didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

Extended outbound DLP scan: headers, query params, paths, DNS lookups #204

New Issue
Closed
opened 2026-06-06 13:40:19 -04:00 by didericis-claude · 0 comments
didericis-claude commented 2026-06-06 13:40:19 -04:00
Collaborator
Copy Link
Copy Source

The current outbound DLP scan (PRD 0052) covers only the request body and the Authorization header. An agent can exfiltrate a provisioned secret via several other surfaces that are currently unscanned:

  • Other HTTP headers – any custom or standard header (e.g. X-Api-Key, X-Auth-Token, Cookie).
  • Query parameters – e.g. ?token=<secret> or ?api_key=<secret>.
  • URL path segments – e.g. /api/<secret>/resource.
  • DNS-level hostnames – DNS tunnelling where the secret is base64-encoded into a subdomain (<encoded-secret>.attacker.com).

Acceptance criteria

  1. All four surfaces are included in the outbound DLP scan text for every matched route.
  2. A pure helper build_outbound_scan_text(host, path, query, headers, body) in egress_addon_core.py assembles the scan corpus so the logic is unit-testable without mitmproxy.
  3. Unit tests demonstrate blocking when a known token or provisioned secret appears in each surface.
  4. The change is backwards-compatible: no manifest schema changes required.
The current outbound DLP scan (PRD 0052) covers only the request body and the `Authorization` header. An agent can exfiltrate a provisioned secret via several other surfaces that are currently unscanned: - **Other HTTP headers** – any custom or standard header (e.g. `X-Api-Key`, `X-Auth-Token`, `Cookie`). - **Query parameters** – e.g. `?token=<secret>` or `?api_key=<secret>`. - **URL path segments** – e.g. `/api/<secret>/resource`. - **DNS-level hostnames** – DNS tunnelling where the secret is base64-encoded into a subdomain (`<encoded-secret>.attacker.com`). ## Acceptance criteria 1. All four surfaces are included in the outbound DLP scan text for every matched route. 2. A pure helper `build_outbound_scan_text(host, path, query, headers, body)` in `egress_addon_core.py` assembles the scan corpus so the logic is unit-testable without mitmproxy. 3. Unit tests demonstrate blocking when a known token or provisioned secret appears in each surface. 4. The change is backwards-compatible: no manifest schema changes required.
didericis added the Kind/Security label 2026-06-06 14:26:40 -04:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label Kind/Security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#204
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?