Agent sandboxing tools with read/write access have a serious vulnerability.
I've been reviewing agent sandboxing solutions recently, and it occurred to me that there is a gaping vector for persistent exploits in tools that let the agent write to the CWD.

I had originally thought this would be OK, as we could review everything in the git diff. But it later occurred to me that there are all kinds of files the agent could write to that I'd end up executing, as the developer, outside the sandbox: every .pyc file, for instance, files in .venv, .git hook files.

ChatGPT[1] confirms the underlying exploit vectors and also that there isn't much discussion of them in the context of agent sandboxing tools.

My conclusion from that is that the only truly safe sandboxing technique would be one that transfers files from the sandbox to the dev's machine through some kind of git patch or similar. I.e. the file can only transfer if it's in version control and, therefore presumably, has been reviewed by the dev before transfer outside the sandbox.

Thoughts or recommendations?

1: https://chatgpt.com/share/69c3ec10-0e40-832a-b905-31736d8a3438
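The patch-only transfer the post settles on, worked through as an added example written for this page (it is not the poster's code, nor any sandbox tool's): the sandbox produces a patch with `git add -A && git diff --cached --binary`, and before `git apply` runs on the developer machine the script below lists every path the patch would touch and gates it. Paths that git itself never emits in a diff (`.git/hooks/...`, `../` escapes, absolute paths) are refused outright, because their presence means the patch file was tampered with on the way out; paths the host executes or loads without an explicit step (bytecode, `__pycache__`, `.venv`, build and CI files, `.gitignore`) are forced to human review. The review lists, the `Verdict` type, the function names and the sample patch are all constructed for this example, and the parser assumes git's default `a/` and `b/` path prefixes.

```python
"""Gate for patches leaving an agent sandbox: classify every path a unified diff
touches as ok, review (the host executes or loads it implicitly; a human reads the
hunk first) or blocked (escapes the work tree, under .git/, or unparseable)."""
import re
from typing import NamedTuple

# Constructed lists for this example; extend them for the repository at hand.
REVIEW_DIRS = (".venv", "__pycache__", ".github", ".vscode", ".idea")
REVIEW_SUFFIXES = (".pyc", ".pyo", ".pth", ".so", ".dll", ".dylib")
REVIEW_NAMES = ("Makefile", "setup.py", "setup.cfg", "pyproject.toml", "conftest.py",
                "sitecustomize.py", ".gitignore", ".gitattributes", ".gitmodules", ".envrc")

# "diff --git a/X b/X" with the same unquoted path on both sides (git wraps paths with
# unusual characters in double quotes; those are caught in classify_path).
_SAME_PATH_HEADER = re.compile(r"^diff --git a/(.+) b/\1$")
# Header lines naming a path; assumes git's default a/ and b/ prefixes.
_PATH_LINE = re.compile(r"^(\+\+\+ |--- |rename (?:from|to) |copy (?:from|to) )(.+)$")


class Verdict(NamedTuple):
    path: str
    status: str  # "ok" | "review" | "blocked"
    reason: str


def patch_paths(patch_text: str) -> list[str]:
    """Every work-tree path the patch reads or writes, in order of first mention."""
    seen: dict[str, None] = {}
    in_header = False  # only lines between "diff --git" and the first hunk are headers
    for line in patch_text.splitlines():
        if line.startswith("diff --git "):
            in_header = True
            m = _SAME_PATH_HEADER.match(line)
            if m:
                seen.setdefault(m.group(1), None)
            continue
        if line.startswith(("@@", "GIT binary patch")):
            in_header = False
        m = _PATH_LINE.match(line) if in_header else None
        if not m or m.group(2) == "/dev/null":
            continue
        path = m.group(2)
        if m.group(1).startswith(("+++", "---")) and not path.startswith('"'):
            path = path[2:]  # drop the a/ or b/ prefix
        seen.setdefault(path, None)
    return list(seen)


def classify_path(path: str) -> Verdict:
    parts = path.split("/")
    if path.startswith('"'):  # git-quoted: control chars, backslashes or non-ASCII
        return Verdict(path, "blocked", "quoted path, inspect by hand")
    if path.startswith("/") or re.match(r"[A-Za-z]:", path) or "\\" in path:
        return Verdict(path, "blocked", "absolute or non-POSIX path")
    if any(p in ("", ".", "..") for p in parts) or any(ord(c) < 32 for c in path):
        return Verdict(path, "blocked", "non-canonical path or control character")
    if any(p.lower() == ".git" for p in parts):
        return Verdict(path, "blocked", "inside a .git directory")
    if any(p in REVIEW_DIRS for p in parts[:-1]):
        return Verdict(path, "review", "directory the host loads implicitly")
    if parts[-1].endswith(REVIEW_SUFFIXES) or parts[-1] in REVIEW_NAMES:
        return Verdict(path, "review", "file the host executes or loads implicitly")
    return Verdict(path, "ok", "ordinary source file")


def audit_patch(patch_text: str) -> list[Verdict]:
    verdicts = [classify_path(p) for p in patch_paths(patch_text)]
    if not verdicts:  # refuse what could not be parsed rather than guess
        verdicts.append(Verdict("<none>", "blocked", "no file headers found"))
    return verdicts


def apply_decision(verdicts: list[Verdict]) -> str:
    """Overall gate: any blocked path vetoes the patch, any review path needs a human."""
    statuses = {v.status for v in verdicts}
    return "blocked" if "blocked" in statuses else "review" if "review" in statuses else "ok"


# Constructed sample of what `git add -A && git diff --cached --binary` might emit from a
# sandbox, plus two entries (.git/hooks and a ../ path) that git would never generate
# itself but a tampered patch file could carry.
SAMPLE_PATCH = """\
diff --git a/src/app.py b/src/app.py
--- a/src/app.py
+++ b/src/app.py
@@ -1 +1 @@
-print("hello")
+print("hello, world")
diff --git a/.git/hooks/pre-commit b/.git/hooks/pre-commit
new file mode 100755
--- /dev/null
+++ b/.git/hooks/pre-commit
@@ -0,0 +1 @@
+#!/bin/sh
diff --git a/pkg/__pycache__/mod.cpython-311.pyc b/pkg/__pycache__/mod.cpython-311.pyc
new file mode 100644
Binary files /dev/null and b/pkg/__pycache__/mod.cpython-311.pyc differ
diff --git a/../../home/dev/.bashrc b/../../home/dev/.bashrc
--- a/../../home/dev/.bashrc
+++ b/../../home/dev/.bashrc
@@ -1 +1 @@
-export PATH
+export PATH=/tmp/bin:$PATH
"""
```

Two git behaviours carry most of the weight here, and the script only double-checks them: `git add -A` honours `.gitignore`, so `.venv/` and `*.pyc` never reach the patch unless the agent also edits `.gitignore`, which then shows up in the diff and is flagged by `REVIEW_NAMES`; and `git apply` refuses a patch that touches paths outside the work tree unless it is given `--unsafe-paths`. What neither git nor this gate can judge is the content of an `ok` file, so the diff still has to be read: a change to a test fixture or a CI workflow is as much a persistence vector as a hook, just a visible one.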