fix(frontend): harden frontend server (RCE/SSRF/path traversal)#656
Open
yaozheng-fang wants to merge 1 commit into
Open
fix(frontend): harden frontend server (RCE/SSRF/path traversal)#656yaozheng-fang wants to merge 1 commit into
yaozheng-fang wants to merge 1 commit into
Conversation
Close four issues a security scan flagged on a publicly-exposed `veadk frontend` deployment: - RCE / arbitrary write: remove the "test run" feature — /web/deploy-temp-agent (POST/DELETE), the temp-agent registry and the AgentLoader monkeypatch. It wrote client-supplied files to disk and exec'd agent.py, i.e. unauthenticated remote code execution. - SSRF: /agentkit-proxy now requires X-AgentKit-Key and only proxies to https://*.volceapi.com (host checked via urlparse, so userinfo tricks like https://x.volceapi.com@evil.com are rejected). - Arbitrary file read: the SPA fallback confines FileResponse to the built UI directory, blocking ../ traversal (e.g. /../../etc/passwd). - Arbitrary write (path traversal): /web/deploy-agentkit rejects absolute or ".." file paths that resolve outside its temp dir. Also drops the now-unused AgentTest UI + client helpers and rebuilds the shipped web assets.
zakahan
approved these changes
Jul 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
背景
安全扫描在公网暴露的
veadk frontend部署上报了"任意 PUT 文件 & 读取文件"等风险。核实后确认是 FastAPI 应用自身若干未授权可达的端点(与火山 TOS 无关,web.xml那套 Tomcat 修法也不适用)。本 PR 修掉其中四个代码级问题。修复内容
/web/deploy-temp-agent(POST/DELETE)、临时 Agent 注册表、以及对AgentLoader.load_agent的猴补丁。该端点把客户端上传的文件写盘后exec_module(agent.py),等于未授权远程代码执行。/agentkit-proxy现在强制要求X-AgentKit-Key,且目标X-AgentKit-Base必须是https://*.volceapi.com(用urlparse().hostname取 host,https://x.volceapi.com@evil.com这类 userinfo 绕过会被拒)。resolve()+is_relative_to(webui),../../etc/passwd只会返回前端页面而非宿主文件。/web/deploy-agentkit拒绝绝对路径 /..,写入点必须落在临时目录内。顺带移除不再使用的
AgentTest前端组件与 client 里的deployTempAgent/deleteTempAgent,并重建随包发布的veadk/webui静态资源。验证
tsc --noEmit= 0、vite build= 0。POST /web/deploy-temp-agent→ 405(端点已移除)*.volceapi.com→ 403;@evil.comuserinfo 绕过 → 403;合法https://*.volceapi.com放行GET /../../../etc/passwd→ 返回 SPA HTML,读不到宿主文件说明(非本 PR 改动)
veadk frontend默认--host 127.0.0.1(仅本机);且未配置VOLCENGINE_ACCESS_KEY/SECRET_KEY时创建工作台整体禁用。公网暴露请务必开启 SSO(--oauth2-user-pool/--auth-mode gateway)——deploy-agentkit仍使用服务端凭证,应置于鉴权之后。🤖 Generated with Claude Code