AntFleet

Disagreement · 6017bf3f-openai-0

Secrets endpoint passes secret value via command-line args (-b), exposing secrets to other processes

mismatch
repo 6f7fc663 · PR #25 · reviewed 1 week ago

Primary finding

Secrets endpoint passes secret value via command-line args (-b), exposing secrets to other processes

high · security · high
  • dashboard/app/api/secrets/route.ts:112-116
  • dashboard/app/api/auth/route.ts:63-66
In POST /api/secrets, the secret value is supplied using '-b', which puts the secret on the process command line (argv). On many systems, process arguments are visible to other users and may be logged, leaking the secret. The auth route correctly uses stdin to provide the secret, avoiding this leak.

Recommendation

Provide the secret via stdin instead of `-b`. For example: `execFileSync('gh', ['secret','set', name, ...ghArgsRepo()], { input: value, stdio: ['pipe','pipe','pipe'] })`. Also ensure no logging of the value.

Counterpart finding

Error responses can leak shell output / file paths to unauthenticated callers

medium · security · high
  • dashboard/app/api/auth/route.ts:111-114
  • dashboard/app/api/secrets/route.ts:119-122
  • dashboard/app/api/secrets/route.ts:140-143
`execFileSync` errors include `error.message` containing the full command line (and sometimes stderr). For the secrets POST this means the secret value — passed as argv `-b <value>` — appears in the error message if gh fails (e.g. invalid name slipped through, network error, repo not found), and is then returned in the HTTP response body. Combined with the missing auth above, this is a direct exfiltration path. Even without the argv issue, returning raw stderr from `gh` and the host's working directory is information disclosure.

Recommendation

Never echo `error.message` from child_process to the client. Log server-side and return a generic message (e.g. `{ error: 'Failed to set secret' }`). Pair this with the stdin-input fix above.
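
The two recommendations above, combined in one sketch (an added example, not code from the reviewed repository or from AntFleet): the value goes to `gh` on stdin, and child-process errors are mapped to a generic response. `setSecret`, `buildSecretSetCall`, `NAME_RE`, `repoArgs` and `fakeFailingRun` are hypothetical names, and the failing run is constructed so the flow can be exercised without `gh` installed.

```javascript
const { execFileSync } = require('node:child_process');

// Hypothetical validation rule for this example: letters, digits, underscore.
const NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Build the gh invocation. The secret is deliberately absent from argv:
// with no -b/--body flag, `gh secret set` reads the value from stdin.
function buildSecretSetCall(name, value, repoArgs = []) {
  if (!NAME_RE.test(name)) throw new Error('invalid secret name');
  return {
    file: 'gh',
    args: ['secret', 'set', name, ...repoArgs],
    options: { input: value, stdio: ['pipe', 'pipe', 'pipe'] },
  };
}

// Run the command and map any failure to a generic response.
// `run` and `log` are injectable so the flow can be exercised without gh.
function setSecret(name, value, { run = execFileSync, log = console.error, repoArgs = [] } = {}) {
  let call;
  try {
    call = buildSecretSetCall(name, value, repoArgs);
  } catch {
    return { status: 400, body: { error: 'Invalid secret name' } };
  }
  try {
    run(call.file, call.args, call.options);
    return { status: 200, body: { ok: true } };
  } catch (err) {
    // Server-side only: record the exit status, not err.message or stderr.
    log(`gh secret set failed for ${name} (exit ${err.status ?? 'n/a'})`);
    return { status: 500, body: { error: 'Failed to set secret' } };
  }
}

// Constructed failure: mimics the shape of an execFileSync error, whose
// message begins "Command failed: <file> <args...>".
function fakeFailingRun(file, args) {
  const err = new Error(`Command failed: ${file} ${args.join(' ')}\nHTTP 404: Not Found`);
  err.status = 1;
  throw err;
}

const SAMPLE_VALUE = 'constructed-sample-value'; // constructed, not a real secret
const result = setSecret('API_TOKEN', SAMPLE_VALUE, { run: fakeFailingRun, repoArgs: ['--repo', 'example/example'] });
console.log(result.status, JSON.stringify(result.body));
```

Because the value never enters `args`, it cannot appear in the "Command failed" text even if that message is later logged by mistake.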

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
