didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

Hand-rolled egress/gitconfig YAML emitters don't escape quotes/newlines #258

New Issue
Closed
opened 2026-06-24 00:55:48 -04:00 by didericis-claude · 0 comments
didericis-claude commented 2026-06-24 00:55:48 -04:00
Collaborator
Copy Link
Copy Source

Severity: Low (robustness; no agent privilege boundary crossed)

egress_render_routes / _route_to_yaml_fields (bot_bottle/egress.py) interpolate manifest strings (host, path/header match values, auth_scheme) into "..." YAML scalars with no escaping of ", \, or newline. git_gate_render_gitconfig (bot_bottle/git_gate.py:115) has the same shape for Upstream / the ssh alias into gitconfig.

This path is operator-manifest only — the agent-proposed routes path is parse-validated and written verbatim, never re-rendered through these emitters — so there is no privilege escalation. But a stray quote in an otherwise-legitimate header-match value silently corrupts routes.yaml; the strict re-parse then fails and the sidecar falls back to empty/stale routes (a fail-closed but confusing outcome). A newline in Upstream could inject arbitrary gitconfig keys.

Fix: escape "/\/newline at render time, or assert-reject these metacharacters in the affected manifest fields with a clear error.

Filed from a security audit of the TLS-interception egress path and git-gate credential handling (follow-up to the prd-0054-install-script quality-eval review). The core controls — default-deny, per-bottle CA, sidecar credential isolation — were confirmed sound; these are residual hardening gaps.

**Severity:** Low (robustness; no agent privilege boundary crossed) `egress_render_routes` / `_route_to_yaml_fields` (`bot_bottle/egress.py`) interpolate manifest strings (host, path/header match values, auth_scheme) into `"..."` YAML scalars with no escaping of `"`, `\`, or newline. `git_gate_render_gitconfig` (`bot_bottle/git_gate.py:115`) has the same shape for `Upstream` / the ssh alias into gitconfig. This path is operator-manifest only — the agent-proposed routes path is parse-validated and written verbatim, never re-rendered through these emitters — so there is **no privilege escalation**. But a stray quote in an otherwise-legitimate header-match value silently corrupts `routes.yaml`; the strict re-parse then fails and the sidecar falls back to empty/stale routes (a fail-closed but confusing outcome). A newline in `Upstream` could inject arbitrary gitconfig keys. **Fix:** escape `"`/`\`/newline at render time, or assert-reject these metacharacters in the affected manifest fields with a clear error. --- _Filed from a security audit of the TLS-interception egress path and git-gate credential handling (follow-up to the `prd-0054-install-script` quality-eval review). The core controls — default-deny, per-bottle CA, sidecar credential isolation — were confirmed sound; these are residual hardening gaps._
didericis-claude added the
Priority
Low
4
Kind/Bug labels 2026-06-24 00:55:49 -04:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label Kind/Bug
Priority
Low
4
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#258
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?