Skip to content

fix(frontend): harden frontend server (RCE/SSRF/path traversal)#656

Open
yaozheng-fang wants to merge 1 commit into
mainfrom
fix/frontend-security
Open

fix(frontend): harden frontend server (RCE/SSRF/path traversal)#656
yaozheng-fang wants to merge 1 commit into
mainfrom
fix/frontend-security

Conversation

@yaozheng-fang

Copy link
Copy Markdown
Collaborator

背景

安全扫描在公网暴露veadk frontend 部署上报了"任意 PUT 文件 & 读取文件"等风险。核实后确认是 FastAPI 应用自身若干未授权可达的端点(与火山 TOS 无关,web.xml 那套 Tomcat 修法也不适用)。本 PR 修掉其中四个代码级问题。

修复内容

# 问题 处理
1 RCE / 任意写文件 删除"测试运行"功能:/web/deploy-temp-agent(POST/DELETE)、临时 Agent 注册表、以及对 AgentLoader.load_agent 的猴补丁。该端点把客户端上传的文件写盘后 exec_module(agent.py),等于未授权远程代码执行。
2 SSRF /agentkit-proxy 现在强制要求 X-AgentKit-Key,且目标 X-AgentKit-Base 必须是 https://*.volceapi.com(用 urlparse().hostname 取 host,https://x.volceapi.com@evil.com 这类 userinfo 绕过会被拒)。
3 任意文件读(路径穿越) SPA 兜底路由发文件前 resolve() + is_relative_to(webui),../../etc/passwd 只会返回前端页面而非宿主文件。
4 任意写(路径穿越) 保留的 /web/deploy-agentkit 拒绝绝对路径 / ..,写入点必须落在临时目录内。

顺带移除不再使用的 AgentTest 前端组件与 client 里的 deployTempAgent/deleteTempAgent,并重建随包发布的 veadk/webui 静态资源。

验证

  • 前端 tsc --noEmit = 0、vite build = 0。
  • 起本地服务实测:
    • POST /web/deploy-temp-agent → 405(端点已移除)
    • 代理无 key → 401;非 *.volceapi.com → 403;@evil.com userinfo 绕过 → 403;合法 https://*.volceapi.com 放行
    • GET /../../../etc/passwd → 返回 SPA HTML,读不到宿主文件

说明(非本 PR 改动)

veadk frontend 默认 --host 127.0.0.1(仅本机);且未配置 VOLCENGINE_ACCESS_KEY/SECRET_KEY 时创建工作台整体禁用。公网暴露请务必开启 SSO(--oauth2-user-pool / --auth-mode gateway)——deploy-agentkit 仍使用服务端凭证,应置于鉴权之后。

🤖 Generated with Claude Code

Close four issues a security scan flagged on a publicly-exposed
`veadk frontend` deployment:

- RCE / arbitrary write: remove the "test run" feature —
  /web/deploy-temp-agent (POST/DELETE), the temp-agent registry and the
  AgentLoader monkeypatch. It wrote client-supplied files to disk and
  exec'd agent.py, i.e. unauthenticated remote code execution.
- SSRF: /agentkit-proxy now requires X-AgentKit-Key and only proxies to
  https://*.volceapi.com (host checked via urlparse, so userinfo tricks
  like https://x.volceapi.com@evil.com are rejected).
- Arbitrary file read: the SPA fallback confines FileResponse to the
  built UI directory, blocking ../ traversal (e.g. /../../etc/passwd).
- Arbitrary write (path traversal): /web/deploy-agentkit rejects
  absolute or ".." file paths that resolve outside its temp dir.

Also drops the now-unused AgentTest UI + client helpers and rebuilds the
shipped web assets.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants