Skip to content

Security: prevent host-file disclosure and scanner verdict bypasses #268

Description

@fmercurio

Summary

A local security review of commit a68496dc9220c78c3daa13cfb2f18036f1a79494 identified five high-severity issues. They allow a malicious skill, or an HTTP MCP caller, to disclose host data or obtain an incorrect SAFE verdict.

Findings

  1. Symlink scope escapebuild_context follows symlinks outside the selected skill root and reads their contents. Those contents can reach reports and configured LLM analysis.

    • Suggested fix: reject symlinks during discovery, or resolve every candidate path and require it to remain under the resolved scan root before reading. Apply the same rule to multi-skill and batch paths.
  2. HTTP MCP local-path access — the HTTP scan_skill path forwards targets to local-path-capable input resolution, despite the README stating local paths are rejected over HTTP.

    • Suggested fix: make transport context explicit; reject local paths and file:// URLs for HTTP calls. Keep routable deployments behind authentication.
  3. Codex CLI provider host readscodex exec --sandbox read-only still allows model-initiated shell reads of absolute host paths. A hostile scanned prompt can induce reads despite a temporary CWD.

    • Suggested fix: do not use a tool-enabled CLI to analyze hostile content unless it runs in a filesystem-isolated sandbox; otherwise use a provider/transport with tools fully disabled.
  4. Fenced SKILL.md bypass — the static runner drops findings near fenced Markdown, including executable instructions in SKILL.md. A no-LLM scan of a fenced privileged command returned SAFE with no findings.

    • Suggested fix: never treat fenced content in SKILL.md as automatically benign; restrict example suppression to trusted fixtures or explicit metadata.
  5. Oversized-file bypass — static and YARA analyzers silently skip files above the size cap, allowing payload padding to evade detection while static mode can still return SAFE.

    • Suggested fix: chunk large files or mark scans with skipped executable content as incomplete/non-safe, with an explicit report limitation.

Validation

  • Full test suite: 1257 passed (with project-configured skips/xfails).
  • Local reproductions confirmed the symlink read, MCP local-path scan, Codex host-file read, fenced-instruction SAFE result, and oversized-file SAFE result.

Please consider treating this as a coordinated security report if public discussion is not appropriate.

Detailed local scan artifact: report.md generated by Codex Security.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions