bot-bottle

didericis/bot-bottle

Fork 0

Commit Graph

Author	SHA1	Message	Date
didericis	23f50f7720	fix(pipelock): scan all request headers + fix attack-3 destination test / unit (pull_request) Successful in 19s Details test / integration (pull_request) Failing after 49s Details Two related changes the PRD 0022 sandbox-escape test surfaced: 1. `pipelock_build_config` now emits `request_body_scanning.scan_headers: true` and `header_mode: all`. Pipelock's default `header_mode: sensitive` only checks Authorization / Cookie / X-Api-Key / X-Token / Proxy-Authorization / X-Goog-Api-Key — an agent attempting exfil could trivially pick a non-sensitive header (`X-Custom: $SECRET`) and slip through. `all` closes the gap; pipelock caps it by the same max_body_bytes the body scan uses. 2. Test 3 (HTTP exfil shapes) now targets raw.githubusercontent.com instead of api.anthropic.com. api.anthropic.com is in `DEFAULT_TLS_PASSTHROUGH` — pipelock can't MITM it because real LLM conversation bodies false-positive on DLP scanners (BIP-39 etc.). The trade-off is documented in `pipelock.DEFAULT_TLS_PASSTHROUGH`; the test now exercises a host where the sandbox is actually supposed to block. All 5 sandbox-escape attacks now produce HTTP 403 with the expected sandbox marker (`egress:`, `pipelock`, or `blocked:`): - Attack 1 (non-allowlisted host) ✓ egress - Attack 2 (non-allowlisted IP + spoof) ✓ egress - Attack 3a (URL path) ✓ pipelock DLP - Attack 3b (URL query) ✓ pipelock DLP - Attack 3c (request body) ✓ pipelock DLP - Attack 3d (request header) ✓ pipelock DLP (scan_headers) - Attack 4a (crafted subdomain) ✓ egress - Attack 4b (direct dig @8.8.8.8) ✓ network isolation - Attack 5 (README push, 3 secret shapes) ✓ gitleaks (pre-upstream) 489 unit tests pass (1 updated for the new request_body_scanning shape). Full integration suite passes in ~6s.	2026-05-26 22:38:38 -04:00
didericis	e2231f46a3	test(integration): PRD 0022 sandbox-escape suite (chunks 1-5) test / unit (pull_request) Successful in 18s Details test / integration (pull_request) Failing after 2m13s Details End-to-end test that brings up a real bottle with allowlisted egress + git-gate + three planted secrets, then runs five attacks from inside the agent container. Chunks 1-5 implemented in one pass against the Docker backend: Attack 1 — non-allowlisted hostname (curl evil.example.com) ✓ blocked by egress Attack 2 — non-allowlisted IP literal (198.51.100.1) + host- header spoof via curl --resolve ✓ both blocked by egress Attack 3 — HTTP exfil to allowlisted destination via path / query / body / header ✗ ALL FOUR LEAK — request reaches api.anthropic.com with the secret embedded. Pipelock's DLP doesn't catch the anthropic-key shape in the body, and nothing scans path / query / headers. Attack 4 — DNS exfil via crafted subdomain + direct dig @8.8.8.8 query ✓ both blocked (egress rejects subdomain, internal network has no path to 8.8.8.8) Attack 5 — README push through git-gate with secret-bearing attacker URL (parameterized over anthropic / AWS / generic shapes); ordering check that gitleaks fires BEFORE any upstream attempt ✓ all three secret shapes blocked by gitleaks Per PRD 0022 Q1 the assertion in attack 3 is authoritative — HTTP 403 with an egress/pipelock marker in the body is the only acceptable outcome. Any 4xx from upstream means the secret reached the network. The four failing sub-tests are real sandbox gaps that need their own remediation PRDs before this test merges green. Also adds `dnsutils` (dig) to the base agent image so attack 4's direct-DNS check has a tool to run. CI: no changes needed — `.gitea/workflows/test.yml` already runs `tests/integration/` and the suite skip_unless_dockers cleanly when the runner has no Docker socket.	2026-05-26 22:23:45 -04:00

Author

SHA1

Message

Date

didericis

23f50f7720

fix(pipelock): scan all request headers + fix attack-3 destination

test / unit (pull_request) Successful in 19s

Details

test / integration (pull_request) Failing after 49s

Details

Two related changes the PRD 0022 sandbox-escape test surfaced:

  1. `pipelock_build_config` now emits
     `request_body_scanning.scan_headers: true` and
     `header_mode: all`. Pipelock's default `header_mode:
     sensitive` only checks Authorization / Cookie / X-Api-Key
     / X-Token / Proxy-Authorization / X-Goog-Api-Key — an
     agent attempting exfil could trivially pick a
     non-sensitive header (`X-Custom: $SECRET`) and slip
     through. `all` closes the gap; pipelock caps it by the
     same max_body_bytes the body scan uses.

  2. Test 3 (HTTP exfil shapes) now targets
     raw.githubusercontent.com instead of api.anthropic.com.
     api.anthropic.com is in `DEFAULT_TLS_PASSTHROUGH` —
     pipelock can't MITM it because real LLM conversation
     bodies false-positive on DLP scanners (BIP-39 etc.). The
     trade-off is documented in `pipelock.DEFAULT_TLS_PASSTHROUGH`;
     the test now exercises a host where the sandbox is
     actually supposed to block.

All 5 sandbox-escape attacks now produce HTTP 403 with the
expected sandbox marker (`egress:`, `pipelock`, or `blocked:`):

  - Attack 1 (non-allowlisted host)        ✓ egress
  - Attack 2 (non-allowlisted IP + spoof)  ✓ egress
  - Attack 3a (URL path)                   ✓ pipelock DLP
  - Attack 3b (URL query)                  ✓ pipelock DLP
  - Attack 3c (request body)               ✓ pipelock DLP
  - Attack 3d (request header)             ✓ pipelock DLP (scan_headers)
  - Attack 4a (crafted subdomain)          ✓ egress
  - Attack 4b (direct dig @8.8.8.8)        ✓ network isolation
  - Attack 5 (README push, 3 secret shapes) ✓ gitleaks (pre-upstream)

489 unit tests pass (1 updated for the new request_body_scanning
shape). Full integration suite passes in ~6s.

2026-05-26 22:38:38 -04:00

didericis

e2231f46a3

test(integration): PRD 0022 sandbox-escape suite (chunks 1-5)

test / unit (pull_request) Successful in 18s

Details

test / integration (pull_request) Failing after 2m13s

Details

End-to-end test that brings up a real bottle with allowlisted
egress + git-gate + three planted secrets, then runs five
attacks from inside the agent container.

Chunks 1-5 implemented in one pass against the Docker backend:

  Attack 1 — non-allowlisted hostname (curl evil.example.com)
              ✓ blocked by egress
  Attack 2 — non-allowlisted IP literal (198.51.100.1) + host-
              header spoof via curl --resolve
              ✓ both blocked by egress
  Attack 3 — HTTP exfil to allowlisted destination via path /
              query / body / header
              ✗ ALL FOUR LEAK — request reaches api.anthropic.com
                with the secret embedded. Pipelock's DLP doesn't
                catch the anthropic-key shape in the body, and
                nothing scans path / query / headers.
  Attack 4 — DNS exfil via crafted subdomain + direct
              dig @8.8.8.8 query
              ✓ both blocked (egress rejects subdomain, internal
                network has no path to 8.8.8.8)
  Attack 5 — README push through git-gate with secret-bearing
              attacker URL (parameterized over anthropic / AWS /
              generic shapes); ordering check that gitleaks fires
              BEFORE any upstream attempt
              ✓ all three secret shapes blocked by gitleaks

Per PRD 0022 Q1 the assertion in attack 3 is authoritative —
HTTP 403 with an egress/pipelock marker in the body is the only
acceptable outcome. Any 4xx from upstream means the secret
reached the network. The four failing sub-tests are real
sandbox gaps that need their own remediation PRDs before this
test merges green.

Also adds `dnsutils` (dig) to the base agent image so attack 4's
direct-DNS check has a tool to run.

CI: no changes needed — `.gitea/workflows/test.yml` already runs
`tests/integration/` and the suite skip_unless_dockers cleanly
when the runner has no Docker socket.

2026-05-26 22:23:45 -04:00

2 Commits