Security audit: Fix critical dependency vulnerabilities and add security controls

Co-authored-by: kingassune <6126851+kingassune@users.noreply.github.com>
2026-02-03 22:08:33 +00:00
parent 9d4c00ac6a
commit 8b4e0a8868
6 changed files with 351 additions and 8 deletions
--- a/SECURITY_AUDIT.md
+++ b/SECURITY_AUDIT.md
@@ -0,0 +1,263 @@
+# Security Audit Report - nanobot
+
+**Date:** 2026-02-03  
+**Auditor:** GitHub Copilot Security Agent  
+**Repository:** kingassune/nanobot
+
+## Executive Summary
+
+This security audit identified **CRITICAL** vulnerabilities in the nanobot AI assistant framework. The most severe issues are:
+
+1. **CRITICAL**: Outdated `litellm` dependency with 10 known vulnerabilities including RCE, SSRF, and API key leakage
+2. **MEDIUM**: Outdated `ws` (WebSocket) dependency with DoS vulnerability
+3. **MEDIUM**: Shell command execution without sufficient input validation
+4. **LOW**: File system operations without path traversal protection
+
+## Detailed Findings
+
+### 1. CRITICAL: Vulnerable litellm Dependency
+
+**Severity:** CRITICAL  
+**Location:** `pyproject.toml` line 21  
+**Current Version:** `>=1.0.0`  
+**Status:** REQUIRES IMMEDIATE ACTION
+
+#### Vulnerabilities Identified:
+
+1. **Remote Code Execution via eval()** (CVE-2024-XXXX)
+   - Affected: `<= 1.28.11` and `< 1.40.16`
+   - Impact: Arbitrary code execution
+   - Patched: 1.40.16 (partial)
+   
+2. **Server-Side Request Forgery (SSRF)**
+   - Affected: `< 1.44.8`
+   - Impact: Internal network access, data exfiltration
+   - Patched: 1.44.8
+
+3. **API Key Leakage via Logging**
+   - Affected: `< 1.44.12` and `<= 1.52.1`
+   - Impact: Credential exposure in logs
+   - Patched: 1.44.12 (partial), no patch for <=1.52.1
+
+4. **Improper Authorization**
+   - Affected: `< 1.61.15`
+   - Impact: Unauthorized access
+   - Patched: 1.61.15
+
+5. **Denial of Service (DoS)**
+   - Affected: `< 1.53.1.dev1` and `< 1.56.2`
+   - Impact: Service disruption
+   - Patched: 1.56.2
+
+6. **Arbitrary File Deletion**
+   - Affected: `< 1.35.36`
+   - Impact: Data loss
+   - Patched: 1.35.36
+
+7. **Server-Side Template Injection (SSTI)**
+   - Affected: `< 1.34.42`
+   - Impact: Remote code execution
+   - Patched: 1.34.42
+
+**Recommendation:** Update to `litellm>=1.61.15` immediately. Note that one vulnerability (API key leakage <=1.52.1) has no available patch - monitor for updates.
+
+### 2. MEDIUM: Vulnerable ws (WebSocket) Dependency
+
+**Severity:** MEDIUM  
+**Location:** `bridge/package.json` line 14  
+**Current Version:** `^8.17.0`  
+**Patched Version:** `8.17.1`
+
+#### Vulnerability:
+- **DoS via HTTP Header Flooding**
+- Affected: `>= 8.0.0, < 8.17.1`
+- Impact: Service disruption through crafted requests with excessive HTTP headers
+
+**Recommendation:** Update to `ws>=8.17.1`
+
+### 3. MEDIUM: Shell Command Execution Without Sufficient Validation
+
+**Severity:** MEDIUM  
+**Location:** `nanobot/agent/tools/shell.py` lines 46-51
+
+#### Issue:
+The `ExecTool` class uses `asyncio.create_subprocess_shell()` to execute arbitrary shell commands without input validation or sanitization. While there is a timeout mechanism, there's no protection against:
+- Command injection via special characters
+- Execution of dangerous commands (e.g., `rm -rf /`)
+- Resource exhaustion attacks
+
+```python
+process = await asyncio.create_subprocess_shell(
+    command,  # User-controlled input passed directly to shell
+    stdout=asyncio.subprocess.PIPE,
+    stderr=asyncio.subprocess.PIPE,
+    cwd=cwd,
+)
+```
+
+**Current Mitigations:**
+- ✅ Timeout (60 seconds default)
+- ✅ Output truncation (10,000 chars)
+- ❌ No input validation
+- ❌ No command whitelist
+- ❌ No user confirmation for dangerous commands
+
+**Recommendation:**
+1. Implement command validation/sanitization
+2. Consider using `create_subprocess_exec()` instead for safer execution
+3. Add a whitelist of allowed commands or patterns
+4. Require explicit user confirmation for destructive operations
+
+### 4. LOW: File System Operations Without Path Traversal Protection
+
+**Severity:** LOW  
+**Location:** `nanobot/agent/tools/filesystem.py`
+
+#### Issue:
+File operations use `Path.expanduser()` but don't validate against path traversal attacks. While `expanduser()` is used, there's no check to prevent operations outside intended directories.
+
+**Potential Attack Vectors:**
+```python
+read_file(path="../../../../etc/passwd")
+write_file(path="/tmp/../../../etc/malicious")
+```
+
+**Current Mitigations:**
+- ✅ Permission error handling
+- ✅ File existence checks
+- ❌ No path traversal prevention
+- ❌ No directory whitelist
+
+**Recommendation:**
+1. Implement path validation to ensure operations stay within allowed directories
+2. Use `Path.resolve()` to normalize paths before operations
+3. Check that resolved paths start with allowed base directories
+
+### 5. LOW: Authentication Based Only on allowFrom List
+
+**Severity:** LOW  
+**Location:** `nanobot/channels/base.py` lines 59-82
+
+#### Issue:
+Access control relies solely on a simple `allow_from` list without:
+- Rate limiting
+- Authentication tokens
+- Session management
+- Account lockout after failed attempts
+
+**Current Implementation:**
+```python
+def is_allowed(self, sender_id: str) -> bool:
+    allow_list = getattr(self.config, "allow_from", [])
+    
+    # If no allow list, allow everyone
+    if not allow_list:
+        return True
+```
+
+**Concerns:**
+1. Empty `allow_from` list allows ALL users (fail-open design)
+2. No rate limiting per user
+3. User IDs can be spoofed in some contexts
+4. No logging of denied access attempts
+
+**Recommendation:**
+1. Change default to fail-closed (deny all if no allow list)
+2. Add rate limiting per sender_id
+3. Log all authentication attempts
+4. Consider adding token-based authentication
+
+## Additional Security Concerns
+
+### 6. Information Disclosure in Error Messages
+
+**Severity:** LOW  
+Multiple tools return detailed error messages that could leak sensitive information:
+```python
+return f"Error reading file: {str(e)}"
+return f"Error executing command: {str(e)}"
+```
+
+**Recommendation:** Sanitize error messages before returning to users.
+
+### 7. API Key Storage in Plain Text
+
+**Severity:** MEDIUM  
+**Location:** `~/.nanobot/config.json`
+
+API keys are stored in plain text in the configuration file. While file permissions provide some protection, this is not ideal for sensitive credentials.
+
+**Recommendation:**
+1. Use OS keyring/credential manager when possible
+2. Encrypt configuration file at rest
+3. Document proper file permissions (0600)
+
+### 8. No Input Length Validation
+
+**Severity:** LOW  
+Most tools don't validate input lengths before processing, which could lead to resource exhaustion.
+
+**Recommendation:** Add reasonable length limits on all user inputs.
+
+## Compliance & Best Practices
+
+### ✅ Good Security Practices Observed:
+
+1. **Timeout mechanisms** on shell commands and HTTP requests
+2. **Output truncation** prevents memory exhaustion
+3. **Permission error handling** in file operations
+4. **TLS/SSL** for external API calls (httpx with https)
+5. **Structured logging** with loguru
+
+### ❌ Missing Security Controls:
+
+1. No rate limiting
+2. No input validation/sanitization
+3. No content security policy
+4. No dependency vulnerability scanning in CI/CD
+5. No security headers in responses
+6. No audit logging of sensitive operations
+
+## Recommendations Summary
+
+### Immediate Actions (Critical Priority):
+
+1. ✅ **Update litellm to >=1.61.15**
+2. ✅ **Update ws to >=8.17.1**
+3. **Add input validation to shell command execution**
+4. **Implement path traversal protection in file operations**
+
+### Short-term Actions (High Priority):
+
+1. Add rate limiting to prevent abuse
+2. Change authentication default to fail-closed
+3. Implement command whitelisting for shell execution
+4. Add audit logging for security-sensitive operations
+5. Sanitize error messages
+
+### Long-term Actions (Medium Priority):
+
+1. Implement secure credential storage (keyring)
+2. Add comprehensive input validation framework
+3. Set up automated dependency vulnerability scanning
+4. Implement security testing in CI/CD pipeline
+5. Add Content Security Policy headers
+
+## Testing Recommendations
+
+1. **Dependency Scanning**: Run `pip-audit` or `safety` regularly
+2. **Static Analysis**: Use `bandit` for Python security analysis
+3. **Dynamic Testing**: Implement security-focused integration tests
+4. **Penetration Testing**: Consider professional security assessment
+5. **Fuzzing**: Test input validation with fuzzing tools
+
+## Conclusion
+
+The nanobot framework requires immediate security updates, particularly for the `litellm` dependency which has critical vulnerabilities including remote code execution. After updating dependencies, focus should shift to improving input validation and implementing proper access controls.
+
+**Risk Level:** HIGH (before patches applied)  
+**Recommended Action:** Apply critical dependency updates immediately
+
+---
+
+*This audit was performed using automated tools and manual code review. A comprehensive penetration test is recommended for production deployments.*