AntFleet

Disagreement · 44bd7a66-openai-0

Security policy can be bypassed by placing sensitive files in subdirectories (anchored patterns only match repo root)

mismatch
repo 56f59a0d·PR #1·reviewed 4 days ago

Primary finding

Security policy can be bypassed by placing sensitive files in subdirectories (anchored patterns only match repo root)

highsecurityhigh
  • src/security-policy.ts:16-27
  • src/security-policy.ts:29-42
  • src/security-policy.ts:44-50
  • src/security-policy.ts:56-64
The regexes for .env, .npmrc, .git, .ssh, Dockerfile, scripts/, etc. are anchored to the start of the path. This only flags files at the repository root. Sensitive files under subdirectories (e.g., apps/api/.env or packages/foo/.npmrc or services/web/Dockerfile) will not match and will be misclassified as safe, allowing high-impact or sensitive writes to proceed without block/confirmation.

Recommendation

Update patterns to match anywhere in the path using a non-capturing prefix boundary. For example: - .env: use /(?:^|\/)\.env(?:\.|$)/i - .npmrc: use /(?:^|\/)\.npmrc$/i - .git: use /(?:^|\/)\.git(?:\/|$)/i - .ssh: use /(?:^|\/)\.ssh(?:\/|$)/i - Dockerfile: use /(?:^|\/)Dockerfile$/i - scripts/: use /(?:^|\/)scripts\//i - Similarly adjust Makefile, justfile, .husky/, .vscode/tasks.json to use (?:^|\/). Add unit tests for classifyActionRisk and touchesCommandSurface to cover subdirectory paths (e.g., packages/app/.env, packages/service/Dockerfile).

Counterpart finding

BLOCKED_PATTERNS misses common secret-bearing files (e.g., .env without suffix variants, credentials.json, .aws/, .kube/, gcloud)

mediumsecurityhigh
  • src/security-policy.ts:17-27
Block patterns are anchored to root (e.g., /^\.env/) so a nested `packages/foo/.env` is NOT blocked — it is classified as 'safe'. The CONFIRM patterns have the same root-anchoring bias. This is inconsistent with the secret scanner (src/ci/secrets.ts) which scans by content but the policy gate is the one that prevents the agent from writing to those paths in the first place. Net effect: agent can freely create/modify `apps/web/.env` or `packages/x/.npmrc` without confirmation. Also missing: ~/.aws/credentials, .kube/config, gcp service-account.json, .pypirc, .netrc, id_ecdsa.

Recommendation

Change root-anchored patterns to allow path prefix (e.g., /(?:^|\/)\.env(?:\.|$)/i), and add patterns for .aws/, .kube/, .netrc, .pypirc, id_ecdsa, gcloud credentials JSON.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreementsview public receiptssee unanimous findings + anatomies →
Tweet ↗