didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

Egress apply validates with load_routes but sidecar runs load_config (log: bypass) #256

New Issue
Closed
opened 2026-06-24 00:55:48 -04:00 by didericis-claude · 0 comments
didericis-claude commented 2026-06-24 00:55:48 -04:00
Collaborator
Copy Link
Copy Source

Severity: Medium

EgressApplicator.validate_routes_content validates agent-proposed content with load_routes (routes only — bot_bottle/backend/egress_apply.py:34), but the sidecar reads the same file with load_config, which also honors a top-level log: key (egress_addon_core.py:421, egress_addon.py:52).

An agent-proposed routes file can carry log: 2 (LOG_FULL): validation ignores the key, and on reload the sidecar honors it — silently enabling full request/response logging. The supervise approval surface presents it as a routes change and would not flag the logging-mode flip.

Fix: validate with load_config (the same parser the sidecar uses) so what is checked equals what runs, and so a log: change is surfaced/rejected at approval time.

Closely related to the LOG_FULL credential-exposure issue (the two chain).

Filed from a security audit of the TLS-interception egress path and git-gate credential handling (follow-up to the prd-0054-install-script quality-eval review). The core controls — default-deny, per-bottle CA, sidecar credential isolation — were confirmed sound; these are residual hardening gaps.

**Severity:** Medium `EgressApplicator.validate_routes_content` validates agent-proposed content with `load_routes` (routes only — `bot_bottle/backend/egress_apply.py:34`), but the sidecar reads the same file with `load_config`, which also honors a top-level `log:` key (`egress_addon_core.py:421`, `egress_addon.py:52`). An agent-proposed routes file can carry `log: 2` (`LOG_FULL`): validation ignores the key, and on reload the sidecar honors it — silently enabling full request/response logging. The supervise approval surface presents it as a routes change and would not flag the logging-mode flip. **Fix:** validate with `load_config` (the same parser the sidecar uses) so what is checked equals what runs, and so a `log:` change is surfaced/rejected at approval time. Closely related to the LOG_FULL credential-exposure issue (the two chain). --- _Filed from a security audit of the TLS-interception egress path and git-gate credential handling (follow-up to the `prd-0054-install-script` quality-eval review). The core controls — default-deny, per-bottle CA, sidecar credential isolation — were confirmed sound; these are residual hardening gaps._
didericis-claude added the Kind/Security
Priority
Medium
3
 labels 2026-06-24 00:55:48 -04:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label Kind/Security
Priority
Medium
3
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#256
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?