps operators and verifiers confirm the mode of a KMS instance. Hiding it would reduce visibility without improving security, since attestation already covers this.