fix(egress): randomize canary secret env name

2026-06-25 03:25:23 +00:00
parent 0a7e166b35
commit 4808ef557a
9 changed files with 129 additions and 36 deletions
@@ -137,10 +137,11 @@ def _sidecar_bundle_service(plan: DockerBottlePlan) -> dict[str, Any]:
        volumes.append(_bind(ep.routes_path.parent, str(Path(EGRESS_ROUTES_IN_CONTAINER).parent)))
        for token_env in sorted(ep.token_env_map.keys()):
            env.append(token_env)
-    if ep.canary:
-        # Inject canary as a literal NAME=VALUE (not a bare name) — the
-        # value is a fake secret so it need not be hidden from the compose file.
-        env.append(f"EGRESS_TOKEN_CANARY={ep.canary}")
+    if ep.canary and ep.canary_env:
+        # Inject the fake secret as a literal NAME=VALUE (not a bare name) and
+        # tell the sidecar to scan that exact env var as sensitive.
+        env.append(f"{ep.canary_env}={ep.canary}")
+        env.append(f"BOT_BOTTLE_SENSITIVE_PREFIXES={ep.canary_env}")

    # --- git-gate -----------------------------------------------------
    gp = plan.git_gate_plan
@@ -226,8 +227,8 @@ def _agent_service(plan: DockerBottlePlan) -> dict[str, Any]:
        env.append(name)
    # Canary token: visible to the agent as a fake secret so that any
    # outbound appearance of this value is a zero-FP exfil signal.
-    if plan.egress_plan.canary:
-        env.append(f"BOT_BOTTLE_CANARY={plan.egress_plan.canary}")
+    if plan.egress_plan.canary and plan.egress_plan.canary_env:
+        env.append(f"{plan.egress_plan.canary_env}={plan.egress_plan.canary}")

    service: dict[str, Any] = {
        "image": plan.image,
@@ -353,8 +353,9 @@ def _sidecar_env_entries(plan: MacosContainerBottlePlan) -> tuple[str, ...]:
    env: list[str] = []
    if plan.egress_plan.routes:
        env.extend(sorted(plan.egress_plan.token_env_map.keys()))
-    if plan.egress_plan.canary:
-        env.append(f"EGRESS_TOKEN_CANARY={plan.egress_plan.canary}")
+    if plan.egress_plan.canary and plan.egress_plan.canary_env:
+        env.append(f"{plan.egress_plan.canary_env}={plan.egress_plan.canary}")
+        env.append(f"BOT_BOTTLE_SENSITIVE_PREFIXES={plan.egress_plan.canary_env}")
    if plan.git_gate_plan.upstreams:
        env.append(f"BOT_BOTTLE_GIT_GATE_READY_FILE={_GIT_GATE_READY_FILE}")
    if plan.supervise_plan is not None:
@@ -422,8 +423,8 @@ def _agent_env_entries(
        env.append(f"{name}={value}")
    for name in sorted(plan.forwarded_env.keys()):
        env.append(name)
-    if plan.egress_plan.canary:
-        env.append(f"BOT_BOTTLE_CANARY={plan.egress_plan.canary}")
+    if plan.egress_plan.canary and plan.egress_plan.canary_env:
+        env.append(f"{plan.egress_plan.canary_env}={plan.egress_plan.canary}")
    return tuple(env)


@@ -35,6 +35,32 @@ EGRESS_HOSTNAME = "egress"
 EGRESS_ROUTES_IN_CONTAINER = "/etc/egress/routes.yaml"
 EGRESS_ROUTES_FILENAME = Path(EGRESS_ROUTES_IN_CONTAINER).name

+_CANARY_ENV_WORDS = (
+    "ACCORD",
+    "ANCHOR",
+    "ATLAS",
+    "CANON",
+    "CIPHER",
+    "EMBER",
+    "FALCON",
+    "HARBOR",
+    "LANTERN",
+    "MARBLE",
+    "NOVA",
+    "ORBIT",
+    "PIVOT",
+    "RADIUS",
+    "SUMMIT",
+    "VECTOR",
+)
+
+
+def _random_canary_env() -> str:
+    first = secrets.choice(_CANARY_ENV_WORDS)
+    remaining = tuple(word for word in _CANARY_ENV_WORDS if word != first)
+    second = secrets.choice(remaining)
+    return f"{first}_{second}_SECRET"
+

@dataclass(frozen=True)
 class EgressRoute(Route):
@@ -67,6 +93,7 @@ class EgressPlan:
    mitmproxy_ca_cert_only_host_path: Path = Path()
    log: int = 0
    canary: str = ""
+    canary_env: str = ""


 def egress_manifest_routes(
@@ -326,9 +353,9 @@ class Egress(ABC):
        routes_path = stage_dir / EGRESS_ROUTES_FILENAME
        routes_path.write_text(egress_render_routes(routes, log=log))
        routes_path.chmod(0o600)
-        # Generate a per-session canary token.  The sidecar receives it as
-        # EGRESS_TOKEN_CANARY (scanned by the existing known-secrets detector);
-        # the agent receives it as BOT_BOTTLE_CANARY (a visible fake secret).
+        # Generate a per-session fake secret under a plausible random env name.
+        # The sidecar marks that exact env name as sensitive for known-secret
+        # scanning; the agent receives the same name/value as exfil bait.
        canary = secrets.token_urlsafe(32)
        return EgressPlan(
            slug=slug,
@@ -337,6 +364,7 @@ class Egress(ABC):
            token_env_map=egress_token_env_map(routes),
            log=log,
            canary=canary,
+            canary_env=_random_canary_env(),
        )

 __all__ = [