fix: resolve 3 critical security findings (sandbox RCE, unauth console, Rust panic fail-safe)#3
Merged
Conversation
…rect-access escapes The extension sandbox ran untrusted code in-process via exec() with a restricted __builtins__ — a non-boundary, escapable to full RCE (demonstrated: reads /etc/passwd, runs shell). The static inspector was a name-blocklist that rated the escape safe. - sandbox.py: remove in-process exec entirely. execute() now FAILS CLOSED (REJECTED) unless execution is explicitly enabled (PI_EXTENSION_ALLOW_CODE_EXECUTION=1 or allow_execution=True); when enabled it runs in an isolated subprocess (python -I) with a stripped env (no inherited secrets), RLIMIT_AS, SIGALRM + a hard parent-side wall-clock kill. (Not a full OS jail — still recommend seccomp/gVisor in prod.) - inspector.py: add _check_indirect_access — reject reflective/dunder escape pivots (__subclasses__/__mro__/__globals__/__builtins__/_module/__import__/globals/vars/…). - governor.py: wire the new check into the Phase-1 source scan. - tests: new test_sandbox_security.py (escape rejected & not executed, env stripped); governor + catalog tests move execution behind the opt-in flag. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The ledger and transparency endpoints served every tenant's execution audit data with NO authentication by default (JWT was opt-in; the shipped config left it off). - auth_guard.py: new require_reader dependency — refuses access unless the request carries a valid principal (JWT validated by the existing middleware). Fails closed when auth is unconfigured, with an explicit local-dev opt-out (PI_CONSOLE_ALLOW_UNAUTHENTICATED=1). - main.py: apply require_reader to the ledger + transparency routers. - tests: new test_auth_gate.py (default 401 / valid-token 200 / opt-out); the transparency integration test uses the documented dev opt-out. FOLLOW-UP (not in this commit): per-row tenant scoping needs a schema migration — execution_trace has no tenant_id column — plus RBAC on these routes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…tches them A Rust panic crossed the PyO3 boundary as PanicException (a BaseException subclass), which the orchestrator's 'except Exception' fail-safe could not catch — aborting the request instead of falling back to Python. The Rust core is default-on, so one crafted input (e.g. a 20-digit Solidity version overflowing i64) could take down a request. - pi-agents/registry.rs: add run_agent_safe — catch_unwind converts an escaped panic into Err (=> a normal PyValueError, an Exception). + panic_safety_tests. - pi-py/lib.rs: run_agent and run_agents route through run_agent_safe. - consensus.py: _try_rust_agent now catches BaseException (re-raising KeyboardInterrupt/SystemExit) — defence in depth for an unpatched cdylib. - tests: new test_rust_fallback.py (panic-like BaseException falls back; interrupts still propagate). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the three critical findings from the full audit (
pi-platform-audit-report.html). Each was reproduced, fixed test-first (TDD), and verified.What's fixed
🔴 Sandbox escape → RCE (demonstrated)
The extension "sandbox" ran untrusted code in-process via
exec()with a restricted__builtins__— not a security boundary; it was escapable to full RCE (read/etc/passwd, run shell). The static inspector was a name-blocklist that rated the escape 100/100 safe.sandbox.pynow fails closed: no in-processexec(). Execution is opt-in (PI_EXTENSION_ALLOW_CODE_EXECUTION=1/allow_execution=True) and runs in an isolated subprocess (python -I) with a stripped env (no inherited secrets),RLIMIT_AS, and a hard parent-side wall-clock kill.inspector.py_check_indirect_accessrejects the reflective/dunder escape pivots; wired into the governor's Phase-1 scan.🔴 Unauthenticated console
The ledger + transparency endpoints served every tenant's execution audit data with no auth by default.
auth_guard.require_readergates those routers fail-closed (401 unless a valid principal is present); explicit local-dev opt-outPI_CONSOLE_ALLOW_UNAUTHENTICATED=1.execution_tracehas notenant_id) + RBAC on these routes.🔴 Rust panic defeats the "fail-safe" fallback
A Rust panic crossed PyO3 as
PanicException(aBaseException), which theexcept Exceptionfallback couldn't catch — and the Rust core is default-on.pi_agents::run_agent_safecatches panics →Err(→ a normalPyValueError);pi-pyroutes both entry points through it;consensus.pybroadened to catchBaseException(re-raisingKeyboardInterrupt/SystemExit).Verification
pi-agents782 +pi-event-fabric13 passed (incl. 3 new panic-safety tests)ruff check+ruff format --check: clean on all changed filesNotes
rust-core-loadbearing(where this work was branched from).🤖 Generated with Claude Code