@pensarapp pensarapp bot commented Apr 1, 2025

Secured with Pensar

| Type | Identifier | Message | Severity |
|---|---|---|---|
| Application | ML09 | In the run_locally function, the system writes the Dockerfile and application files generated by the LLM directly to disk without additional sanitization, validation, or potential restrictions. This creates a trust boundary vulnerability where malicious modifications in the generated files could result in harmful behavior when building and running Docker containers. This is an instance of ML09: Manipulation of ML Model Outputs Affecting Integrity, potentially allowing an attacker to escalate privileges or perform container escapes through unchecked code execution. | high |

The vulnerability in the run_locally function stems from trusting LLM-generated content without validation, creating a trust boundary issue (ML09). The original code takes a Dockerfile and files generated by the LLM, writes them directly to disk, and executes Docker commands without any security checks.

The patch implements multiple layers of defense:

1. Input Validation:
   - Validates that inputs are properly formatted
   - Checks Dockerfile content for dangerous patterns (privileged mode, mounting host filesystem, etc.)
   - Enforces path safety by preventing directory traversal attacks
2. Path Traversal Prevention:
   - Normalizes all filenames
   - Blocks absolute paths and parent directory references
   - Double-checks that the final resolved path stays within the designated output directory
3. Docker Runtime Security:
   - Adds the `--security-opt=no-new-privileges=true` flag to prevent privilege escalation
   - Drops all capabilities and only adds back the minimum needed (NET_BIND_SERVICE)
   - Sets resource limits for memory, CPU, process count, and file handles
   - Adds timeouts to prevent long-running operations
   - Uses `--no-cache` for builds to prevent persistent artifacts
4. Improved Error Handling:
   - Adds comprehensive error handling throughout the function
   - Returns descriptive error messages to aid debugging
   - Logs security violations

This patch ensures that even if the LLM generates malicious content, it will be detected and blocked before execution, significantly reducing the risk of container escapes or privilege escalation attacks.

restack-app bot commented Apr 1, 2025

No applications have been configured for previews targeting branch: master. To do so go to restack console and configure your applications for previews.
